Skip to main content

Tutorial: How to Set Up RADIUS Group Mapping with a Post-Auth Script

Abstract

How to use a custom Python script to automate group mapping with RADIUS authentication.

Overview

You can configure Access Server to use Remote Authentication Dial-in User Service (RADIUS) to provide user authentication. Access Server becomes the RADIUS client, communicating with your RADIUS server containing user credentials. RADIUS is an out-of-the-box Access Server authentication method configured in the Admin Web UI. However, you must configure user permissions and group assignments separately. You can use a Python script to automate this with your centralized authentication.

After successful authentication, the Access Server runs a post-auth (post-authentication) script written in Python3 to perform additional tasks. We provide a post-auth script sample for you to customize for your RADIUS server.

With this tutorial, you can do the following:

  • Translate Active Directory groups into Access Server groups so that scripts, permissions, and IP assignments correlate to a specific AD group.

  • Assign a static IP address to a particular user given their AD profile.

  • AD user/group specific controls for the Access Server 'admin', 'autologin', 'lzo', 'reroute_gw', and 'deny-web' flags.

  • An installed Access Server

  • RADIUS authentication configured

  • RADIUS server

  • For an Active Directory setup, the NPS role installed and running.

Tip

Refer to the Active Directory RADIUS tutorial for information about the Network Policy steps.

Begin by downloading the post-auth sample script:

  1. Sign on to your Access Server via SSH and obtain root privileges.

  2. Download the script (https://packages.openvpn.net/as/scripts/post_auth_radius_mapping.py):

    wget https://packages.openvpn.net/as/scripts/post_auth_radius_mapping.py -O /root/radius.py1

    1

    This saves the script to the /root/ directory with the name radius.py.

    Tip

    If you have problems downloading the script this way, you may need to install/update the wget and/or ca-certificates package(s) on your system.

After downloading the script, load it into your Access Server configuration.

  • Load the script:

    cd /usr/local/openvpn_as/scripts
    ./sacli --key auth.module.post_auth_script --value_file=/root/radius.py ConfigPut
    ./sacli start
    • You've installed the script, and it's ready for use.

Important

If you still need to configure your Access Server to use RADIUS authentication, ensure you do so.

With the script installed, you have three use cases for it:

  1. Add user properties automatically.

  2. Automate group mapping.

  3. Set static IP addresses.

Add user properties automatically

You can add user properties with the RADIUS post-auth script using the Callback-Number RADIUS reply attribute. The callback-number implementation is similar to Linux's permission mask values and consists of the following five bits:

1st (left-most) bit: prop_superuser

Add admin privileges to the connecting user?

0 = no

1 = yes

2nd (left-most) bit: prop_autologin

Can this user download an autologin profile and have autologin privileges?

0 = no

1 = yes

3rd (middle) bit: prop_lzo

Turn on LZO compression?

0 = no

1 = yes

4th (left-most) bit: prop_reroute_gw_override

If redirecting the user's internet traffic over the VPN is turned on globally, the behavior should be modified so that 0 = disable internet routing, 1 = only route DNS servers.

Note

This option has no effect when the redirection isn't turned on globally and thus can't be used to turn on redirection specifically for individual users when the option is turned off globally.

5th (left-most) bit: prop_deny_web

Deny user access to the web interfaces?

0 = no

1 = yes

Caution

The processing script ignores any values above not set to zero (0) or one (1) and uses your Access Server's default values. In this article, we use the letter F to indicate default values. The script requires exactly five characters specified to process the callback-number reply attribute. If you don't want to override a specific option, mask it with a letter F, e.g., 11FFF.

Examples

  1. Indicate that a user/group is an admin, with autologin enabled, without overriding any other options: Set callback-number to 11FFF.

  2. Turn off LZO compression for a specific user/group: Set callback-number to FF0FF.

Where to set the callback number

You have two options for where you set the callback number: at the user level or the policy level. For example, here's where to set that with Active Directory:

Set the callback at the user level

ADUserProp.png
  1. Under Active Directory Users and Computers, from the user's properties, click the Dial-in tab.

  2. Under Callback Options, select Always Callback to: and enter the value in the text field (e.g., 1FFFF).

Set the callback at the policy level

NPSPolicyAdd.png
  1. Open the Server Manager.

  2. From the policy's Settings tab, navigate to NPC MMS snap-in.

  3. Add a Callback-Number attribute and enter the desired value (e.g., 1FFFF),

  4. A string (not hexadecimal) of five characters is expected when adding the reply attribute.

You can set the callback at both the user and policy levels concurrently. With this configuration, the user level overrides the policy level.

Automate group mapping

You can dynamically map your Active Directory groups to your Access Server groups. Once mapped, groups inherit appropriate group permissions, scripts, and access controls.

To map groups:

  1. Create multiple policies in the Active Directory Network Policies folder inside the NPS snap-in. Each policy corresponds to a single Access Server group.

    • Example: The different Active Directory groups, Administrators and Sales, need separate policies granting RADIUS access.

  2. For each policy, add the Framed-Pool reply attribute containing the Access Server group name for the policy (e.g., Admin).

    • You can map multiple Active Directory groups to a single Access Server group.

    • Active Directory and Access Server groups don't have to have the same corresponding names.

Example

Suppose we want to map the following Active Directory Groups to Access Server groups:

active-directory-group-mapping.png

To create these mappings, you create three NPS policies as such:

Policy

Conditions

Settings

NPS Policy 1

Enterprise Admins OR Domain Admins OR Technicians

Add Framed-Pool reply attribute = Admins

NPS Policy 2

Sales

Add Framed-Pool reply attribute = Sales

NPS Policy 3

Domain Users OR VPN Users

Add Framed-Pool reply attribute = Users

Caution

The processing script doesn't run error checking for typos or misspelled group names. We recommend that you test these policies after creating them. A typo prevents your users from signing into your server.

Set static IP address within Active Directory and NPS

You can configure Access Server to accept static IP assignments from Active Directory. This uses the Dial-in tab for the user's properties, similar to the setup for automating user properties.

Ensure you satisfy the following requirements first:

  • The user in question belongs to an Access Server group (set manually in the Admin Web UI under User Permissions or automatically with the post-auth script).

  • You've defined a group-specific subnet for the user's group.

  • The static IP address the user gets assigned resides in the group-specific subnet.

    Important

    You can't use global dynamic/static pools.

If you've met these three criteria, you can assign the specific, static IP address for the user in Active Directory:

  1. From the user's properties, click the Dial-in tab.

  2. Check Assign Static IP Addresses.

  3. Click Static IP Addresses to define the IP address for the user.

Important

If you have typos or a misconfiguration, the user won't be able to connect to your VPN server. If this happens, sign in to the Admin Web UI and review the Log Reports for error details.