okta radius agent groups integration

Posted: Tue May 17, 2022 5:22 pm
by vlisnyi
Hi, OpenVPN Access Server has good integration with Okta, described at ... ia-radius/

but the manual does not give any clue about Okta groups integration.

I have a group configuration on the Okta RADIUS application side

and tried some combinations, but OpenVPN Access Server does not return routes for the tested group.
I also didn't find any group requests in the logs below (I set DEBUG=True in /usr/local/openvpn_as/etc/as.conf)

tail -f /opt/okta/ragent/logs/okta_radius.access.log /opt/okta/ragent/logs/okta_radius.log /var/log/openvpnas.log
Can somebody point me to the correct configuration on the Okta RADIUS application side for OpenVPN Access Server?

Re: okta radius agent groups integration

Posted: Wed May 18, 2022 3:54 pm
by chilinux
The RADIUS support built directly into OpenVPN Access Server is strictly authentication.

To directly answer your question on integrating with Okta's RADIUS for group mapping, you do it via post_auth python script as explained here: ... -examples/

That being said, it should be noted that Okta supports both LDAP and RADIUS. Between those two, I would always choose LDAP over TLS instead of RADIUS. The RADIUS protocol and MS-CHAPv2 have not aged well (PAP and MS-CHAP have aged even worse) in comparison to modern secure authentication protocols. LDAP over TLS instead gets you a fully encrypted session for authentication.

The document above also explains doing group mapping with LDAP.

Re: okta radius agent groups integration

Posted: Fri May 20, 2022 2:18 pm
by vlisnyi
Hi, thanks for the hint. I did this, and the related script can be found below (I decided to use RADIUS in this case).

from pyovpn.plugin import *

def post_auth(authcred, attributes, authret, info):

    # Create user prop list, if one does not already exist
    proplist = authret.setdefault('proplist', {})

    # user properties to save
    proplist_save = {}

    # Proceed with post_auth script if the server is using RADIUS, otherwise skip this script
    if info.get('auth_method') == 'radius':

        # Every valid user should be able to connect to the VPN
        proplist['prop_autogenerate'] = 'true'

        # If the user belongs to any groups, set the group for that user using the priority below
        if 11 in info['radius_reply']:
            # RADIUS attribute 11 (Filter-Id) carries the ';'-separated group list
            groups = ''.join(info['radius_reply'].get(11))
            print("***** RADIUS-Reply: users groups list:", groups)
            radius_groups = groups.split(";")

            # Adjust these to map the user's radius group membership to an Access Server group.
            # First match wins, so list the most privileged group first.
            group = None
            if 'test' in radius_groups:
                group = "test"
            elif 'test1' in radius_groups:
                group = "test1"

            # Only assign a group when one of the mappings matched;
            # otherwise 'group' would be undefined and the script would raise NameError.
            if group is not None:
                proplist['conn_group'] = group
                proplist_save['conn_group'] = group

    return authret, proplist_save
I made it in the same way as is done in the script for LDAP: groups attach to a person in strict order from the most powerful to the least privileged.
This solution is quite simple, and I think it can be useful for other people using Okta as SSO for OpenVPN Access Server who want to use Okta groups for providing network access permissions.
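The following is an added example, not the script posted above and not OpenVPN's or Okta's own code. It illustrates the post_auth group-mapping approach chilinux points to and the priority-ordered mapping vlisnyi describes, but generalises it: the mapping is a most-privileged-first list rather than an if/elif chain, attribute 11 (Filter-Id) is accepted either as one ';'-separated string or as several attribute values, bytes are decoded, and the case where no mapped group matches is handled explicitly instead of failing. The group names, the Filter-Id layout, and the omission of the `pyovpn.plugin` import (the hook below uses nothing from it, so it runs offline) are assumptions made for the example; the `post_auth` signature and the `proplist` keys are the ones used on this page.

```python
# Added example: priority-ordered mapping of Okta RADIUS groups (Filter-Id,
# RADIUS attribute 11) to an OpenVPN Access Server group in a post_auth hook.
# Group names below are constructed sample values, not from the original post.

# Most privileged first; the first Okta group the user belongs to wins.
GROUP_PRIORITY = [
    ("vpn-admins", "admins"),            # Okta group name -> Access Server group
    ("vpn-staff", "staff"),
    ("vpn-contractors", "contractors"),
]


def parse_filter_id(radius_reply):
    """Return the set of group names carried in RADIUS attribute 11.

    Accepts a single ';'-separated string, several attribute values, or a mix,
    and returns an empty set when the attribute is absent (assumed layout).
    """
    values = radius_reply.get(11)
    if not values:
        return set()
    parts = []
    for value in values:
        if isinstance(value, bytes):
            value = value.decode("utf-8", errors="replace")
        parts.append(value)
    # Joining with ';' keeps separate attribute values apart; ''.join would
    # merge "vpn-admins" and "vpn-staff" into one bogus name.
    joined = ";".join(parts)
    return {name.strip() for name in joined.split(";") if name.strip()}


def select_group(radius_groups, priority=GROUP_PRIORITY):
    """Return the Access Server group for the highest-priority match, or None."""
    for okta_group, as_group in priority:
        if okta_group in radius_groups:
            return as_group
    return None


def post_auth(authcred, attributes, authret, info):
    """post_auth hook with the signature used by OpenVPN Access Server."""
    proplist_save = {}

    # Only act on RADIUS authentications; leave other methods untouched.
    if info.get("auth_method") != "radius":
        return authret, proplist_save

    proplist = authret.setdefault("proplist", {})
    proplist["prop_autogenerate"] = "true"

    radius_groups = parse_filter_id(info.get("radius_reply", {}))
    group = select_group(radius_groups)

    if group is None:
        # No mapped group: the user is left without conn_group so they only get
        # the server defaults. A deployment may prefer to reject the login here.
        print("***** RADIUS-Reply: no mapped group in", sorted(radius_groups))
        return authret, proplist_save

    print("***** RADIUS-Reply: mapped groups", sorted(radius_groups), "->", group)
    proplist["conn_group"] = group
    proplist_save["conn_group"] = group
    return authret, proplist_save
```

Because the priority list is checked from the top, a user who is in both "vpn-staff" and "vpn-admins" lands in "admins", which is the strict most-to-least-privileged ordering the post describes; keep the list short and reviewed, since every entry is effectively a network-access policy.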