openvpn radius auth + groups subnet restrictions

Posted: Wed Mar 08, 2017 9:03 pm
by orange4
Trying to determine how to replicate groups in openvpn community like openvpn-as has. In openvpn-as, one can create groups that have subnet restrictions, so only certain user groups are allowed to access certain subnets.

On our openvpn-as, we're using radius to authenticate users, our radius (MS NPS) passes back a framed-pool attribute (88) to specify the group. A python script that was installed with sacli picks up the group from the radius framed pool attribute, then maps it to an identically named group that is defined statically, and the subnet restrictions are applied.

My question is how to replicate this (group restrictions) in openvpn-community. I've seen 'creating static CN -> IP mappings with ccd' mentioned, looking for tips on how this would look in the config of openvpn-community.

Thanks
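
The group-to-subnet mapping described in the post, as an added example that is not part of the original post and is not OpenVPN's own code: each group gets its own address pool inside the VPN range, a ccd-style `ifconfig-push` line pins a client into its group's pool, and forwarding rules are generated per pool. The group names, address ranges and helper names are constructed assumptions, and the group string is assumed to be the value the RADIUS server returned in Framed-Pool.

```python
import ipaddress

# Constructed sample policy. Keys stand in for RADIUS Framed-Pool values;
# all pools and subnets below are made-up example ranges.
GROUPS = {
    "engineering": {"pool": "10.8.1.0/24",
                    "allow": ["192.168.10.0/24", "192.168.20.0/24"]},
    "finance":     {"pool": "10.8.2.0/24",
                    "allow": ["192.168.30.0/24"]},
}
# Assumed server range ("server 10.8.0.0 255.255.0.0" with "topology subnet").
VPN_NET = ipaddress.ip_network("10.8.0.0/16")


def ccd_line(group, host_index):
    """Return the ifconfig-push directive for the Nth client of a group.

    The line belongs in the file named after the client's CN inside the
    directory given by client-config-dir.
    """
    pool = ipaddress.ip_network(GROUPS[group]["pool"])  # KeyError: unknown group
    if not pool.subnet_of(VPN_NET):
        raise ValueError(f"{pool} is outside the VPN range {VPN_NET}")
    hosts = list(pool.hosts())
    if not 0 <= host_index < len(hosts):
        raise ValueError(f"pool for group {group!r} is exhausted")
    return f"ifconfig-push {hosts[host_index]} {VPN_NET.netmask}"


def firewall_rules(chain="FORWARD"):
    """Return iptables commands: allow each pool to its subnets, drop the rest."""
    rules = [f"iptables -A {chain} -m conntrack "
             "--ctstate ESTABLISHED,RELATED -j ACCEPT"]  # return traffic
    for name in sorted(GROUPS):
        group = GROUPS[name]
        for dst in group["allow"]:
            ipaddress.ip_network(dst)  # reject malformed subnets early
            rules.append(
                f"iptables -A {chain} -s {group['pool']} -d {dst} -j ACCEPT")
    # Default deny for anything from the VPN range not matched above,
    # including clients that were never assigned to a group pool.
    rules.append(f"iptables -A {chain} -s {VPN_NET} -j DROP")
    return rules


if __name__ == "__main__":
    print(ccd_line("finance", 4))
    print("\n".join(firewall_rules()))
```

Because the final rule drops all other traffic from the VPN range, a client that connects without a matching ccd entry lands outside every group pool and reaches nothing.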