Netgate Discussion Forum
    EAP-RADIUS with OpenVPN AND Mobile IPsec Problems

    datdamnmachine:

      I updated this thread here:

      https://forum.pfsense.org/index.php?topic=122035.0

      However, I decided to make a new one as I think the heading for a new one is more relevant than the old one. I'm unable to connect via Mobile IPsec. I noticed that this occurs when I have both OpenVPN and Mobile IPsec using radius configured. Even when I have one utilizing one radius server and the other the second radius server, it still causes this error.

      Here are my logs:

      [code]
      Apr 10 10:43:26	charon		12[IKE] <con1|2> received EAP identity 'user.name'
      Apr 10 10:31:17	charon		08[CFG] <con1|1> sending RADIUS Access-Request to server 'radius_ipsec_1'
      Apr 10 10:31:18	charon		12[MGR] ignoring request with ID 2, already processing
      Apr 10 10:31:19	charon		12[MGR] ignoring request with ID 2, already processing
      Apr 10 10:31:22	charon		12[MGR] ignoring request with ID 2, already processing
      Apr 10 10:31:30	charon		09[MGR] ignoring request with ID 2, already processing
      Apr 10 10:31:32	charon		08[CFG] <con1|1> retransmit 1 of RADIUS Access-Request (timeout: 2.8s)
      Apr 10 10:31:35	charon		08[CFG] <con1|1> retransmit 2 of RADIUS Access-Request (timeout: 3.9s)
      Apr 10 10:31:39	charon		08[CFG] <con1|1> retransmit 3 of RADIUS Access-Request (timeout: 5.5s)
      Apr 10 10:31:44	charon		08[CFG] <con1|1> RADIUS Access-Request timed out after 4 attempts
      Apr 10 10:31:44	charon		08[IKE] <con1|1> initiating EAP_RADIUS method failed
      Apr 10 10:31:44	charon		08[ENC] <con1|1> generating IKE_AUTH response 2 [ EAP/FAIL 
      [/code]

      I get this Windows message when connecting:
      
      [code]
      "Verifying your sign-in info" followed by "The remote connection was denied because the user name and password combination you provided is not recognized, or the selected authentication protocol is not permitted on the remote access server."
      [/code]
      
      I even tried using Local Database authentication on the OpenVPN server connection. It failed. The only way to get IPsec with radius working is to disable the OpenVPN server.

      I can only assume that only one VPN configuration can use radius at a single time. Are there any workarounds to this?
      
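      The log excerpt above is worth reading at the transport level before looking at credentials: charon sends the Access-Request, retransmits it three times, and then reports that it "timed out after 4 attempts", so the RADIUS server never answered at all (an Access-Reject for a wrong password would look different). The following Python script is an added triage example, not code from the poster or from pfSense; it groups charon lines by the `<conN|M>` IKE_SA tag and reports, per connection, which server was queried, how many retransmits occurred and whether the request timed out. The sample log is constructed for the example and modelled on the lines quoted in the post (the second connection, con1|2, is made up to show a request that is still pending).

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the charon lines quoted in the post above.
# con1|2 is invented here to show a connection whose request has not timed out.
SAMPLE_LOG = """\
Apr 10 10:31:17\tcharon\t\t08[CFG] <con1|1> sending RADIUS Access-Request to server 'radius_ipsec_1'
Apr 10 10:31:32\tcharon\t\t08[CFG] <con1|1> retransmit 1 of RADIUS Access-Request (timeout: 2.8s)
Apr 10 10:31:35\tcharon\t\t08[CFG] <con1|1> retransmit 2 of RADIUS Access-Request (timeout: 3.9s)
Apr 10 10:31:39\tcharon\t\t08[CFG] <con1|1> retransmit 3 of RADIUS Access-Request (timeout: 5.5s)
Apr 10 10:31:44\tcharon\t\t08[CFG] <con1|1> RADIUS Access-Request timed out after 4 attempts
Apr 10 10:31:44\tcharon\t\t08[IKE] <con1|1> initiating EAP_RADIUS method failed
Apr 10 10:43:26\tcharon\t\t12[IKE] <con1|2> received EAP identity 'user.name'
Apr 10 10:43:26\tcharon\t\t12[CFG] <con1|2> sending RADIUS Access-Request to server 'radius_ipsec_1'
"""

# Patterns for the message kinds that appear in the post's log.
CONN_RE = re.compile(r"<(con\d+\|\d+)>")
SEND_RE = re.compile(r"sending RADIUS Access-Request to server '([^']+)'")
RETRY_RE = re.compile(r"retransmit (\d+) of RADIUS Access-Request")
TIMEOUT_RE = re.compile(r"RADIUS Access-Request timed out after (\d+) attempts")
EAP_FAIL_RE = re.compile(r"initiating EAP_RADIUS method failed")


def analyze_radius(lines):
    """Group charon lines by IKE_SA tag and summarise each RADIUS exchange.

    Returns {conn_id: {"server", "retransmits", "attempts", "timed_out", "eap_failed"}}.
    """
    state = defaultdict(lambda: {"server": None, "retransmits": 0, "attempts": None,
                                 "timed_out": False, "eap_failed": False})
    for line in lines:
        m = CONN_RE.search(line)
        if not m:
            continue                      # lines without a <con..> tag (e.g. [MGR]) are skipped
        s = state[m.group(1)]
        if (m2 := SEND_RE.search(line)):
            s["server"] = m2.group(1)
        elif (m2 := RETRY_RE.search(line)):
            s["retransmits"] = max(s["retransmits"], int(m2.group(1)))
        elif (m2 := TIMEOUT_RE.search(line)):
            s["timed_out"] = True
            s["attempts"] = int(m2.group(1))
        elif EAP_FAIL_RE.search(line):
            s["eap_failed"] = True
    return dict(state)


def failed_connections(lines):
    """Connection ids whose Access-Request got no reply at all.

    A timeout means the RADIUS server never responded (a reachability or
    shared-secret problem), which is a different fault than an Access-Reject.
    """
    return sorted(c for c, s in analyze_radius(lines).items() if s["timed_out"])


if __name__ == "__main__":
    for conn, s in analyze_radius(SAMPLE_LOG.splitlines()).items():
        verdict = "NO REPLY from server" if s["timed_out"] else "pending or answered"
        print(f"{conn}: server={s['server']} retransmits={s['retransmits']} -> {verdict}")
```

      Run it against `/var/log/ipsec.log` (or the IPsec tab of the pfSense log viewer, copied to a file) to see quickly whether failures are timeouts, which point at the path between the firewall and the RADIUS server rather than at the user's password.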
      datdamnmachine:

        OK, so additional information. When I have the OpenVPN server disabled, I can perform user diagnostics against radius AND ldap and have it authenticate successfully. As soon as I enable the OpenVPN server, these authentication diagnostics fail. Only when I disable the OpenVPN server can I go back to performing diagnostics. This may be something systemic to OpenVPN or authentication on pfsense in general.

        datdamnmachine:

          OK, so I figured it out. It was a configuration error on my part, but not with radius. The problem was this setting in the OpenVPN server configuration:

          [code]
          IPv4 Tunnel Network
          [/code]

          Essentially, I accidentally put my internal network into this field instead of an unused subnet for VPN access. I'm thinking this screwed up communication between OpenVPN/Pfsense and the radius server (Windows AD/NPS). Basically, I could not get OpenVPN users to authenticate over radius, so I tested with the local database. It worked. I looked at the OpenVPN client and found that it was assigned an address that should be on the internal network, not a VPN address. That is what led me to re-review the settings and find the error. Once adjusted, everything worked. I can also authenticate to both OpenVPN and Mobile IPsec via radius with both running at the same time.

          I hope this helps someone else.

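          The root cause in the post is an address-plan conflict: when the OpenVPN tunnel network is the same range as the internal LAN, the firewall's route for that range now points into the tunnel, so traffic for internal hosts, the RADIUS/NPS server included, is sent the wrong way and requests time out. The check below is an added example, not pfSense code or anything the poster wrote; it uses Python's standard `ipaddress` module to flag a tunnel network that overlaps an internal network or another VPN client pool, or that contains a RADIUS server, and to pick a free subnet from a candidate range. All addresses in it (192.168.1.0/24 as the LAN, 192.168.1.10 as the NPS server, 10.8.0.0/16 as the candidate range) are constructed for the example.

```python
import ipaddress


def check_vpn_address_plan(tunnel_net, internal_nets, radius_servers, other_pools=()):
    """Return a list of findings for an OpenVPN 'IPv4 Tunnel Network'; empty means no conflict.

    tunnel_net     - the tunnel network as a CIDR string (the field from the post)
    internal_nets  - CIDR strings of the networks behind the firewall
    radius_servers - IP strings of RADIUS servers (e.g. the Windows NPS host)
    other_pools    - CIDR strings of other VPN client pools, e.g. the Mobile IPsec pool
    """
    findings = []
    tunnel = ipaddress.ip_network(tunnel_net, strict=False)

    # A tunnel range that overlaps the LAN hijacks the route for LAN hosts.
    for n in internal_nets:
        net = ipaddress.ip_network(n, strict=False)
        if tunnel.overlaps(net):
            findings.append(f"tunnel network {tunnel} overlaps internal network {net}")

    # The RADIUS server itself must never sit inside the tunnel range.
    for addr in radius_servers:
        ip = ipaddress.ip_address(addr)
        if ip in tunnel:
            findings.append(f"RADIUS server {ip} lies inside tunnel network {tunnel}")

    # Two VPN client pools sharing addresses cause the same routing ambiguity.
    for p in other_pools:
        pool = ipaddress.ip_network(p, strict=False)
        if tunnel.overlaps(pool):
            findings.append(f"tunnel network {tunnel} overlaps other VPN pool {pool}")

    return findings


def first_free_subnet(candidate_range, taken_nets, prefixlen=24):
    """First /prefixlen subnet of candidate_range that overlaps none of taken_nets (or None)."""
    rng = ipaddress.ip_network(candidate_range, strict=False)
    taken = [ipaddress.ip_network(n, strict=False) for n in taken_nets]
    for sub in rng.subnets(new_prefix=prefixlen):
        if not any(sub.overlaps(t) for t in taken):
            return str(sub)
    return None


if __name__ == "__main__":
    lan = ["192.168.1.0/24"]          # constructed internal network
    nps = ["192.168.1.10"]            # constructed RADIUS (NPS) server address
    ipsec_pool = ["10.9.0.0/24"]      # constructed Mobile IPsec client pool

    # The misconfiguration from the post: tunnel network == internal network.
    for f in check_vpn_address_plan("192.168.1.0/24", lan, nps, ipsec_pool):
        print("PROBLEM:", f)

    # A corrected setting, chosen from a candidate range that avoids everything in use.
    fixed = first_free_subnet("10.8.0.0/16", lan + ipsec_pool)
    print("suggested tunnel network:", fixed)
    print("findings for suggestion:", check_vpn_address_plan(fixed, lan, nps, ipsec_pool))
```

          The same check applies to the Mobile IPsec "Virtual Address Pool": pass it as `tunnel_net` with the OpenVPN range in `other_pools`, so both client pools are verified against the LAN and against each other.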
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.