FreeRadius Issue

stephenw10

It's a setting the OpenVPN server config.

the other

@alvescaio

There...

But wouldn't that only make sure, that users have their own (common name matching!) certs?

stephenw10

Yes, but otherwise you could have a common cert for all users. Or, as may be happening here, a user could login using a username that doesn't match the user cert.

the other

hey there,
okay, I use openvpn with freeradius and 2fa (otp) as well.

I just tried this:

1. created a testuser
2. gave him his own usercert
3. created a freeradius user for testuser, gave him his own init-secret (not the same one as my main user)
4. I work with pins (additional to otp), gave testuser his own 4-digit pin
5. did not set cn-match active
6. exported vpn-config and imported on android device
   ...
   a) tried with my main user and OTP of testuser....auth failed
   b) tried vice-versa (testuser with OTP from mainuser)...auth failed

So, I cannot really create that problem here on my machine it seems...
Each user has his/her/its own username, usercert AND init-secret for OTP creation. It won't work using user A with OTP from user B here (which is what you want in the 1st place, right?).
So, no clue why it ain't working for you.

Does this criss-crossing of OTPs also work with pfsense's Test Authentication under Diagnostics > Authentication? Here it won't. Each user need his /her own name and OTP...at least that's what my testing showed (hoping I did it right)... ;)

alvescaio

@the-other So gentlemen, I did exactly the process listed above, each user has their own certificate that is created when the user is created, I don't know if there is any way to link the user manager user with the freeradius user. EXAMPLE: when I create user A, and then create a user in freeradius for this user A authentication, I have to do some additional configuration.

the other

@alvescaio I don't think a "link" is necessary...
Use the same name in User Management as in Freeradius User.
In Freeradius no password needs to be set (since you use OTP...and PIN).
Generate the init-secret, chose PIN (if wanted), scan QR-code, import in Auth-app. Then make sure you test under Diagnostics > Auth...should get a green sign with positive result.
Export openvpn cert with external auth, import...should do the trick, I hope.

alvescaio

@the-other I think if something that I dont seeing.

stephenw10

If you set Strict User-CN Matching then the use can only login with a username matching the cert CN. That will be defined in the local users but as long as Freeradius uses the same usernames it will apply the same there. It will fail if they try to login using a different username.

alvescaio

@stephenw10 said in FreeRadius Issue:

If you set Strict User-CN Matching then the use can only login with a username matching the cert CN. That will be defined in the local users but as long as Freeradius uses the same usernames it will apply the same there. It will fail if they try to login using a different username.

hello gentlemen. Exactly that my friend, I made this config to enable strict CN and it started working normally, now I no longer have the problem, really thanks. I was thinking I had found a vulnerability in FreeRadius rs.

stephenw10

Ah, nice.