okta radius agent groups integration

Business solution to host your own OpenVPN server with web management interface and bundled clients.
Post Reply
vlisnyi
OpenVpn Newbie
Posts: 9
Joined: Mon May 16, 2022 1:35 pm

okta radius agent groups integration

Post by vlisnyi » Tue May 17, 2022 5:22 pm

Hi, OpenVPN access server has good integration with okta described https://openvpn.net/vpn-server-resource ... ia-radius/

but manual does not give any clue related to okta groups integration

I have group configuration on the Okta RADIUS application side

Image

and tried some combinations, but the OpenVPN access server does not return routes for the tested group.
I also didn't find any group requests in logs below (I set DEBUG=True in /usr/local/openvpn_as/etc/as.conf)

Code: Select all

tail -f /opt/okta/ragent/logs/okta_radius.access.log /opt/okta/ragent/logs/okta_radius.log /var/log/openvpnas.log
can somebody point me to the correct configuration on the okta radius application side for the OpenVPN access server

chilinux
OpenVPN Power User
Posts: 156
Joined: Thu Mar 28, 2013 8:31 am

Re: okta radius agent groups integration

Post by chilinux » Wed May 18, 2022 3:54 pm

The RADIUS support built directly into OpenVPN Access Server is strictly authentication.

To directly answer your question on integrating with Okta's RADIUS for group mapping, you do it via post_auth python script as explained here:
https://openvpn.net/vpn-server-resource ... -examples/

That being said, it should be noted that Okta supports both LDAP and RADIUS. Between those two, I would always choose LDAP over TLS instead of RADIUS. The RADIUS protocol and MS-CHAPv2 have not aged well (PAP and MS-CHAP have aged even worse) in comparison to modern secure authentication protocols. LDAP over TLS instead gets you a fully encrypted session for authentication.

The document above also explains doing group mapping with LDAP.

vlisnyi
OpenVpn Newbie
Posts: 9
Joined: Mon May 16, 2022 1:35 pm

Re: okta radius agent groups integration

Post by vlisnyi » Fri May 20, 2022 2:18 pm

Hi, thanks for the hint, I did this, and below can be found a related script (decided to use radius in this case)

Code: Select all

from pyovpn.plugin import *


def post_auth(authcred, attributes, authret, info):

    # Create user prop list, if one does not already exist
    proplist = authret.setdefault('proplist', {})

    # user properties to save
    proplist_save = {}

    # Proceed with post_auth script if the server is using RADIUS, otherwise skip this script
    if info.get('auth_method') == 'radius':

        # Every valid user should be able to connect to the VPN
        authret['proplist']['prop_autogenerate'] = 'true'

        # If user belong to any groups, set group for that user using priority below
        if 11 in info['radius_reply']:
            print("***** RADIUS-Reply: users groups list:", ''.join(info['radius_reply'].get(11)))
            groups = ''.join(info['radius_reply'].get(11))
            radius_groups = groups.split(";")

            # Adjust these to map the user's radius group membership to an Access Server group.
            if 'test' in radius_groups:
                group = "test"
            elif 'test1' in radius_groups:
                group = "test1"

            authret['proplist']['conn_group'] = group
            proplist_save['conn_group'] = group

    return authret, proplist_save
I made it in the same way as done in the script for LDAP, groups attach to a person in strict order from the most powerful to the least privileged.
This solution is quite simple and think can be useful for other people using okta as SSO for OpenVPN Access Server and who want to use okta groups for providing network access permissions

Post Reply