
Tutorial: RADIUS Group Mapping with Okta

Abstract

How to use a custom Python script to automate group mapping with RADIUS authentication and OKTA as the identity provider.

Overview

We provide a separate tutorial for setting up RADIUS group mapping using a post-authentication (post-auth) Python script that details steps taken with Active Directory. This tutorial provides steps using Okta as the identity provider.

By following this tutorial, you can dynamically map your Okta user groups to your Access Server groups. Once mapped, groups inherit appropriate group permissions, scripts, and access controls.

For a tutorial on using Okta as your identity provider with the RADIUS authentication method, refer to Tutorial: Integrate Okta with Access Server via RADIUS.

Prerequisites

  • An installed Access Server

  • RADIUS authentication configured on Access Server

  • Okta configured as the RADIUS server for Access Server (see Tutorial: Integrate Okta with Access Server via RADIUS)

Configure Okta to return group membership

  1. Sign in to your Okta admin portal.

  2. Click Applications > Applications.

  3. Locate and click on the RADIUS application you set up for Access Server.

    Tip

    If you still need to set up RADIUS authentication with Okta refer to Tutorial: Integrate Okta with Access Server via RADIUS.

  4. Go to the Sign On tab.

  5. Scroll down to Advanced RADIUS Settings and click Edit.

  6. Under Group Response, check Include groups in RADIUS response.

    • RADIUS attribute: Select 11-Filter-Id.

    • Group memberships to return: Enter the name of the Okta group you want to map. For example, OKTA1 if that is the group name in Okta.

  7. Click Save to confirm your changes.

    Important

    If you want to use the same group name on Access Server, ensure an Access Server group with that name (e.g., OKTA1) exists before users sign in; conn_group only takes effect for a group that exists. Otherwise, adapt the script to map OKTA1 to a different Access Server group name.

Install the post-auth script

Download the post-auth sample script:

  1. Sign on to your Access Server via SSH and obtain root privileges.

  2. Download the script (https://packages.openvpn.net/as/scripts/post_auth_radius_mapping.py):

    wget https://packages.openvpn.net/as/scripts/post_auth_radius_mapping.py -O /root/radius.py

    This saves the script to the /root/ directory with the name radius.py.

    Tip

    If you have problems downloading the script this way, you may need to install/update the wget and/or ca-certificates package(s) on your system.

  3. Load the script:

    cd /usr/local/openvpn_as/scripts
    ./sacli --key auth.module.post_auth_script --value_file=/root/radius.py ConfigPut
    ./sacli start

    • You've installed the script, and it's ready for use.

What the script does

The current script does the following for Okta configurations:

  • Checks if the user authenticated via RADIUS (i.e., Okta).

  • Looks for the Filter-Id attribute (code 11) in the RADIUS reply.

  • If found, sets the value as the user's conn_group (which is the Access Server group). The value must match an existing Access Server group name exactly, including case.

  • If not found, prints a warning message to the logs and leaves the user's group unchanged.

Test the configuration

  1. Connect to the Access Server console and get root privileges.

  2. Test using authcli (replacing USERNAME and PASSWORD with real Okta credentials):

    ./authcli --user USERNAME --pass PASSWORD
    • If successful, you should see:

      status : SUCCEED
      ...
      conn_group : OKTA1
  3. Confirm the assigned group:

    ./sacli --pfilt USERNAME_OR_GROUP UserPropGet
    • This displays the user's properties, including the conn_group set to OKTA1 (or your mapped group).

  4. Inspect the logs for the script's output. The sample script prints a line containing "RADIUS-Reply: Filter-Id received" when the attribute is present:

    grep "RADIUS-Reply" /var/log/openvpnas.log
Additional notes

  • Matching group names:

    • If you want the Okta group name and the Access Server group name to differ, adjust the script to map them explicitly. For example (note that the in test is a substring match, so 'OKTA1' also matches a group named OKTA10; compare with == instead if your group names overlap):

      # If Filter-Id is set, set that as the group for the AS server
      if 11 in info['radius_reply']:
          print("***** RADIUS-Reply: Filter-Id received, setting OpenVPN Access Server group to:", ''.join(info['radius_reply'].get(11)))
          okta_group = ''.join(info['radius_reply'].get(11))

          # Adjust these to map OKTA RADIUS group memberships to Access Server groups
          if 'OKTA1' in okta_group:
              group = "Admin"
          elif 'OKTA2' in okta_group:
              group = "sales"
          elif 'OKTA3' in okta_group:
              group = "finance"
          else:
              # No explicit mapping: keep the Okta group name, as the unmodified script does
              group = okta_group

  • Other RADIUS servers:

    • This same logic applies to FreeRADIUS, JumpCloud RADIUS, Windows AD RADIUS (NPS), etc., as long as you configure the RADIUS server to return group information in attribute 11 (Filter-Id).

  • Group permissions & ACLs:

    • Once the user is placed in the Access Server group, any group-level permissions, ACLs, or scripts associated with that group automatically apply.
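The following is an added example for this tutorial, not the contents of post_auth_radius_mapping.py. It shows the group-mapping logic described under "What the script does" and "Matching group names" in a form that handles the cases the page's snippet does not: several Filter-Id values in one reply (Okta returns one per group), byte values, an absent attribute, and an Okta group with no mapping. It assumes only that the RADIUS reply reaches the hook as a dict keyed by attribute code whose values are lists of str or bytes (the shape the page's snippet reads with info['radius_reply'].get(11)); the function names, GROUP_MAP and the sample replies are this example's own.

```python
"""Added example: Filter-Id (attribute 11) to Access Server group mapping.

Illustrative code written for this tutorial; it is not the sample script from
packages.openvpn.net. Assumption: the RADIUS reply is a dict keyed by attribute
code, each value a list of str or bytes. GROUP_MAP and the replies below are
constructed for the example.
"""

FILTER_ID = 11  # RADIUS attribute code for Filter-Id

# Okta group name -> Access Server group. Insertion order is the priority
# order: when a user is in several mapped groups, the first entry wins.
GROUP_MAP = {
    "OKTA1": "Admin",
    "OKTA2": "sales",
    "OKTA3": "finance",
}


def filter_id_values(radius_reply):
    """Return every Filter-Id value in the reply as a list of clean str.

    Values are kept separate rather than joined into one string, so an exact
    comparison is possible ('OKTA1' in 'OKTA10' would be True for substrings).
    """
    values = radius_reply.get(FILTER_ID) or []
    if isinstance(values, (str, bytes)):
        values = [values]
    out = []
    for value in values:
        if isinstance(value, bytes):
            value = value.decode("utf-8", errors="replace")
        value = value.strip()
        if value:
            out.append(value)
    return out


def map_group(radius_reply, group_map=GROUP_MAP, default=None):
    """Choose the Access Server group for this login.

    Returns (group, reason). group is None (or `default`) when nothing matched,
    so the caller can leave conn_group untouched and log the reason.
    """
    names = filter_id_values(radius_reply)
    if not names:
        return default, "no Filter-Id (11) in RADIUS reply"
    # Exact, case-sensitive matching: OKTA10 can never be mistaken for OKTA1.
    for okta_group, as_group in group_map.items():
        if okta_group in names:
            return as_group, "Filter-Id %r mapped to %r" % (okta_group, as_group)
    return default, "Filter-Id %r not in mapping" % (names,)


def apply_mapping(authret, radius_reply, group_map=GROUP_MAP):
    """Set conn_group on the auth result only when a mapping was found."""
    group, reason = map_group(radius_reply, group_map)
    print("***** RADIUS-Reply:", reason)
    if group is not None:
        authret["conn_group"] = group
    return authret


if __name__ == "__main__":
    # Constructed replies, not captured from a live Okta RADIUS agent.
    print(apply_mapping({"status": 1}, {FILTER_ID: [b"OKTA2"]}))
    print(apply_mapping({"status": 1}, {FILTER_ID: ["OKTA10"]}))
    print(apply_mapping({"status": 1}, {}))
```

Passing default=names[0] style pass-through is deliberately not the default: an unmapped Okta group name written into conn_group refers to a group that may not exist on Access Server, and the user then gets no group settings at all. Logging the reason and leaving conn_group alone is easier to diagnose with the grep from the test section.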