Netgate Discussion Forum

    Success! I've successfully gotten OpenVPN + PAM + FreeRADIUS authenticating!!

OpenVPN
28 Posts 16 Posters 62.4k Views
• alexb

I am running pfSense 1.2-RELEASE.
I followed the tutorial above, but it looks like I do not have the openvpn-auth-pam.so plugin in /usr/local/lib, and therefore I get the following error:
Mar 17 19:43:12 openvpn[29060]: Exiting
Mar 17 19:43:12 openvpn[29060]: PLUGIN_INIT: could not load plugin shared object /usr/local/lib/openvpn-auth-pam.so: Service unavailable: Too many links (errno=31)
Mar 17 19:43:12 openvpn[29060]: OpenVPN 2.0.6 i386-portbld-freebsd6.2 [SSL] [LZO] built on Sep 13 2007

The tutorial suggests running pkg_add -r openvpn to update to the latest OpenVPN version. I already have OpenVPN 2.0.6, but ran the command anyway, and got an FTP failure error (apparently the file isn't there anymore?):

Error: FTP Unable to get ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-6.2-release/Latest/openvpn.tbz: File unavailable (e.g., file not found, no access)

Is there any way I can get openvpn-auth-pam.so copied over to my pfSense?

Thanks

ALEX

• eureka

        Hi Alexb,
        It looks like you might be running an old version of the 1.2-release. Can you try updating to the 1.2.2x?
        Make a backup of your system, then download the "latest.tgz" and start an update.
        http://updates.pfsense.com/_updaters/

        -E


• alexb

Updating to the 1.2.2 version of pfSense is a little too radical a solution just to include the auth-pam plugin on my system. Updating pfSense would require a lot of testing, which I am not willing to do just to add the PAM plugin. Does anyone have an idea as to:

• Why I do not have the PAM plugin on my system, as opposed to everyone on this thread who was successful

• How I could get the plugin loaded on my system without upgrading my pfSense version?

• gribbler

              I've followed here and got everything installed, the RADIUS auth fails:

              Tue May 19 07:53:39 2009 us=971748 24.80.65.8:51670 ENVP[24] = 'link_mtu=1543'
              Tue May 19 07:53:39 2009 us=971772 24.80.65.8:51670 ENVP[25] = 'dev=tun0'
              AUTH-PAM: BACKGROUND: received command code: 0
              AUTH-PAM: BACKGROUND: USER/PASS: user1/password1
              AUTH-PAM: BACKGROUND: my_conv[0] query='RADIUS Password:' style=1
              AUTH-PAM: BACKGROUND: my_conv[0] query='pam_radius: pam_sm_authenticate: Radius failure
              ' style=3
              AUTH-PAM: BACKGROUND: user 'user1' failed to authenticate: authentication information is unavailable
              Tue May 19 07:53:48 2009 us=975656 x.x.x.x:51670 PLUGIN_CALL: POST /usr/local/lib/openvpn-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1
              Tue May 19 07:53:48 2009 us=975682 x.x.x.x:51670 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /usr/local/lib/openvpn-auth-pam.so
              Tue May 19 07:53:48 2009 us=975706 x.x.x.x:51670 TLS Auth Error: Auth Username/Password verification failed for peer
              Tue May 19 07:53:48 2009 us=975837 MULTI TCP: multi_tcp_post TA_SOCKET_READ_RESIDUAL -> TA_SOCKET_WRITE

              Does a port need to be opened for FreeRADIUS? What else can I do to debug this?

• gribbler

OK, I noticed radiusd was core dumping, and that it was complaining about auth_log, so I commented these lines out:

                #log_auth =
                #log_auth_badpass =
                #log_auth_goodpass =

                Looks good now.

• henry45

I've found a radiusplugin (http://www.nongnu.org/radiusplugin/) for OpenVPN, but it seems to work only on Linux.

My problem is that I would like to limit users with RADIUS (Simultaneous-Use, et cetera), but it doesn't work, because the PAM plugin doesn't send any accounting packets to RADIUS (it works only for AUTH).

Has anyone got it to work on FreeBSD, or have any other clue how to work around this problem?

I'll be running about 3-4 OpenVPN instances, and each OpenVPN server will use the same certs; one client can connect to any server.
The problem is that I don't want one client to connect to four different instances of OpenVPN with the same username/password at the same time. Therefore I must set up RADIUS to work properly with OpenVPN so I can set up a multi-connection limit (not only AUTH).

It would be great to continue using pfSense on these servers.

Best regards,

Henry Parkon

• andrew502
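The accounting gap henry45 describes can be closed from OpenVPN's own connect and disconnect hooks. The script below is an added example, not code from the thread or from pfSense: a client-connect / client-disconnect hook that sends Accounting-Start and Accounting-Stop with radclient from the FreeRADIUS package, so the RADIUS server has the session state a Simultaneous-Use check needs. The accounting host, shared secret, NAS identifier and script path are assumptions; the environment variable names it reads (script_type, username, common_name, trusted_ip, time_unix, time_duration, bytes_received, bytes_sent, ifconfig_pool_remote_ip) are the ones OpenVPN exports to these hooks.

```shell
#!/bin/sh
# OpenVPN client-connect / client-disconnect hook that sends RADIUS
# accounting Start/Stop, so FreeRADIUS can track sessions and enforce
# Simultaneous-Use.  Added example, not from the thread or pfSense:
# openvpn-auth-pam only authenticates, so this fills the accounting gap
# with radclient (shipped with the freeradius port).  Assumed, not from
# the page: the server/secret defaults below and these server directives:
#   script-security 2
#   client-connect    /usr/local/etc/openvpn/acct.sh
#   client-disconnect /usr/local/etc/openvpn/acct.sh
# OpenVPN hands the peer's details to the hook as environment variables.

RADIUS_ACCT=${RADIUS_ACCT:-192.168.100.1:1813}   # assumed accounting host:port
RADIUS_SECRET=${RADIUS_SECRET:-secret}           # assumed shared secret
NAS_ID=${NAS_ID:-pfsense-openvpn}                # assumed NAS-Identifier

# Print the attribute list for one accounting packet in radclient's
# "Attribute = value" form.  $1 is Start or Stop; the values come from
# OpenVPN's environment: username, common_name, trusted_ip, time_unix,
# ifconfig_pool_remote_ip and, on disconnect, time_duration and the
# byte counters.
build_acct_attrs() {
    status=$1
    user=${username:-$common_name}
    # Same id in Start and Stop, so the server can close the right session.
    session_id="${user}:${time_unix}:${trusted_ip}"
    printf 'User-Name = "%s"\n'          "$user"
    printf 'Acct-Status-Type = %s\n'     "$status"
    printf 'Acct-Session-Id = "%s"\n'    "$session_id"
    printf 'NAS-Identifier = "%s"\n'     "$NAS_ID"
    printf 'NAS-Port-Type = Virtual\n'
    printf 'Calling-Station-Id = "%s"\n' "$trusted_ip"
    if [ -n "$ifconfig_pool_remote_ip" ]; then
        printf 'Framed-IP-Address = %s\n' "$ifconfig_pool_remote_ip"
    fi
    if [ "$status" = Stop ]; then
        printf 'Acct-Session-Time = %s\n'  "${time_duration:-0}"
        printf 'Acct-Input-Octets = %s\n'  "${bytes_received:-0}"
        printf 'Acct-Output-Octets = %s\n' "${bytes_sent:-0}"
        printf 'Acct-Terminate-Cause = User-Request\n'
    fi
}

# Map OpenVPN's script_type to the accounting status and send the packet.
# A failed accounting send is logged but never rejects the client: a
# non-zero exit from client-connect would drop the tunnel.
send_acct() {
    case "${script_type:-}" in
        client-connect)    status=Start ;;
        client-disconnect) status=Stop ;;
        *) echo "acct.sh: unexpected script_type '${script_type:-}'" >&2; return 1 ;;
    esac
    build_acct_attrs "$status" \
        | radclient -r 2 -t 3 "$RADIUS_ACCT" acct "$RADIUS_SECRET" >/dev/null 2>&1 \
        || logger -t openvpn-acct "Accounting-$status for ${username:-$common_name} failed"
    return 0
}

# Only act when OpenVPN invoked us; sourcing the file for tests does nothing.
if [ -n "${script_type:-}" ]; then
    send_acct
fi
```

Simultaneous-Use is only enforced if radiusd actually records these sessions (typically radutmp, or an SQL session table fed from the accounting section), so confirm that in radiusd.conf before relying on it. Also remember that a lost Accounting-Stop (OpenVPN killed, hook not run) leaves a stale session that locks the user out until it is cleared, which is why the hook sends a Stop with the byte counters rather than only a Start.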

Just in case anyone else has the issue with the missing PAM plugin, try this:

setenv PACKAGESITE ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-7-stable/Latest/
pkg_add -r openvpn

The first step changes the URL that packages are downloaded from; the second reinstalls OpenVPN, which includes the plugin. I hope that's of use to someone, I spent ages tearing my hair out over it! Works great now though, excellent guide.

• uz

Hi,
I've had problems getting the authentication between the client and the RADIUS server to work. I do not get a login prompt on the client side.
I've followed the instructions as per http://forum.pfsense.org/index.php/topic,4105.0.html

I'm using pfSense 1.2.2.
OpenVPN GUI 1.0.3.
I've reinstalled OpenVPN using "pkg_add -r" and reinstalled FreeRADIUS.

My RADIUS server looks like it's running and shows:

ps ax | grep radi

47602  ??  I      0:00.25 radiusd -s
39020  p0  R+    0:00.00 grep radi

My client can connect without the "plugin" option in the OpenVPN server config page.

My /etc/radius.conf file:

acct 192.168.100.1:1892 secret
auth 192.168.100.1:1892 secret

and my /etc/pam.d/openvpn:

auth    required        pam_radius.so  debug=10
account sufficient      pam_permit.so
session sufficient      pam_permit.so

The errors in openvpn.log are as follows:

Jul 29 14:25:54 gw openvpn[471]: XXX.XXX.XXX.XXX:64045 TLS Error: TLS handshake failed
Jul 29 14:25:54 gw openvpn[471]: 216.40.116.225:64045 Fatal TLS error (check_tls_errors_co), restarting
Jul 29 14:25:59 gw openvpn[471]: Re-using SSL/TLS context
Jul 29 14:25:59 gw openvpn[471]: TCP connection established with XXX.XXX.XXX.XXX:55929
Jul 29 14:25:59 gw openvpn[471]: TCPv4_SERVER link local: [undef]
Jul 29 14:25:59 gw openvpn[471]: TCPv4_SERVER link remote: XXX.XXX.XXX.XXX:55929
Jul 29 14:26:00 gw openvpn[471]: XXX.XXX.XXX.XXX:55929 TLS Error: Auth Username/Password was not provided by peer
Jul 29 14:26:00 gw openvpn[471]: XXX.XXX.XXX.XXX:55929 TLS Error: TLS handshake failed
Jul 29 14:26:00 gw openvpn[471]: XXX.XXX.XXX.XXX:55929 Fatal TLS error (check_tls_errors_co), restarting

Any help is greatly appreciated. Thanks.

• caigeliu

Hi uz, I'm having a problem exactly like yours:

---------------- your log -------------------------
Jul 29 14:26:00 gw openvpn[471]: XXX.XXX.XXX.XXX:55929 TLS Error: Auth Username/Password was not provided by peer
Jul 29 14:26:00 gw openvpn[471]: XXX.XXX.XXX.XXX:55929 TLS Error: TLS handshake failed
Jul 29 14:26:00 gw openvpn[471]: XXX.XXX.XXX.XXX:55929 Fatal TLS error (check_tls_errors_co), restarting
---------------------------------------------------

Would you please let me know how you solved it. Thanks.

Also, I hope anyone can give me some hint to solve it. Thanks.

• Nico37

@caigeliu:

Add this parameter to your client config file (client.ovpn): auth-user-pass
TIP: The file /etc/radius.conf needs to have an empty line after the two lines acct and auth

                          Hope it helps

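The four failure modes in the last several posts (a missing openvpn-auth-pam.so, a mistyped control word in /etc/pam.d/openvpn, a /etc/radius.conf whose last line lacks a newline, and a client config without auth-user-pass) can all be caught before the daemon is started. The script below is an added example, not from the thread or from pfSense: the file paths are arguments, and the sample files it writes to a temporary directory are constructed to mirror the configs posted above, so it runs stand-alone and the check functions can then be pointed at the real files. It also flags RADIUS ports other than the standard 1812/1813 (or the legacy 1645/1646) so you can confirm radiusd really listens on what radius.conf says.

```shell
#!/bin/sh
# Preflight checks for the OpenVPN + openvpn-auth-pam + pam_radius setup
# discussed in this thread.  Added example, not from the thread or pfSense;
# the file paths are arguments, and the sample files at the bottom are
# constructed to mirror the configs posted above.

# 1. The PAM plugin must exist; alexb's PLUGIN_INIT error means it does not.
check_plugin() {
    [ -f "$1" ]
}

# 2. /etc/pam.d/openvpn: each line is "type control module [args]".  The
#    control word must be one PAM accepts, so a "suffient" typo fails here,
#    and at least one auth line is required or nothing authenticates.
check_pam_conf() {
    awk '
        /^[ \t]*(#|$)/ { next }
        NF < 3 { bad++; next }
        $1 !~ /^(auth|account|password|session)$/ { bad++; next }
        $2 !~ /^(required|requisite|sufficient|optional|binding|include)$/ { bad++; next }
        $1 == "auth" { nauth++ }
        END { if (bad > 0 || nauth == 0) exit 1; exit 0 }
    ' "$1"
}

# 3. /etc/radius.conf: "auth|acct host[:port] secret [timeout [retries]]",
#    and the file must end with a newline (Nico37's tip), otherwise the last
#    line is not picked up.  Returns 2 when a port is not 1812/1813 (or the
#    legacy 1645/1646), so you can confirm radiusd really listens there.
check_radius_conf() {
    f=$1
    [ -s "$f" ] && [ -z "$(tail -c 1 "$f")" ] || return 1
    awk '
        /^[ \t]*(#|$)/ { next }
        NF < 3 { bad++; next }
        $1 !~ /^(auth|acct)$/ { bad++; next }
        { n = split($2, h, ":")
          if (n == 2 && h[2] !~ /^(1812|1813|1645|1646)$/) odd++ }
        END { if (bad > 0) exit 1; if (odd > 0) exit 2; exit 0 }
    ' "$f"
}

# 4. Client side: without "auth-user-pass" the server logs
#    "TLS Error: Auth Username/Password was not provided by peer".
check_client_conf() {
    grep -Eq '^[[:space:]]*auth-user-pass([[:space:]]|$)' "$1"
}

# --- constructed samples (mirroring the configs posted in the thread) -----
SAMPLES=$(mktemp -d)
printf 'auth    required pam_radius.so debug=10\naccount suffient pam_permit.so\nsession suffient pam_permit.so\n' > "$SAMPLES/pam_typo"
printf 'auth    required   pam_radius.so debug=10\naccount sufficient pam_permit.so\nsession sufficient pam_permit.so\n' > "$SAMPLES/pam_ok"
printf 'acct 192.168.100.1:1892 secret\nauth 192.168.100.1:1892 secret' > "$SAMPLES/radius_no_newline"
printf 'acct 192.168.100.1:1892 secret\nauth 192.168.100.1:1892 secret\n' > "$SAMPLES/radius_odd_port"
printf 'acct 192.168.100.1:1813 secret\nauth 192.168.100.1:1812 secret\n' > "$SAMPLES/radius_ok"
printf 'client\nremote vpn.example.net 1194\n' > "$SAMPLES/client_no_auth"
printf 'client\nremote vpn.example.net 1194\nauth-user-pass\n' > "$SAMPLES/client_ok"

# Run one check and print its verdict; never aborts, so every line is shown.
report() {
    "$1" "$2"; rc=$?
    case $rc in
        0) s=ok ;;
        2) s="ok (non-standard port, confirm radiusd listens there)" ;;
        *) s=FAIL ;;
    esac
    echo "$1 $(basename "$2"): $s"
}

report check_plugin      /usr/local/lib/openvpn-auth-pam.so
report check_pam_conf    "$SAMPLES/pam_typo"
report check_pam_conf    "$SAMPLES/pam_ok"
report check_radius_conf "$SAMPLES/radius_no_newline"
report check_radius_conf "$SAMPLES/radius_odd_port"
report check_radius_conf "$SAMPLES/radius_ok"
report check_client_conf "$SAMPLES/client_no_auth"
report check_client_conf "$SAMPLES/client_ok"
```

Run it on the firewall as-is to see the sample verdicts, then call the individual functions against /etc/pam.d/openvpn, /etc/radius.conf and the client's .ovpn. The trailing-newline test is the one that is easy to miss by eye, which is why it is checked before the line parser runs.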
                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.