Openvpn + freeradius - unable to log in into VPN



  • Hi. Today I did an upgrade of my pfSense machine from 2.3.x to 2.4.2, and after this update our OpenVPN + FreeRADIUS has stopped working. Any ideas why?

    I've tried both with existing user logins (both mOTP and plain text password) and with creating NEW user credentials; the result is the same: unable to log in to the VPN.

    I've attached the whole messages I got when running FreeRADIUS in debug mode:
    /usr/local/etc/rc.d/radiusd debug

    Also, on the dashboard, I've noticed under VPN there is always this message when connecting:
    [error] Unable to contact daemon0 Service not running?

    Here is also the output from the Viscosity client connection log:

    vlj 07 1:53:07: State changed to Connecting
    vlj 07 1:53:07: Viscosity Windows 1.7.6 (1540)
    vlj 07 1:53:07: Running on Microsoft Windows 7 Ultimate
    vlj 07 1:53:07: Running on .NET Framework Version 4.5.51209.379893
    vlj 07 1:53:07: Bringing up interface…
    vlj 07 1:53:07: Checking reachability status of connection...
    vlj 07 1:53:07: Connection is reachable. Starting connection attempt.
    vlj 07 1:53:07: OpenVPN 2.4.4 Windows-MSVC [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Dec 19 2017
    vlj 07 1:53:07: library versions: OpenSSL 1.0.2n  7 Dec 2017, LZO 2.09
    vlj 07 1:53:33: WARNING: --ns-cert-type is DEPRECATED.  Use --remote-cert-tls instead.
    vlj 07 1:53:33: TCP/UDP: Preserving recently used remote address: [AF_INET]HIDDENIP:1191
    vlj 07 1:53:33: Attempting to establish TCP connection with [AF_INET]HIDDENIP:1191 [nonblock]
    vlj 07 1:53:34: TCP connection established with [AF_INET]HIDDENIP:1191
    vlj 07 1:53:34: TCP_CLIENT link local (bound): [AF_INET][undef]:0
    vlj 07 1:53:34: TCP_CLIENT link remote: [AF_INET]HIDDENIP:1191
    vlj 07 1:53:34: State changed to Authenticating
    vlj 07 1:53:36: [vpn1_ssl_2017] Peer Connection Initiated with [AF_INET]HIDDENIP:1191
    vlj 07 1:53:37: State changed to Connecting
    vlj 07 1:53:37: AUTH: Received control message: AUTH_FAILED
    vlj 07 1:53:41: SIGUSR1[soft,auth-failure] received, process restarting
    vlj 07 1:53:41: State changed to Connecting
    vlj 07 1:53:42: State changed to Disconnecting
    vlj 07 1:53:42: ERROR: could not read Auth username

    Is there anything else needed?
    vpn_plain_text_pass_freeradius.txt
    vpn_motp_pass_freeradius.txt



  • Any ideas? None of the clients are able to log in to the VPN; we have serious problems with this FreeRADIUS. As a temporary solution, we've switched to the local database as the backend for auth on the VPN server.


  • Rebel Alliance Developer Netgate

    If you're using OTP, edit the RADIUS server entry under System > User Manager, Auth Servers tab and make sure it's set to PAP.

    EDIT: The log says PAP, but make sure the GUI matches. Also the log says the password has unprintable characters. Are you sure your client is sending the correct password?



  • It says PAP indeed, I've checked.

    Unprintable characters are also something that bothers me, because the password from OTP is 6 generated characters and it contains only lower/upper case letters and numbers, not a single special character.

    What I've noticed is that after the 2.3.x upgrade to 2.4.x the FreeRADIUS package was somehow gone: version 2 was used and it was no longer available in the package list. Instead, it was replaced by FreeRADIUS version 3, which I had to install. I guess something went wrong there? Shall I try to completely remove all FreeRADIUS users, their CAs and everything connected with that, and create them from scratch? But I'm not sure if that will work, since I tried to create two completely new users, one with OTP and one with a cleartext password, and in both cases login didn't work (as long as FreeRADIUS was the authentication backend).


  • Rebel Alliance Developer Netgate

    FreeRADIUS 2.x had to be removed because it was no longer supported upstream, it was not in FreeBSD ports anymore, and it had known vulnerabilities. There was no easy way to have pfSense automatically remove 2.x and install 3.x. The configuration is practically identical though; the old settings should be fine.

    I haven't tried mOTP in a while but last time I used it on 2.4 it worked, I use the Google Authenticator OTP option more often and I know it's working fine.

    You might try uninstalling the FreeRADIUS package and then installing it again; don't use the reinstall option, and pay attention to any errors displayed during either the removal or installation step.



  • I'll try to completely remove all users, certs, freeradius and then try to install it from scratch. I will update you with results. Thanks for now.



  • Hi. Little update.

    I've deleted all users under FreeRADIUS and under User Manager, all certs and the package. After that I installed everything back and followed this:
    https://doc.pfsense.org/index.php/Using_OpenVPN_With_FreeRADIUS

    Although it's for FreeRADIUS 2, it seems like it's working for version 3 as well.

    Now, the trick was to use this option, as it says when you edit any user in FreeRADIUS:
    "The RADIUS NAS / Client must use PAP, otherwise the authenticator script cannot use the authentication data."

    After I changed the protocol to PAP on AP radius, I was able to log in with mOTP. With MS-CHAPv2 (or any other) mOTP didn't work; it was throwing errors like:

    Mar 5 09:36:27 radiusd 36203 (0) Login incorrect (Failed retrieving values required to evaluate condition): [test-mislav/<via Auth-Type = mschap>] (from client OpenVPN port 1191)

    The combination MS-CHAPv2 + FreeRADIUS 3 + plain text password was working.

    Thanks for the help.
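
The reason PAP is required for mOTP (and for the cleartext-password case it is not) is visible in what each RADIUS request carries. Only a PAP Access-Request contains the User-Password attribute; an MS-CHAPv2 request carries MS-CHAP-Challenge and MS-CHAP2-Response, which are derived from the NT hash of a password the server must already know, so an authenticator script that has to compute a time-based code and compare it has nothing to compare against. The following is an added illustration, not code from the thread or from the pfSense FreeRADIUS package: it implements the published Mobile-OTP algorithm (first 6 hex characters of MD5 of epoch//10, the 16-hex-digit secret and the PIN) and a minimal dispatcher over two constructed requests. The secret, PIN, user names, request dictionaries and the assumed clock-skew window of 3 steps (30 seconds either way) are all made up for the example.

```python
import hashlib
import hmac

# Constructed credentials for the example (not from the thread): a 16-hex-digit
# mOTP secret plus a numeric PIN for the OTP user, and a static password for
# the cleartext user.
SECRET = "0123456789abcdef"
PIN = "1234"
USERS = {
    "test-mislav": {"type": "motp", "secret": SECRET, "pin": PIN},
    "plain-user": {"type": "password", "password": "correct horse battery"},
}


def motp(secret_hex: str, pin: str, epoch: int) -> str:
    """Mobile-OTP: first 6 hex chars of MD5(str(epoch // 10) + secret + PIN)."""
    msg = f"{epoch // 10}{secret_hex}{pin}".encode()
    return hashlib.md5(msg).hexdigest()[:6]


def verify_motp(secret_hex: str, pin: str, candidate: str, now: int,
                window_steps: int = 3) -> bool:
    """Accept the candidate if it matches any 10-second step within
    +/- window_steps of the server clock (assumed skew tolerance)."""
    for step in range(-window_steps, window_steps + 1):
        expected = motp(secret_hex, pin, now + 10 * step)
        if hmac.compare_digest(expected, candidate):
            return True
    return False


def authenticate(request: dict, users: dict, now: int):
    """Decide an Access-Request the way a script-based authenticator can.

    Returns (accepted, reason). Only a PAP request exposes User-Password;
    anything else (MS-CHAPv2 challenge/response here) cannot be evaluated
    for an OTP user because the server never sees the one-time code."""
    user = users.get(request.get("User-Name"))
    if user is None:
        return False, "unknown user"

    if user["type"] == "motp":
        if "User-Password" not in request:
            return False, "no User-Password attribute: non-PAP request, cannot evaluate OTP"
        ok = verify_motp(user["secret"], user["pin"], request["User-Password"], now)
        return ok, "mOTP ok" if ok else "mOTP mismatch"

    # Static password: PAP compares directly; an MS-CHAPv2 response could be
    # verified from the stored password, which is why that combination works.
    if "User-Password" in request:
        ok = hmac.compare_digest(user["password"], request["User-Password"])
        return ok, "password ok" if ok else "password mismatch"
    if "MS-CHAP2-Response" in request:
        return True, "MS-CHAPv2 verifiable from stored password (verification not shown)"
    return False, "no usable authentication attributes"


if __name__ == "__main__":
    now = 1_520_000_000
    code = motp(SECRET, PIN, now)
    pap = {"User-Name": "test-mislav", "User-Password": code}
    mschap = {"User-Name": "test-mislav",
              "MS-CHAP-Challenge": b"\x00" * 16,
              "MS-CHAP2-Response": b"\x00" * 50}
    print(authenticate(pap, USERS, now))
    print(authenticate(mschap, USERS, now))
```

Two practical consequences follow from this. First, PAP means the OTP crosses the OpenVPN-to-RADIUS leg protected only by the RADIUS shared-secret obfuscation, so that traffic belongs on a trusted management segment (or localhost, as in the pfSense package), even though the client-to-OpenVPN leg is inside TLS. Second, a "Login incorrect (Failed retrieving values required to evaluate condition)" for an OTP user under `Auth-Type = mschap` is exactly the "no User-Password" branch above, not a wrong password.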



  • @mislav:

    I'll try to completely remove all users, certs, freeradius and then try to install it from scratch. I will update you with VPN results. Thanks for now.

    Hi, to remove the freeradius package and any other dependent packages which are no longer needed, you have to use this command: "sudo apt-get remove --auto-remove freeradius"

    Reinstall it afterwards ;)


  • Rebel Alliance Developer Netgate

    @Censor:

    @mislav:

    I'll try to completely remove all users, certs, freeradius and then try to install it from scratch. I will update you with VPN results. Thanks for now.

    Hi, to remove the freeradius package and any other dependant package which are no longer needed you have to use this command "sudo apt-get remove --auto-remove freeradius"

    pfSense is not based on Linux and does not use apt. It uses FreeBSD and pkg.


 

© Copyright 2002 - 2018 Rubicon Communications, LLC | Privacy Policy