Netgate Discussion Forum

    OpenVPN + External RADIUS - Failed auth-user-pass-verify

Category: OpenVPN
8 Posts 2 Posters 2.6k Views
juaromu

      Hi there:

      Just set up pfSense 2.4.3-RELEASE-p1 for OpenVPN, using an external RADIUS server (freeRADIUS) and authenticating against AD.
      Credentials are in the form of user@domain.com because the external RADIUS is acting as a proxy, forwarding requests to other RADIUS depending on domain suffix. The end RADIUS for which the realm is local is part of the windows domain (SAMBA) and authenticates against AD.

      OpenVPN server is configured for TLS+User Auth and I also generated the software package for the client using the utility included in pfSense.

      The Auth is not working and OpenVPN server is throwing message:

WARNING: Failed running command (--auth-user-pass-verify): external program exited with error status: 1
TLS Auth Error: Auth Username/Password verification failed for peer

      However the RADIUS server sends out an Access-Accept after verifying credentials against AD back to the proxyRADIUS who sends it back to pfSense.

If I test same but using Local Database instead, the authentication works and if I change OpenVPN mode to Remote (SSL/TLS) (no user credentials, only client certificate validation) it works as well.

      Content of /var/etc/openvpn/server1.conf:

      dev ovpns1
      verb 3
      dev-type tun
      dev-node /dev/tun1
      writepid /var/run/openvpn_server1.pid
      #user nobody
      #group nobody
      script-security 3
      daemon
      keepalive 10 60
      ping-timer-rem
      persist-tun
      persist-key
      proto tcp4-server
      cipher AES-128-CBC
      auth SHA1
      up /usr/local/sbin/ovpn-linkup
      down /usr/local/sbin/ovpn-linkdown
      client-connect /usr/local/sbin/openvpn.attributes.sh
      client-disconnect /usr/local/sbin/openvpn.attributes.sh
      local 192.168.253.5
      tls-server
      server 10.254.0.0 255.255.0.0
      client-config-dir /var/etc/openvpn-csc/server1
      username-as-common-name
      auth-user-pass-verify "/usr/local/sbin/ovpn_auth_verify user QU5NUyBQT1hZIFJBRElVUw== false server1 8443" via-env
      tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'vpn.auroranetworks.net' 1"
      lport 8443
      management /var/etc/openvpn/server1.sock unix
      push "redirect-gateway def1"
      duplicate-cn
      ca /var/etc/openvpn/server1.ca
      cert /var/etc/openvpn/server1.cert
      key /var/etc/openvpn/server1.key
      dh /etc/dh-parameters.2048
      tls-auth /var/etc/openvpn/server1.tls-auth 0
      ncp-disable
      topology net30

      Has anyone come across same error?
      Thanks
      Juan.

Derelict (LAYER 8 Netgate)

        Is the common name in the certificate exactly the same as the login name used in the RADIUS credentials?

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

juaromu

          Hi Derelict:
          Thanks for the reply.

          No, it is not, and for my setup it shouldn't be.
          Is there any way of disabling auth credentials to match CN in certificate?

          Thanks again

Derelict (LAYER 8 Netgate)

            Yes. There is a checkbox for that in the server config.

            Strict User-CN Matching
            Enforce match When authenticating users, enforce a match between the common name of the client certificate and the username given at login.


juaromu

              Just went back to my config and I had left that box unchecked, so it has to be something different….

Derelict (LAYER 8 Netgate)

                Does RADIUS work in Diagnostics > Authentication?


juaromu

                  That's a good one :-)

                  And this is getting interestingly weird….

                  Again the diagnostics says:

                  The following input errors were detected:

                  Authentication failed.

                  But I see the Access-Accept sent to pfSense:

(41) Login OK: [jromero@mycompany.com/<via Auth-Type = mschap>] (from client proxyRADIUS port 0)
                  (41) Sent Access-Accept Id 194 from 172.16.1.112:1812 to 172.16.1.202:41694 length 0
                  (41)  MS-CHAP2-Success = 0x01533d45314644343531353731423543333133383539304237344136434332443531333232393743433834
                  (41)  MS-MPPE-Recv-Key = 0x7ebecd0cf904ad380ad5308593290a4a
                  (41)  MS-MPPE-Send-Key = 0xeed82017bcf8c371fd8e28604d716213
                  (41)  MS-MPPE-Encryption-Policy = Encryption-Allowed
                  (41)  MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
                  (41)  Proxy-State = 0x313030
                  (41) Finished request
                  Waking up in 4.9 seconds.
                  (41) Cleaning up request packet ID 194 with timestamp +18248

                  I even took a tcpdump on pfSense and the RADIUS message is hitting its WAN interface….

Thinking of trying a different pfSense version....

Derelict (LAYER 8 Netgate)
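When an Access-Accept is visible on the wire but the RADIUS client still reports "Authentication failed", one check a practitioner would make is whether the client accepts the Response Authenticator, which RFC 2865 defines as MD5(Code + ID + Length + RequestAuth + Attributes + Secret): a reply computed with a shared secret that differs from the one the client holds is silently discarded, even though the server logged "Login OK". The code below is an added example and is not from this thread or from pfSense/freeRADIUS; the packet, request authenticator and secrets are constructed, and only the Id 194 and the Proxy-State value 0x313030 are taken from the output above.

```python
import hashlib
import struct

ACCESS_ACCEPT = 2
ATTR_PROXY_STATE = 33  # RFC 2865 attribute type for Proxy-State


def build_response(code, ident, attrs, request_authenticator, secret):
    """Build a RADIUS response the way a server does (RFC 2865 section 3).
    The Response Authenticator covers the header, the Request Authenticator
    from the matching Access-Request, all attributes, and the shared secret."""
    body = b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    auth = hashlib.md5(header + request_authenticator + body + secret).digest()
    return header + auth + body


def verify_response(packet, request_authenticator, secret):
    """Client-side check: recompute the Response Authenticator with the
    client's copy of the secret. A mismatch means the reply is dropped,
    so the user sees a failure even though an Access-Accept arrived."""
    if len(packet) < 20:
        return False
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:] + secret).digest()
    return expected == packet[4:20]


def parse_attributes(packet):
    """Walk the TLV attribute list; stop on a malformed length."""
    attrs, pos = [], 20
    while pos + 2 <= len(packet):
        t, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            break
        attrs.append((t, packet[pos + 2:pos + length]))
        pos += length
    return attrs


# Constructed sample values (not from the thread): the request authenticator the
# NAS would have sent, the secret the server used, and the echoed Proxy-State.
REQUEST_AUTH = bytes(range(16))
SERVER_SECRET = b"correct-secret"
PROXY_STATE = b"100"  # 0x313030 in the freeRADIUS output above


def accept_seen_by_client(client_secret):
    """Returns True only if the client's secret matches the server's."""
    pkt = build_response(ACCESS_ACCEPT, 194, [(ATTR_PROXY_STATE, PROXY_STATE)],
                         REQUEST_AUTH, SERVER_SECRET)
    return verify_response(pkt, REQUEST_AUTH, client_secret)
```

Running `accept_seen_by_client(b"wrong-secret")` reproduces the symptom: a syntactically valid Access-Accept that the client rejects.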

                    Sorry. Don't know about all that microsoft crap.


                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.