okta radius agent groups integration
Posted: Tue May 17, 2022 5:22 pm
by vlisnyi
Hi, OpenVPN Access Server has good integration with Okta, described here:
https://openvpn.net/vpn-server-resource ... ia-radius/
but the manual does not give any clue about Okta groups integration.
I have a group configuration on the Okta RADIUS application side
and tried some combinations, but the OpenVPN Access Server does not return routes for the tested group.
I also didn't find any group requests in the logs below (I set DEBUG=True in /usr/local/openvpn_as/etc/as.conf):
Code:
    tail -f /opt/okta/ragent/logs/okta_radius.access.log /opt/okta/ragent/logs/okta_radius.log /var/log/openvpnas.log
Can somebody point me to the correct configuration on the Okta RADIUS application side for the OpenVPN Access Server?
Re: okta radius agent groups integration
Posted: Wed May 18, 2022 3:54 pm
by chilinux
The RADIUS support built directly into OpenVPN Access Server is strictly authentication.
To directly answer your question on integrating with Okta's RADIUS for group mapping, you do it via a post_auth Python script, as explained here:
https://openvpn.net/vpn-server-resource ... -examples/
That being said, it should be noted that Okta supports both LDAP and RADIUS. Between those two, I would always choose LDAP over TLS instead of RADIUS. The RADIUS protocol and MS-CHAPv2 have not aged well (PAP and MS-CHAP have aged even worse) in comparison to modern secure authentication protocols. LDAP over TLS instead gets you a fully encrypted session for authentication.
The document above also explains doing group mapping with LDAP.
Re: okta radius agent groups integration
Posted: Fri May 20, 2022 2:18 pm
by vlisnyi
Hi, thanks for the hint. I did this, and a related script can be found below (I decided to use RADIUS in this case):
Code:
    from pyovpn.plugin import *

    def post_auth(authcred, attributes, authret, info):
        # Create user prop list, if one does not already exist
        proplist = authret.setdefault('proplist', {})
        # user properties to save
        proplist_save = {}
        # Proceed with post_auth script if the server is using RADIUS, otherwise skip this script
        if info.get('auth_method') == 'radius':
            # Every valid user should be able to connect to the VPN
            authret['proplist']['prop_autogenerate'] = 'true'
            # If user belongs to any groups, set group for that user using priority below
            group = None
            if 11 in info['radius_reply']:
                # Attribute 11 is Filter-Id; the group names arrive ';'-separated
                groups = ''.join(info['radius_reply'].get(11))
                print("***** RADIUS-Reply: users groups list:", groups)
                radius_groups = groups.split(";")
                # Adjust these to map the user's radius group membership to an Access Server group.
                if 'test' in radius_groups:
                    group = "test"
                elif 'test1' in radius_groups:
                    group = "test1"
            # Only set conn_group when a mapping matched; otherwise 'group' would be undefined
            if group is not None:
                authret['proplist']['conn_group'] = group
                proplist_save['conn_group'] = group
        return authret, proplist_save
I made it in the same way as is done in the script for LDAP: groups attach to a person in strict order from the most powerful to the least privileged.
This solution is quite simple, and I think it can be useful for other people using Okta as SSO for OpenVPN Access Server who want to use Okta groups for granting network access permissions.
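As an added example (not code from this thread, from Okta, or from OpenVPN Access Server), the post_auth mapper below generalizes the script above: it accepts one or several Filter-Id (RADIUS attribute 11) values, tolerates bytes and stray whitespace, picks the most privileged Access Server group from an ordered priority list, and simply leaves conn_group unset when nothing matches instead of raising. The names FILTER_ID, GROUP_PRIORITY, parse_filter_id and select_group, the group names, and the constructed sample reply are assumptions; the `from pyovpn.plugin import *` line is omitted so the module also runs outside Access Server.

```python
# Added example, not the thread's or OpenVPN Access Server's own code.
# Assumption: Access Server calls post_auth(authcred, attributes, authret, info)
# and exposes the RADIUS reply as info['radius_reply'], a dict keyed by
# attribute number, exactly as the script in the thread relies on.

FILTER_ID = 11  # RADIUS attribute number for Filter-Id (assumed carrier of group names)

# Most privileged Access Server group first; the first match wins.
# Group names are constructed examples, substitute your own.
GROUP_PRIORITY = ["vpn-admins", "vpn-engineering", "vpn-staff"]


def parse_filter_id(radius_reply):
    """Return the set of group names carried in Filter-Id.

    Assumption: the value for attribute 11 is a list of one or more
    str/bytes items (a server may return several Filter-Id attributes),
    and each item may itself hold several ';'-separated group names.
    """
    values = radius_reply.get(FILTER_ID) or []
    if isinstance(values, (str, bytes)):
        values = [values]
    groups = set()
    for value in values:
        if isinstance(value, bytes):
            value = value.decode("utf-8", errors="replace")
        for name in value.split(";"):
            name = name.strip()
            if name:
                groups.add(name)
    return groups


def select_group(groups, priority=GROUP_PRIORITY):
    """Pick the first (most privileged) group in priority order, else None."""
    for name in priority:
        if name in groups:
            return name
    return None


def post_auth(authcred, attributes, authret, info):
    # Create the user prop list if one does not already exist
    proplist = authret.setdefault("proplist", {})
    proplist_save = {}
    # Only act on RADIUS authentications; other methods pass through untouched
    if info.get("auth_method") != "radius":
        return authret, proplist_save
    proplist["prop_autogenerate"] = "true"
    groups = parse_filter_id(info.get("radius_reply") or {})
    group = select_group(groups)
    if group is None:
        # No mapped group: conn_group stays unset and the user gets the
        # server's default settings, which is the safe fall-through here.
        return authret, proplist_save
    proplist["conn_group"] = group
    proplist_save["conn_group"] = group
    return authret, proplist_save


if __name__ == "__main__":
    # Constructed sample: two Filter-Id values, one of them ';'-separated
    sample_info = {
        "auth_method": "radius",
        "radius_reply": {FILTER_ID: ["vpn-staff;vpn-engineering", b" other "]},
    }
    result, saved = post_auth({}, {}, {}, sample_info)
    print("mapped conn_group:", result["proplist"].get("conn_group"), saved)
```

Keep GROUP_PRIORITY ordered from most to least privileged, as the LDAP example does; a user who is in several Okta groups then lands in exactly one Access Server group, and a user in none of the listed groups never triggers an undefined-variable error during login.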