I'm going through the openvpn howto, section "Configuring client-specific rules and access policies", http://openvpn.net/index.php/documentation/howto.html#policy.

I understand how the network is segregated, different subnets for employees, sys admins and contractors.

I don't understand how openvpn identifies a user as either an employee, sys admin or contractor.

Is that what the next section, "Using alternative authentication methods" deals with? Does it involve using the openvpn-auth-pam plugin?

I don't see where else openvpn could recognize a user, other than if the client built it into their certificate.

For example, is this how it works:

You login with user sysadmin1 / some password via the openvpn-auth-pam plugin, openvpn recognizes the sysadmin1 user and invokes "ifconfig-push".

Hello shwick:

There are two ways to authenticate users to a VPN server. One way is to do it by shared static keys. This method is the less secure of the two, and some people do not recommend it for production. The second and more secure method is via certificates. You create certificates for each client. The certificate, along with a password, is used to authenticate each client against your VPN server.

The process of creating certificates can be broken down into three steps:
1. Create your own Certificate Authority (CA) certificate.
2. Create an OpenVPN server certificate.
3. Generate client certificates.

Let me know how this goes, if you are still working on this.
I hope this helps.
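To tie the answer back to the original question: once a client's certificate has been verified against your CA, OpenVPN identifies that client by the certificate's Common Name (CN). With `client-config-dir ccd` in the server config, the server looks for a file named `ccd/<CN>` and applies the directives in it (such as `ifconfig-push`), which is exactly how the HOWTO's policy section drops sysadmin1 into one subnet and contractor1 into another. If you authenticate with usernames instead (the `auth-pam` plugin or `auth-user-pass-verify`), adding `username-as-common-name` makes the authenticated username play the role of the CN for this lookup. The script below is an added example, not part of the original thread; it generates the per-client `ccd/` files and the matching server directives for the HOWTO's layout. The CN-to-role mapping, the 10.8.x.0/24 subnets and the net30-style /30 address pairs are assumptions taken from that section, not something OpenVPN enforces by itself.

```shell
#!/bin/sh
# Added example (not from the original post): build OpenVPN client-config-dir
# entries keyed on certificate Common Name. Subnets and CN naming are assumed.
set -eu

CCD_DIR="${CCD_DIR:-./ccd}"

# Map a certificate CN to a role. Assumed convention: the CN prefix says
# what kind of user it is; anything unrecognised is an ordinary employee.
role_of() {
  case "$1" in
    sysadmin*)   echo sysadmin ;;
    contractor*) echo contractor ;;
    *)           echo employee ;;
  esac
}

# With the default (net30) topology each client owns a /30: the n-th client
# in a /24 gets local .(4n-3) and remote .(4n-2). Prints "local remote".
net30_pair() {
  prefix="$1"; n="$2"
  base=$(( (n - 1) * 4 ))
  echo "$prefix.$((base + 1)) $prefix.$((base + 2))"
}

# Write ccd/<CN> for CNs in a restricted role. Employees are left to the
# default pool from the `server` directive, so no file is written for them.
# The CN is used as a filename, so this script refuses anything outside
# [A-Za-z0-9_.-] or starting with a dot (own check, not OpenVPN's).
write_ccd() {
  cn="$1"; idx="$2"
  case "$cn" in
    ''|.*|*[!A-Za-z0-9_.-]*)
      echo "refusing unsafe CN: $cn" >&2
      return 1 ;;
  esac
  role=$(role_of "$cn")
  case "$role" in
    sysadmin)   prefix=10.8.1 ;;
    contractor) prefix=10.8.2 ;;
    *)          return 0 ;;
  esac
  mkdir -p "$CCD_DIR"
  printf 'ifconfig-push %s\n' "$(net30_pair "$prefix" "$idx")" > "$CCD_DIR/$cn"
}

# The server-side directives that make the ccd files take effect.
# Routes for the sysadmin and contractor subnets are needed so the server
# knows those ranges live on the tun interface.
server_conf_snippet() {
  cat <<'EOF'
# employees: addresses come from the default pool
server 10.8.0.0 255.255.255.0
# sysadmins
route 10.8.1.0 255.255.255.0
# contractors
route 10.8.2.0 255.255.255.0
# after the certificate verifies, read ccd/<CN> for per-client options
client-config-dir ccd
# uncomment to refuse any client whose CN has no ccd file (stricter policy)
;ccd-exclusive
EOF
}

# Stand-alone run: reproduce the HOWTO's three example clients.
demo() {
  write_ccd sysadmin1 1
  write_ccd contractor1 1
  write_ccd contractor2 2
  write_ccd employee1 1
  server_conf_snippet
  ls "$CCD_DIR"
}

if [ "${1:-}" = demo ]; then
  demo
fi
```

Run it as `sh ccd-gen.sh demo` to get `ccd/sysadmin1`, `ccd/contractor1` and `ccd/contractor2` plus the server directives printed to stdout. The security point to keep in mind: the CN is only trustworthy because your CA signed it, so the ccd mechanism is only as strong as how carefully you control who gets a certificate with which CN.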