Tutorial: How to Set Up RADIUS Group Mapping with a Post-Auth Script
How to use a custom Python script to automate group mapping with RADIUS authentication.
Overview
You can configure Access Server to use Remote Authentication Dial-in User Service (RADIUS) to provide user authentication. Access Server becomes the RADIUS client, communicating with your RADIUS server containing user credentials. RADIUS is an out-of-the-box Access Server authentication method configured in the Admin Web UI. However, you must configure user permissions and group assignments separately. You can use a Python script to automate this with your centralized authentication.
After successful authentication, the Access Server runs a post-auth (post-authentication) script written in Python3 to perform additional tasks. We provide a post-auth script sample for you to customize for your RADIUS server.
With this tutorial, you can do the following:
Translate Active Directory groups into Access Server groups so that scripts, permissions, and IP assignments correlate to a specific AD group.
Assign a static IP address to a particular user given their AD profile.
AD user/group specific controls for the Access Server 'admin', 'autologin', 'lzo', 'reroute_gw', and 'deny-web' flags.
An installed Access Server
RADIUS authentication configured
RADIUS server
For an Active Directory setup, the NPS role installed and running.
Tip
Refer to the Active Directory RADIUS tutorial for information about the Network Policy steps.
Begin by downloading the post-auth sample script:
Sign on to your Access Server via SSH and obtain root privileges.
Download the script (https://packages.openvpn.net/as/scripts/post_auth_radius_mapping.py):
wget https://packages.openvpn.net/as/scripts/post_auth_radius_mapping.py -O /root/radius.py1
This saves the script to the /root/ directory with the name radius.py.
Tip
If you have problems downloading the script this way, you may need to install/update the wget and/or ca-certificates package(s) on your system.
After downloading the script, load it into your Access Server configuration.
Load the script:
cd /usr/local/openvpn_as/scripts ./sacli --key auth.module.post_auth_script --value_file=/root/radius.py ConfigPut ./sacli start
You've installed the script, and it's ready for use.
Important
If you still need to configure your Access Server to use RADIUS authentication, ensure you do so.
With the script installed, you have three use cases for it:
Add user properties automatically.
Automate group mapping.
Set static IP addresses.
Add user properties automatically
You can add user properties with the RADIUS post-auth script using the Callback-Number RADIUS reply attribute. The callback-number implementation is similar to Linux's permission mask values and consists of the following five bits:
1st (left-most) bit: prop_superuser | Add admin privileges to the connecting user? 0 = no 1 = yes |
2nd (left-most) bit: prop_autologin | Can this user download an autologin profile and have autologin privileges? 0 = no 1 = yes |
3rd (middle) bit: prop_lzo | Turn on LZO compression? 0 = no 1 = yes |
4th (left-most) bit: prop_reroute_gw_override | If redirecting the user's internet traffic over the VPN is turned on globally, the behavior should be modified so that 0 = disable internet routing, 1 = only route DNS servers. NoteThis option has no effect when the redirection isn't turned on globally and thus can't be used to turn on redirection specifically for individual users when the option is turned off globally. |
5th (left-most) bit: prop_deny_web | Deny user access to the web interfaces? 0 = no 1 = yes |
Caution
The processing script ignores any values above not set to zero (0) or one (1) and uses your Access Server's default values. In this article, we use the letter F to indicate default values. The script requires exactly five characters specified to process the callback-number reply attribute. If you don't want to override a specific option, mask it with a letter F, e.g., 11FFF.
Examples
Indicate that a user/group is an admin, with autologin enabled, without overriding any other options: Set callback-number to 11FFF.
Turn off LZO compression for a specific user/group: Set callback-number to FF0FF.
Where to set the callback number
You have two options for where you set the callback number: at the user level or the policy level. For example, here's where to set that with Active Directory:
Set the callback at the user level |
|
Set the callback at the policy level |
|
You can set the callback at both the user and policy levels concurrently. With this configuration, the user level overrides the policy level.
Automate group mapping
You can dynamically map your Active Directory groups to your Access Server groups. Once mapped, groups inherit appropriate group permissions, scripts, and access controls.
To map groups:
Create multiple policies in the Active Directory Network Policies folder inside the NPS snap-in. Each policy corresponds to a single Access Server group.
Example: The different Active Directory groups, Administrators and Sales, need separate policies granting RADIUS access.
For each policy, add the Framed-Pool reply attribute containing the Access Server group name for the policy (e.g., Admin).
You can map multiple Active Directory groups to a single Access Server group.
Active Directory and Access Server groups don't have to have the same corresponding names.
Example
Suppose we want to map the following Active Directory Groups to Access Server groups:
To create these mappings, you create three NPS policies as such:
Policy | Conditions | Settings |
---|---|---|
NPS Policy 1 | Enterprise Admins OR Domain Admins OR Technicians | Add Framed-Pool reply attribute = Admins |
NPS Policy 2 | Sales | Add Framed-Pool reply attribute = Sales |
NPS Policy 3 | Domain Users OR VPN Users | Add Framed-Pool reply attribute = Users |
Caution
The processing script doesn't run error checking for typos or misspelled group names. We recommend that you test these policies after creating them. A typo prevents your users from signing into your server.
Set static IP address within Active Directory and NPS
You can configure Access Server to accept static IP assignments from Active Directory. This uses the Dial-in tab for the user's properties, similar to the setup for automating user properties.
Ensure you satisfy the following requirements first:
The user in question belongs to an Access Server group (set manually in the Admin Web UI under User Permissions or automatically with the post-auth script).
You've defined a group-specific subnet for the user's group.
The static IP address the user gets assigned resides in the group-specific subnet.
Important
You can't use global dynamic/static pools.
If you've met these three criteria, you can assign the specific, static IP address for the user in Active Directory:
From the user's properties, click the Dial-in tab.
Check Assign Static IP Addresses.
Click Static IP Addresses to define the IP address for the user.
Important
If you have typos or a misconfiguration, the user won't be able to connect to your VPN server. If this happens, sign in to the Admin Web UI and review the Log Reports for error details.