    OpenVPN + External RADIUS - Failed auth-user-pass-verify

    • J
      juaromu last edited by

      Hi there:

      Just set up pfSense 2.4.3-RELEASE-p1 for OpenVPN, using an external RADIUS server (freeRADIUS) and authenticating against AD.
      Credentials are in the form of user@domain.com because the external RADIUS is acting as a proxy, forwarding requests to other RADIUS depending on domain suffix. The end RADIUS for which the realm is local is part of the windows domain (SAMBA) and authenticates against AD.

      OpenVPN server is configured for TLS+User Auth and I also generated the software package for the client using the utility included in pfSense.

      Auth is not working and the OpenVPN server is throwing this message:

      WARNING: Failed running command (--auth-user-pass-verify): external program exited with error status: 1
      TLS Auth Error: Auth Username/Password verification failed for peer

      However, the RADIUS server sends out an Access-Accept after verifying the credentials against AD, back to the proxyRADIUS, which sends it back to pfSense.

      If I test the same using the Local Database instead, the authentication works, and if I change the OpenVPN mode to Remote (SSL/TLS) (no user credentials, only client certificate validation) it works as well.

      Content of /var/etc/openvpn/server1.conf:

      dev ovpns1
      verb 3
      dev-type tun
      dev-node /dev/tun1
      writepid /var/run/openvpn_server1.pid
      #user nobody
      #group nobody
      script-security 3
      daemon
      keepalive 10 60
      ping-timer-rem
      persist-tun
      persist-key
      proto tcp4-server
      cipher AES-128-CBC
      auth SHA1
      up /usr/local/sbin/ovpn-linkup
      down /usr/local/sbin/ovpn-linkdown
      client-connect /usr/local/sbin/openvpn.attributes.sh
      client-disconnect /usr/local/sbin/openvpn.attributes.sh
      local 192.168.253.5
      tls-server
      server 10.254.0.0 255.255.0.0
      client-config-dir /var/etc/openvpn-csc/server1
      username-as-common-name
      auth-user-pass-verify "/usr/local/sbin/ovpn_auth_verify user QU5NUyBQT1hZIFJBRElVUw== false server1 8443" via-env
      tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'vpn.auroranetworks.net' 1"
      lport 8443
      management /var/etc/openvpn/server1.sock unix
      push "redirect-gateway def1"
      duplicate-cn
      ca /var/etc/openvpn/server1.ca
      cert /var/etc/openvpn/server1.cert
      key /var/etc/openvpn/server1.key
      dh /etc/dh-parameters.2048
      tls-auth /var/etc/openvpn/server1.tls-auth 0
      ncp-disable
      topology net30

      Has anyone come across the same error?
      Thanks
      Juan.

      • Derelict
        Derelict LAYER 8 Netgate last edited by

        Is the common name in the certificate exactly the same as the login name used in the RADIUS credentials?

        Chattanooga, Tennessee, USA
        The pfSense Book is free of charge!
        DO NOT set a source port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        • J
          juaromu last edited by

          Hi Derelict:
          Thanks for the reply.

          No, it is not, and for my setup it shouldn't be.
          Is there any way of disabling auth credentials to match CN in certificate?

          Thanks again

          • Derelict
            Derelict LAYER 8 Netgate last edited by

            Yes. There is a checkbox for that in the server config.

            Strict User-CN Matching
            Enforce match When authenticating users, enforce a match between the common name of the client certificate and the username given at login.

            • J
              juaromu last edited by

              Just went back to my config and I had left that box unchecked, so it has to be something different...

              • Derelict
                Derelict LAYER 8 Netgate last edited by

                Does RADIUS work in Diagnostics > Authentication?

                • J
                  juaromu last edited by

                  That's a good one :-)

                  And this is getting interestingly weird...

                  Again the diagnostics says:

                  The following input errors were detected:

                  Authentication failed.

                  But I see the Access-Accept sent to pfSense:

                  (41) Login OK: [jromero@mycompany.com/<via auth-type="mschap">] (from client proxyRADIUS port 0)
                  (41) Sent Access-Accept Id 194 from 172.16.1.112:1812 to 172.16.1.202:41694 length 0
                  (41)  MS-CHAP2-Success = 0x01533d45314644343531353731423543333133383539304237344136434332443531333232393743433834
                  (41)  MS-MPPE-Recv-Key = 0x7ebecd0cf904ad380ad5308593290a4a
                  (41)  MS-MPPE-Send-Key = 0xeed82017bcf8c371fd8e28604d716213
                  (41)  MS-MPPE-Encryption-Policy = Encryption-Allowed
                  (41)  MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
                  (41)  Proxy-State = 0x313030
                  (41) Finished request
                  Waking up in 4.9 seconds.
                  (41) Cleaning up request packet ID 194 with timestamp +18248

                  I even took a tcpdump on pfSense and the RADIUS message is hitting its WAN interface...

                  Thinking of trying a different pfSense version...

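An Access-Accept that is visible on the wire can still be treated as a failed authentication by the NAS: RFC 2865 requires a RADIUS client to silently discard any response whose Response Authenticator (MD5 over Code, Identifier, Length, the original Request Authenticator, the attributes and the shared secret) does not validate, so a shared-secret mismatch between the proxy and the client looks exactly like "Authentication failed" on the client while the server logs "Sent Access-Accept". The following script is an added example, not code from this thread or from pfSense or FreeRADIUS; it builds a constructed Access-Request / Access-Accept pair (the identifier 194, the user name and the Proxy-State value 0x313030 are taken from the log above, the secrets and Request Authenticator are made up) and shows the validation a client performs, so the same function can be pointed at bytes pulled out of a tcpdump capture to check which secret the proxy actually signed with.

```python
import hashlib
import hmac
import struct

# RADIUS packet codes and attribute types used here (RFC 2865).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, PROXY_STATE = 1, 33

# Constructed values for the demonstration: a real client uses 16 random
# bytes as the Request Authenticator, and the secrets below are made up.
REQ_AUTH = bytes(range(16))
SECRET_OK = b"constructed-shared-secret"
SECRET_BAD = b"mistyped-shared-secret"


def encode_attrs(attrs):
    """Encode (type, value) pairs as RADIUS TLVs: 1 byte type, 1 byte total length."""
    out = b""
    for attr_type, value in attrs:
        out += struct.pack("!BB", attr_type, len(value) + 2) + value
    return out


def decode_attrs(data):
    """Walk the attribute area, rejecting truncated or zero-length TLVs."""
    attrs, i = [], 0
    while i < len(data):
        attr_type, length = struct.unpack("!BB", data[i:i + 2])
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute at offset %d" % i)
        attrs.append((attr_type, data[i + 2:i + length]))
        i += length
    return attrs


def build_request(ident, request_auth, attrs):
    """Access-Request as sent by the NAS (header + random authenticator + attrs)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body))
    return header + request_auth + body


def build_response(code, ident, request_auth, attrs, secret):
    """Access-Accept/Reject as built by the server: the authenticator field is
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    response_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + response_auth + body


def verify_response(packet, request_auth, secret):
    """Validate a response the way a RADIUS client must before honouring it.
    Returns (valid, code, identifier, attributes)."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("Length field %d does not match %d bytes" % (length, len(packet)))
    if code not in (ACCESS_ACCEPT, ACCESS_REJECT):
        raise ValueError("unexpected response code %d" % code)
    body = packet[20:length]
    expected = hashlib.md5(packet[:4] + request_auth + body + secret).digest()
    valid = hmac.compare_digest(expected, packet[4:20])
    return valid, code, ident, decode_attrs(body)


def demo():
    """Build the constructed exchange and validate the Accept three ways."""
    request = build_request(194, REQ_AUTH, [(USER_NAME, b"jromero@mycompany.com"),
                                            (PROXY_STATE, b"100")])
    accept = build_response(ACCESS_ACCEPT, 194, REQ_AUTH, [(PROXY_STATE, b"100")], SECRET_OK)

    ok, code, ident, attrs = verify_response(accept, REQ_AUTH, SECRET_OK)
    wrong_secret, _, _, _ = verify_response(accept, REQ_AUTH, SECRET_BAD)
    # Flip one bit in the last attribute byte: the authenticator no longer matches.
    tampered = accept[:-1] + bytes([accept[-1] ^ 0x01])
    modified, _, _, _ = verify_response(tampered, REQ_AUTH, SECRET_OK)

    return {
        "request_len": len(request),
        "accept_len": len(accept),
        "accepted": ok and code == ACCESS_ACCEPT,
        "accepted_wrong_secret": wrong_secret,
        "accepted_tampered": modified,
        "ident": ident,
        "attrs": attrs,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-22s %r" % (key, value))
```

To use this against a real capture, pass the raw UDP payload of the Access-Accept as `packet`, the 16-byte authenticator from the matching Access-Request as `request_auth`, and the secret configured on the client side (here pfSense's entry for the proxy); if only the secret the upstream server used makes `verify_response` return `True`, the mismatch is between the proxy and the client, not between the proxy and AD.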
                  • Derelict
                    Derelict LAYER 8 Netgate last edited by

                    Sorry. Don't know about all that microsoft crap.
