Usernames containing a dot (.) with OpenVPN RADIUS AD
-
I have followed the tutorial for setting up OpenVPN with RADIUS and Active Directory:
http://doc.pfsense.org/index.php/OpenVPN_with_RADIUS_via_Active_Directory
My problem is that the part that explains how to create a user account by creating a certificate says that the descriptive name and common name should be set to the same username the user has in Active Directory… but the usernames contain a period, e.g. ben.golden. When I try to submit the form to create the certificate I get: "The field 'Descriptive name' contains invalid characters."
How can I create a certificate with the correct username?
-
The descriptive name is just cosmetic, I'm not sure why that's restricted.
The common name can contain '.', and that's the only one that really matters for matching the username.
-
I just checked in a fix so it will ignore '.' (and other characters) in the description for future releases.
-
Since posting that I found the PHP script that does the validation, and edited it myself… and it allowed me to add the certificate with the correct username!
I still can't get OpenVPN to work though, after many hours of trying... I've just about given up :(
I followed the how-to to the letter... but this is what I get in the logs. Any ideas?
Jun 12 11:15:44 openvpn[59902]: event_wait : Interrupted system call (code=4)
Jun 12 11:15:44 openvpn[59902]: /usr/local/sbin/ovpn-linkdown ovpns1 1500 1558 192.168.3.1 192.168.3.2 init
Jun 12 11:15:44 openvpn[59902]: SIGTERM[hard,] received, process exiting
Jun 12 11:15:45 openvpn[12538]: OpenVPN 2.2.2 i386-portbld-freebsd8.1 [SSL] [LZO2] [eurephia] built on Apr 2 2013
Jun 12 11:15:45 openvpn[12538]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Jun 12 11:15:45 openvpn[12538]: Control Channel Authentication: using '/var/etc/openvpn/server1.tls-auth' as a OpenVPN static key file
Jun 12 11:15:45 openvpn[12538]: TUN/TAP device /dev/tun1 opened
Jun 12 11:15:45 openvpn[12538]: /sbin/ifconfig ovpns1 192.168.3.1 192.168.3.2 mtu 1500 netmask 255.255.255.255 up
Jun 12 11:15:45 openvpn[12538]: /usr/local/sbin/ovpn-linkup ovpns1 1500 1558 192.168.3.1 192.168.3.2 init
Jun 12 11:15:46 openvpn[13942]: UDPv4 link local (bound): 10.0.5.2:1194
Jun 12 11:15:46 openvpn[13942]: UDPv4 link remote: [undef]
Jun 12 11:15:46 openvpn[13942]: Initialization Sequence Completed
Jun 12 11:16:30 openvpn[13942]: 31.91.146.30:40706 Re-using SSL/TLS context
Jun 12 11:16:30 openvpn[13942]: 31.91.146.30:40706 LZO compression initialized
Jun 12 11:16:32 openvpn[13942]: 31.91.146.30:40706 VERIFY ERROR: depth=0, error=unable to get local issuer certificate: /CN=ben.golden@maskeddomain.com
Jun 12 11:16:32 openvpn[13942]: 31.91.146.30:40706 TLS_ERROR: BIO read tls_read_plaintext error: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
Jun 12 11:16:32 openvpn[13942]: 31.91.146.30:40706 TLS Error: TLS object -> incoming plaintext read error
Jun 12 11:16:32 openvpn[13942]: 31.91.146.30:40706 TLS Error: TLS handshake failed
-
That looks like a certificate verification error, so something in the CA/Cert doesn't match or isn't right between the client and server, or it's invalid in some other way.
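An added example (not from this thread or from pfSense) showing how to check the two things the reply above points at, offline with the openssl CLI: whether a client certificate actually chains to the CA the OpenVPN server trusts, and which CN it carries for the username match. The CAs, the client certificates and the username ben.golden are all constructed here for the demo; it assumes openssl is on PATH.

```shell
#!/bin/sh
# Constructed demo: one CA the server trusts, one it does not, and a client
# cert with a dotted CN issued from each. Nothing here is from the thread.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ca NAME: self-signed CA certificate and key under $WORK.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" -subj "/CN=$1" 2>/dev/null
}

# issue_client CA CLIENT CN: client certificate for CN signed by CA.
issue_client() {
  openssl req -newkey rsa:2048 -nodes -keyout "$WORK/$2.key" \
    -out "$WORK/$2.csr" -subj "/CN=$3" 2>/dev/null
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" \
    -CAcreateserial -days 1 -out "$WORK/$2.crt" 2>/dev/null
}

# check_client_cert CA CLIENT: prints "ok" when the client cert chains to CA,
# otherwise "chain-error", which is the depth=0 VERIFY ERROR seen in the log
# when the client presents a cert the server's CA did not issue.
check_client_cert() {
  if openssl verify -CAfile "$WORK/$1.crt" "$WORK/$2.crt" >/dev/null 2>&1; then
    echo ok
  else
    echo chain-error
  fi
}

# cert_cn CLIENT: the CN the server will compare with the RADIUS/AD username.
cert_cn() {
  openssl x509 -noout -subject -nameopt RFC2253 -in "$WORK/$1.crt" \
    | sed 's/^subject=CN=//'
}

make_ca server-ca
make_ca other-ca
issue_client server-ca good-client ben.golden
issue_client other-ca stray-client ben.golden

check_client_cert server-ca good-client    # ok
check_client_cert server-ca stray-client   # chain-error
cert_cn good-client                        # ben.golden
```

Run the same `openssl verify -CAfile` against the server's CA export and the client's certificate to see which side of the pair is wrong before touching the OpenVPN config.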