OpenVPN Access Server post_auth RADIUS group mapping script
You can configure Access Server to use Remote Authentication Dial-in User Service (RADIUS) to provide user authentication. Access Server becomes the RADIUS client, communicating with your RADIUS server containing user credentials. RADIUS is an out-of-the-box Access Server authentication method configured in the Admin Web UI. However, you must configure user permissions and group assignments separately. You can use a Python script to automate this with your centralized authentication.
After successful authentication, Access Server runs a post-auth (post-authentication) script written in Python 3 to perform additional tasks. We provide a sample post-auth script for you to customize for your RADIUS server.
This document walks you through the following steps for setting up RADIUS group mapping:
- Download the post-auth script.
- Load the script to your Access Server.
- Set reply attributes for your use case(s).
- Check that it’s working correctly.
With this guide, you can do the following:
- Translate Active Directory groups into Access Server groups so that scripts, permissions, and IP assignments correlate to a specific AD group.
- Assign a static IP address to a particular user given their AD profile.
- Apply AD user- or group-specific controls for the Access Server 'admin', 'autologin', 'lzo', 'reroute_gw', and 'deny-web' flags.
To configure this RADIUS group mapping script with an Active Directory server, you must have the NPS role installed and running. Refer to Configuring Active Directory (Windows Server) RADIUS Protocol for OpenVPN Access Server for information about the Network Policy steps.
Download the post-auth Python script
Begin by downloading the post-auth sample script:
- Sign on to your Access Server via SSH and obtain root privileges.
- Download the script:
wget https://swupdate.openvpn.net/scripts/post_auth_radius_mapping.py -O post_auth_radius_mapping.py
Load the script
After downloading the script, load it into your Access Server configuration.
- Load the script:
./sacli --key auth.module.post_auth_script --value_file=post_auth_radius_mapping.py ConfigPut
You've installed the script, and it's ready for use.
If you haven't configured your Access Server to use RADIUS authentication yet, do so.
Set reply attributes for use cases
With the script installed, you have three use cases for it:
- Add user properties automatically.
- Automate group mapping.
- Set static IP addresses.
Add user properties automatically
Using the Callback-Number RADIUS reply attribute, you can add user properties with the RADIUS post-auth script. The callback number implementation is similar to Linux's permission mask values and consists of the following five bits:
| Bit position | Property | Purpose | Values |
|---|---|---|---|
| 1st (left-most) | prop_superuser | Add admin privileges to the connecting user? | 0 = no, 1 = yes |
| 2nd | prop_autologin | Can this user download an autologin profile and have autologin privileges? | 0 = no, 1 = yes |
| 3rd (middle) | prop_lzo | Turn on LZO compression? | 0 = no, 1 = yes |
| 4th | prop_reroute_gw_override | If redirecting the user's internet traffic over the VPN is turned on globally, modify that behavior for this user or group. | 0 = disable internet routing, 1 = only route DNS servers |
| 5th (right-most) | prop_deny_web | Deny user access to the web interfaces? | 0 = no, 1 = yes |

Note: prop_reroute_gw_override has no effect when the redirection isn't turned on globally, so you can't use it to turn on redirection for individual users when the option is turned off globally.
Note: The processing script ignores any position in the value that isn't set to zero (0) or one (1) and uses your Access Server's default value for that option. In this article, we use the letter F to indicate default values. The script requires exactly five characters to process the callback-number reply attribute. If you don't want to override a specific option, mask it with the letter F, e.g., 11FFF.
- Indicate that a user/group is an admin, with autologin enabled, without overriding any other options: Set callback-number to 11FFF.
- Turn off LZO compression for a specific user/group: Set callback-number to FF0FF.
Where to set the callback number:
You have two options for where you set the callback number: at the user level or the policy level. For example, here's where to set that with Active Directory:
- Set the callback at the user level.
- Set the callback at the policy level.
You can set the callback at both the user and policy levels concurrently. With this configuration, the user level overrides the policy level.
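The mask rules above can be checked before you put values into NPS. The following is an added example, not part of the OpenVPN sample script: `decode_callback` and `review` are hypothetical helper names, and the labels and masks in `SAMPLE` are constructed.

```python
# Left-to-right order of the five mask positions, as listed on this page.
PROPS = ("prop_superuser", "prop_autologin", "prop_lzo",
         "prop_reroute_gw_override", "prop_deny_web")


def decode_callback(mask):
    """Decode a Callback-Number mask into {property: 0 or 1}.

    Only positions holding '0' or '1' appear in the result; any other
    character (this page uses 'F') leaves the server default in place.
    Returns None when the value is not exactly five characters, because
    the script requires exactly five to process the attribute.
    """
    if not isinstance(mask, str) or len(mask) != 5:
        return None
    return {name: int(ch) for name, ch in zip(PROPS, mask) if ch in ("0", "1")}


def review(assignments):
    """Return (label, finding) pairs to look at before rolling values out."""
    findings = []
    for label, mask in assignments.items():
        props = decode_callback(mask)
        if props is None:
            findings.append((label, "not exactly five characters"))
            continue
        # A 1 in the first position at policy level makes every user the
        # policy matches an Access Server admin, so it is always reported.
        if props.get("prop_superuser") == 1:
            findings.append((label, "grants admin privileges"))
        if props.get("prop_autologin") == 1:
            findings.append((label, "allows autologin profiles"))
    return findings


# Constructed sample: where each value is set, and the planned mask.
SAMPLE = {
    "policy:Admins": "11FFF",
    "policy:Sales": "FF0FF",
    "user:jdoe": "F1FFF",
    "user:asmith": "11FF",   # one character short
}

if __name__ == "__main__":
    for label, finding in review(SAMPLE):
        print(f"{label}: {finding}")
```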
Automate group mapping
You can dynamically map your Active Directory groups to your Access Server groups. Once mapped, groups inherit appropriate group permissions, scripts, and access controls.
To map groups:
- Create multiple policies in the Active Directory Network Policies folder inside the NPS snap-in — each policy corresponds to a single Access Server group.
- Example: The different Active Directory groups, Administrators and Sales, need separate policies granting RADIUS access.
- For each policy, add the Framed-Pool reply attribute containing the Access Server group name for the policy (e.g., Admin).
- You can map multiple Active Directory groups to a single Access Server group.
- Active Directory and Access Server groups don't have to have the same corresponding names.
Suppose we want to map the following Active Directory Groups to Access Server groups:
To create these mappings, you create three NPS policies as follows:
- NPS Policy 1:
  - Conditions: Enterprise Admins OR Domain Admins OR Technicians
  - Settings: Add Framed-Pool reply attribute = Admins
- NPS Policy 2:
  - Settings: Add Framed-Pool reply attribute = Sales
- NPS Policy 3:
  - Conditions: Domain Users OR VPN Users
  - Settings: Add Framed-Pool reply attribute = Users
Note: The processing script doesn't run error checking for typos or misspelled group names. We recommend that you test these policies after creating them. A typo prevents your users from signing into your server.
Set static IP address within Active Directory and NPS
You can configure Access Server to accept static IP assignments from Active Directory. This uses the Dial-in tab for the user's properties, similar to the setup for automating user properties.
Ensure you satisfy the following requirements first:
- The user in question belongs to an Access Server group (set manually in the Admin Web UI under User Permissions or automatically with the post-auth script).
- You've defined a group-specific subnet for the user's group.
- The static IP address the user gets assigned resides in the group-specific subnet. (Note: You can't use global dynamic/static pools.)
If you've met these three criteria, you can assign the specific, static IP address for the user in Active Directory:
- From the user's properties, click the Dial-in tab.
- Check Assign Static IP Addresses.
- Click Static IP Addresses to define the IP address for the user.
If you have typos or a misconfiguration, the user won't be able to connect to your VPN server. If this happens, sign in to the Admin Web UI and review the Log Reports for error details.
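Because neither the group name nor the static IP address is validated for you, a pre-deployment check can catch both kinds of mistake. This is an added example, not code from the OpenVPN script: the group inventory, subnets, user names, and function names are constructed, and exact case-sensitive group matching is an assumption.

```python
import difflib
import ipaddress

# Constructed inventory (assumption): Access Server group names and their
# group-specific subnets. None means no group-specific subnet is defined.
AS_GROUPS = {"Admins": "10.10.1.0/24", "Sales": "10.10.2.0/24", "Users": None}


def check_reply(framed_pool, static_ip=None, groups=AS_GROUPS):
    """Return a list of problems with one planned Framed-Pool / static IP pair.

    An empty list means the pair meets the requirements listed on this page.
    Group names are compared exactly (case-sensitive), which is an assumption.
    """
    if framed_pool not in groups:
        hint = difflib.get_close_matches(framed_pool, list(groups), n=1)
        suffix = f" (did you mean {hint[0]!r}?)" if hint else ""
        return [f"unknown group {framed_pool!r}{suffix}"]
    if static_ip is None:
        return []
    subnet = groups[framed_pool]
    if subnet is None:
        return [f"group {framed_pool!r} has no group-specific subnet"]
    try:
        addr = ipaddress.ip_address(static_ip)
    except ValueError:
        return [f"{static_ip!r} is not a valid IP address"]
    if addr not in ipaddress.ip_network(subnet):
        return [f"{static_ip} is outside {framed_pool!r} subnet {subnet}"]
    return []


# Constructed plan: (user, Framed-Pool value, static IP or None).
PLAN = [
    ("alice", "Admins", "10.10.1.25"),
    ("bob", "Admin", None),            # typo in the policy's Framed-Pool
    ("carol", "Sales", "10.10.1.30"),  # address belongs to another group
    ("dave", "Users", "10.10.3.5"),    # group has no group-specific subnet
]


def check_plan(plan=PLAN):
    """Map each user with at least one problem to the list of problems."""
    report = {}
    for user, pool, ip in plan:
        problems = check_reply(pool, ip)
        if problems:
            report[user] = problems
    return report
```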