Hi All,
I have been running OpenVPN AS for years now, with RADIUS (and RADIUS post auth script) providing authentication and authorization based on AD Group membership. Now I would like to make our OpenVPN server use Duo instead of Google Auth for its second factor, but I'm running into problems.
According to OpenVPN support, only one post-auth script can be run after the authentication process occurs. In our case, we need both the RADIUS script (for authorization) and the Duo script (for 2FA). I was advised by support to combine both scripts into one in order to achieve the functionality we need.
I have tried taking just the relevant pieces of the RADIUS script and inserting them into the Duo script, and combining both scripts into one, leaving them mostly unchanged. I have also tried calling the Duo function at the end of the RADIUS function (and vice-versa), but either I get the RADIUS functionality, or the Duo functionality, but never both.
I think that the order of operations is crucial here, but I'm not sure how to format a script to evaluate (and variablize) the framed pool value being returned from RADIUS (Microsoft NPS) in order to establish what OpenVPN AS group to put the user into, then hand the process off to Duo for subsequent 2FA operations.
I know it's a long shot, but does anyone here have any experience with these scripts? Below are links to the Duo and OpenVPN-provided scripts for the 2FA and RADIUS functionality, respectively. Thanks in advance for your consideration.
RADIUS Script: https://swupdate.openvpn.org/scripts/po ... mapping.py
Duo Script: https://github.com/duosecurity/duo_open ... nvpn_as.py
Trying to combine two post auth scripts: RADIUS and Duo.
Re: Trying to combine two post auth scripts: RADIUS and Duo.
Hello, I am trying to achieve the same goal with Duo and LDAP group mapping, but combining both into one file does not work for both of the scripts; it only works with Duo, but not the LDAP group mapping. Has anyone done this? Because OpenVPN support says that they do not support custom scripts.
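Added example, not written by either poster and not taken from the OpenVPN or Duo scripts: a sketch of the ordering the thread asks about, with one `post_auth` entry point that runs group mapping first and the second factor only if mapping succeeded, failing closed at each step. In Python, a second `def` with the same name in one file replaces the first, so the two steps are kept as separately named helpers. Assumptions: the `SUCCEED`/`FAIL` values, the `radius_reply` and `Framed-Pool` key names, the `POOL_TO_GROUP` table and the `verify` callable standing in for the Duo check are all hypothetical stand-ins so the sketch runs outside Access Server.

```python
# Stand-ins so the sketch runs offline; in Access Server these constants
# come from pyovpn.plugin. The values here are constructed.
SUCCEED, FAIL = 0, 1

# Hypothetical mapping from a RADIUS Framed-Pool value to an AS group name.
POOL_TO_GROUP = {"vpn-admins": "admins", "vpn-staff": "staff"}


def map_group(authret, info):
    """Step 1 (authorization): turn the RADIUS reply into a conn_group."""
    reply = info.get("radius_reply") or {}        # assumed key name
    pool = reply.get("Framed-Pool")               # assumed key name
    group = POOL_TO_GROUP.get(pool)
    if group is None:
        # Unknown or missing pool: deny instead of falling back to a default.
        authret["status"] = FAIL
        authret["reason"] = "no group mapping for Framed-Pool %r" % (pool,)
        return authret
    authret.setdefault("proplist", {})["conn_group"] = group
    return authret


def second_factor(authcred, authret, verify):
    """Step 2 (2FA): `verify` is a hypothetical wrapper around the Duo check."""
    if not verify(authcred.get("username")):
        authret["status"] = FAIL
        authret["reason"] = "second factor denied"
    # proplist from step 1 is left untouched either way.
    return authret


def post_auth(authcred, attributes, authret, info, verify=lambda user: False):
    """Single entry point; each step runs only if everything before it passed."""
    if authret.get("status") != SUCCEED:
        return authret                 # primary authentication already failed
    authret = map_group(authret, info)
    if authret["status"] != SUCCEED:
        return authret                 # fail closed, never reach 2FA
    return second_factor(authcred, authret, verify)
```

The default `verify` denies every user, so a deployment that forgets to wire in the real second-factor check rejects logins rather than skipping 2FA.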