Tutorial: RADIUS Group Mapping with JumpCloud

Abstract

How to use a custom Python script to automate group mapping with RADIUS authentication and JumpCloud as the identity provider.

Overview

We provide a separate tutorial for setting up RADIUS group mapping using a post-authentication (post-auth) Python script that details steps taken with Active Directory. This tutorial provides steps using JumpCloud as the identity provider.

By following this tutorial, you can dynamically map your JumpCloud user groups to your Access Server groups. Once mapped, groups inherit appropriate group permissions, scripts, and access controls.

For a tutorial on using JumpCloud as your identity provider with the RADIUS authentication method, refer to Tutorial: Configure JumpCloud with Access Server via RADIUS.

  • An installed Access Server

  • RADIUS authentication configured

  • RADIUS server with JumpCloud

  1. Sign in to your JumpCloud admin portal.

  2. Click User Management > User Groups.

  3. Locate and click on the RADIUS Groups you want to map with your Access Server.

    Tip

    If you still need to set up RADIUS authentication with JumpCloud, refer to Tutorial: Configure JumpCloud with Access Server via RADIUS.

  4. Go to the RADIUS tab.

  5. Under RADIUS Reply Attributes:

    • RADIUS Attribute Name: Enter Framed-Pool.

    • RADIUS Attribute Value: Enter the name of the JumpCloud group you want to map. For example, Administrators if that is the group name in JumpCloud.

  6. Scroll down and ensure this user group is attached to your RADIUS application. If it's not, select it.

  7. Click Save Group to confirm your changes.

    Important

    If you want to map the same group name on Access Server, ensure an Access Server group with that name (e.g., Administrators) exists. Otherwise, you can adapt the script to map Administrators to a different Access Server group name.

Download the post-auth sample script:

  1. Sign on to your Access Server via SSH and obtain root privileges.

  2. Download the script (https://packages.openvpn.net/as/scripts/post_auth_radius_mapping.py):

    wget https://packages.openvpn.net/as/scripts/post_auth_radius_mapping.py -O /root/radius.py

    This saves the script to the /root/ directory with the name radius.py.

    Tip

    If you have problems downloading the script this way, you may need to install/update the wget and/or ca-certificates package(s) on your system.

  3. Load the script:

    cd /usr/local/openvpn_as/scripts
    ./sacli --key auth.module.post_auth_script --value_file=/root/radius.py ConfigPut
    ./sacli start
    • You've installed the script, and it's ready for use.

The current script does the following for JumpCloud configurations:

  • Checks if the user authenticated via RADIUS (i.e., JumpCloud).

  • Looks for the Framed-Pool attribute (code 88) in the RADIUS reply.

  • If found, sets the value as the user's conn_group (which is the Access Server group).

  • If not found, prints a warning message to the logs.

  1. Connect to the Access Server console and get root privileges.

  2. Test using authcli (replacing USERNAME and PASSWORD with real JumpCloud credentials):

    ./authcli --user USERNAME --pass PASSWORD
    • If successful, you should see:

      status : SUCCEED
      ...
      conn_group : Administrators
  3. Confirm the assigned group:

    ./sacli --pfilt USERNAME_OR_GROUP UserPropGet
    • This displays the user's properties, including the conn_group set to Administrators (or your mapped group).

  4. Inspect the logs for output mentioning "Framed-Pool received":

    grep "RADIUS-Reply" /var/log/openvpnas.log
  • Matching group names:

    • If you want the JumpCloud group name and the Access Server group name to differ, adjust the script to map them explicitly. For example:

      # If Framed-Pool is set, set that as the group for the AS server
      if 88 in info['radius_reply']:
          jumpcloud_group = ''.join(info['radius_reply'].get(88))
          print("***** RADIUS-Reply: Framed-Pool received with Group:", jumpcloud_group)

          # Adjust these to map JumpCloud RADIUS group memberships to Access Server groups.
          # Note: 'in' is a substring test, so 'Administrators' also matches any longer
          # value that contains it.
          group = None  # stays None when no mapping below matches
          if 'Administrators' in jumpcloud_group:
              group = "admin"
          elif 'Security' in jumpcloud_group:
              group = "tech"
          elif 'Accounting' in jumpcloud_group:
              group = "finance"

          if group is not None:
              print("***** RADIUS-Reply: Framed-Pool received, setting OpenVPN Access Server group to:", group)
              authret['proplist']['conn_group'] = group
              proplist_save['conn_group'] = group
          else:
              # Without this branch an unmatched value raised NameError on 'group'
              print("***** RADIUS-Reply: no Access Server group mapped for:", jumpcloud_group)
      
  • Group permissions & ACLs:

    • Once the user is placed in the Access Server group, any group-level permissions, ACLs, or scripts associated with that group automatically apply.
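
The explicit mapping under "Matching group names" tests with substring matches and joins every Framed-Pool value into one string. As an added example (not part of the downloaded script), this stand-alone helper resolves the group by exact lookup and returns no group for unmapped or multi-valued replies. `GROUP_MAP` and `resolve_group` are hypothetical names, the `info` layout is assumed from the snippet above, and the sample replies are constructed.

```python
# Added example: exact-match, deny-by-default Framed-Pool mapping.
# GROUP_MAP and resolve_group() are hypothetical names, not the script's own.
FRAMED_POOL = 88  # RADIUS attribute code the script checks for Framed-Pool

# JumpCloud Framed-Pool value -> Access Server group (sample names from the tutorial)
GROUP_MAP = {
    "Administrators": "admin",
    "Security": "tech",
    "Accounting": "finance",
}


def resolve_group(info, group_map=GROUP_MAP):
    """Return (group, reason); group is None when nothing may be assigned."""
    values = (info.get("radius_reply") or {}).get(FRAMED_POOL)
    if not values:
        return None, "no Framed-Pool attribute in RADIUS reply"
    if isinstance(values, (str, bytes)):
        values = [values]
    names = [v.decode("utf-8", "replace") if isinstance(v, bytes) else str(v)
             for v in values]
    names = [n.strip() for n in names if n.strip()]
    if len(names) != 1:
        # Joining several values would let match order decide the group.
        return None, "expected one Framed-Pool value, got %d" % len(names)
    group = group_map.get(names[0])  # exact, case-sensitive lookup
    if group is None:
        return None, "unmapped Framed-Pool value %r" % names[0]
    return group, "mapped %r to %r" % (names[0], group)


if __name__ == "__main__":
    # Constructed replies, not captured from a real server.
    samples = [
        {"radius_reply": {88: ["Administrators"]}},
        {"radius_reply": {88: ["Non-Administrators"]}},   # substring test would say admin
        {"radius_reply": {88: ["Security", "Accounting"]}},
        {"radius_reply": {}},
    ]
    for sample in samples:
        print(resolve_group(sample))
```

In the post-auth script, assign `authret['proplist']['conn_group']` and `proplist_save['conn_group']` only when the returned group is not `None`, and print the reason so it appears in the log.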