Description: If you're using JumpCloud as a RADIUS Server with Access Server, you can automate user group mapping between the RADIUS groups in JumpCloud and groups on your Access Server side.
Follow the steps outlined here.
Step 1: Download the post-auth Python script
Begin by downloading the post-auth sample script:
- Sign on to your Access Server via SSH and obtain root privileges (sudo su).
- Download the script:
wget https://swupdate.openvpn.net/scripts/post_auth_radius_mapping.py -O /root/post_auth_radius_mapping.py
Step 2: Load the script
After downloading the script, load it into your Access Server configuration.
- Load the script:
cd /usr/local/openvpn_as/scripts
./sacli --key auth.module.post_auth_script --value_file=/root/post_auth_radius_mapping.py ConfigPut
./sacli start
You've installed the script, and it's ready for use.
If you haven't yet configured your Access Server to use RADIUS authentication, do so before continuing.
Step 3: Automate user group mapping
Now you can dynamically map your JumpCloud groups to your Access Server groups. Once mapped, groups inherit appropriate group permissions, scripts, and access controls.
To map groups:
- Sign on to your JumpCloud admin portal.
- Go to User Management > User Groups.
- Select your JumpCloud RADIUS group.
- Go to the RADIUS tab and click Add new attribute.
- Under RADIUS Attribute Name, enter "Framed-Pool".
- Under RADIUS Attribute Value, enter the name of the group you want to map on the Access Server side. (In our example, we use "Admin".)
- Click Save.
Step 4: Test the RADIUS Script
Use the tips below to test your setup. Ensure that RADIUS is set as the default authentication method; if needed, set it under Authentication > Settings.
Use the authcli tool
Run a test with the authcli tool, where USERNAME and PASSWORD are the LDAP user credentials:
sudo su
cd /usr/local/openvpn_as/scripts/
./authcli --user USERNAME --pass PASSWORD
As an example, suppose we have a JumpCloud RADIUS user, "brandonopenvpn," and a JumpCloud RADIUS group, "Administrators," that we expect to be added and mapped to the Access Server group "Admin."
- Run these commands with the authcli tool:
sudo su
cd /usr/local/openvpn_as/scripts
./authcli --user brandonopenvpn --pass br@nd0n!
- The response shows that it succeeded:
API METHOD: authenticate
AUTH_RETURN
status : SUCCEED
user : brandonopenvpn
reason : RADIUS MS-CHAP2 access accepted
auth method : radius
proplist : {'prop_autogenerate': 'true', 'prop_force_lzo': 'false', 'prop_autologin': 'true', 'prop_deny': 'false', 'prop_superuser': 'false', 'conn_group': 'Admin', 'type': 'user_connect'}
session_id : AS_W6626uvfTH7+0lEg83QYVg==
expire : 1707088828
The output shows the following:
- It succeeded:
status : SUCCEED
- The user was added to the "Admin" group:
'conn_group': 'Admin'
To check user properties, run this command:
./sacli --pfilt <USER_OR_GROUP> UserPropGet
When testing this with the user "brandonopenvpn", here's how it looks:
root@openvpn-access-server-Brandon:/usr/local/openvpn_as/scripts# ./sacli --pfilt brandonopenvpn UserPropGet
{
  "brandonopenvpn": {
    "conn_group": "Admin",
    "type": "user_connect"
  }
}
To check this in the Access Server logs, run this command:
grep "RADIUS-Reply" /var/log/openvpnas.log
Or you can narrow the search to reply lines that set a specific Access Server group (the pattern must not contain literal double quotes, or it will never match the log line):
egrep 'RADIUS-Reply.*Admin' /var/log/openvpnas.log
The log output for user "brandonopenvpn" looks like this:
root@openvpn-access-server-Brandon:/usr/local/openvpn_as/scripts# grep "RADIUS-Reply" /var/log/openvpnas.log
2024-02-04T16:59:35-0500 [stdout#info] ***** RADIUS-Reply: Framed-Pool received, setting OpenVPN Access Server group to: Admin
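As an added example (not part of this article or of the Access Server scripts), the following Python check parses the authcli AUTH_RETURN output and the RADIUS-Reply log lines shown above and confirms that the user landed in the expected group. The sample output and log lines are constructed from the examples on this page; the session_id is a placeholder.

```python
import ast
import re

# Constructed sample of the authcli output shown above (session_id is a placeholder).
AUTHCLI_OUTPUT = """API METHOD: authenticate
AUTH_RETURN
status : SUCCEED
user : brandonopenvpn
reason : RADIUS MS-CHAP2 access accepted
auth method : radius
proplist : {'prop_autogenerate': 'true', 'prop_deny': 'false', 'prop_superuser': 'false', 'conn_group': 'Admin', 'type': 'user_connect'}
session_id : AS_PLACEHOLDER==
expire : 1707088828
"""

# Constructed log lines in the format of the RADIUS-Reply message shown above.
LOG_LINES = [
    "2024-02-04T16:59:35-0500 [stdout#info] ***** RADIUS-Reply: Framed-Pool received, setting OpenVPN Access Server group to: Admin",
    "2024-02-04T16:59:36-0500 [stdout#info] unrelated line",
]

REPLY_RE = re.compile(r"RADIUS-Reply: Framed-Pool received, setting OpenVPN Access Server group to: (\S+)")


def parse_authcli(text):
    """Turn the 'key : value' lines of an AUTH_RETURN block into a dict.
    proplist is printed as a Python dict literal, so it is parsed with ast.literal_eval."""
    fields = {}
    for line in text.splitlines():
        if " : " not in line:
            continue
        key, _, value = line.partition(" : ")
        fields[key.strip()] = value.strip()
    if "proplist" in fields:
        fields["proplist"] = ast.literal_eval(fields["proplist"])
    return fields


def groups_from_log(lines):
    """Return the group names the post-auth script reported setting, in log order."""
    return [m.group(1) for line in lines if (m := REPLY_RE.search(line))]


def check_mapping(authcli_text, log_lines, expected_group):
    """Return a list of problems; an empty list means the mapping worked as expected."""
    problems = []
    auth = parse_authcli(authcli_text)
    props = auth.get("proplist", {})
    if auth.get("status") != "SUCCEED":
        problems.append(f"authentication did not succeed: {auth.get('status')}")
    if props.get("conn_group") != expected_group:
        problems.append(f"conn_group is {props.get('conn_group')!r}, expected {expected_group!r}")
    if props.get("prop_superuser") == "true":
        problems.append("user is flagged superuser; confirm this is intended")
    if expected_group not in groups_from_log(log_lines):
        problems.append(f"no RADIUS-Reply log line set group {expected_group!r}")
    return problems
```

Paste a real authcli run and the output of the grep command above into the two constants to check a live mapping; any mismatch between the group JumpCloud sent in Framed-Pool and conn_group shows up as a problem entry.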
If you have additional questions, please submit a ticket.