EAP-RADIUS with OpenVPN AND Mobile IPsec Problems



  • I updated this thread here:

    https://forum.pfsense.org/index.php?topic=122035.0

    However, I decided to make a new one as I think the heading for a new one is more relevant then the old one.  I'm unable to connect via Mobile IPsec.  I noticed that this occurs when I have both OpenVPN and Mobile IPsec using radius configured.  Even when I have one utilizing one radius server and the other, the second radius server, it still causes this error.

    Here are my logs:

    
    Apr 10 10:43:26	charon		12[IKE] <con1|2> received EAP identity 'user.name'
    Apr 10 10:31:17	charon		08[CFG] <con1|1> sending RADIUS Access-Request to server 'radius_ipsec_1'
    Apr 10 10:31:18	charon		12[MGR] ignoring request with ID 2, already processing
    Apr 10 10:31:19	charon		12[MGR] ignoring request with ID 2, already processing
    Apr 10 10:31:22	charon		12[MGR] ignoring request with ID 2, already processing
    Apr 10 10:31:30	charon		09[MGR] ignoring request with ID 2, already processing
    Apr 10 10:31:32	charon		08[CFG] <con1|1> retransmit 1 of RADIUS Access-Request (timeout: 2.8s)
    Apr 10 10:31:35	charon		08[CFG] <con1|1> retransmit 2 of RADIUS Access-Request (timeout: 3.9s)
    Apr 10 10:31:39	charon		08[CFG] <con1|1> retransmit 3 of RADIUS Access-Request (timeout: 5.5s)
    Apr 10 10:31:44	charon		08[CFG] <con1|1> RADIUS Access-Request timed out after 4 attempts
    Apr 10 10:31:44	charon		08[IKE] <con1|1> initiating EAP_RADIUS method failed
    Apr 10 10:31:44	charon		08[ENC] <con1|1> generating IKE_AUTH response 2 [ EAP/FAIL 
    [/code]
    
    I get this Windows message when connecting:
    
    [code]
    Verifying your sign-in info" followed by "The remote connection was denied because the user name and password combination you provided is not recognized, or the selected authentication protocol is not permitted on the remote access server.
    [/code]
    
    I even tried using Local Database authentication on the OpenVPN server connection.  It failed.  The only way to get IPsec with radius working is to disable the OpenVPN server.
    
    I can only assume that only one VPN configuration can use radius at a single time.  Are there any workarounds to this?</con1|1></con1|1></con1|1></con1|1></con1|1></con1|1></con1|1></con1|2>
    


  • OK, so additional information.  When I have the OpenVPN server disabled, I can perform user diagnostics again radius AND ldap and have it authenticate successfully.  As soon as I enable the OpenVPN server, these authentication diagnostics fail.  Only when I disable the OpenVPN server can I go back to performing diagnostics.  This may be something systemic to OpenVPN or authentication on pfsense in general.



  • OK, so I figured it out.  It was a configuration error on my part, but not with radius.  The problem was this setting in the OpenVPN server configuration:

    
    IPv4 Tunnel Network
    
    

    Essentially, I accidentally put in my internal network into this field instead of an unused subnet for VPN access.  I'm thinking this screwed up communication between OpenVPN/Pfsense to the radius server (Windows AD/NPS).  Basically, I could not get OpenVPN users to authentication over radius so I tested with the local database.  It worked.  I looked at the OpenVPN client and found that it was assigned an address that should be on the internal network, not a VPN address.  That is what lead me to re-review the settings and find the error.  Once adjusted, everything worked.  I can also authenticate to both OpenVPN and Mobile IPsec via radius with both running at the same time.

    I hope this helps someone else.


Log in to reply