OpenVPN + External RADIUS - Failed auth-user-pass-verify



  • Hi there:

    Just set up pfSense 2.4.3-RELEASE-p1 for OpenVPN, using an external RADIUS server (freeRADIUS) and authenticating against AD.
    Credentials are in the form of user@domain.com because the external RADIUS is acting as a proxy, forwarding requests to other RADIUS depending on domain suffix. The end RADIUS for which the realm is local is part of the windows domain (SAMBA) and authenticates against AD.

    OpenVPN server is configured for TLS+User Auth and I also generated the software package for the client using the utility included in pfSense.

    The Auth is not working and OpenVPN server is throwing message:

    WARNING: Failed running command (--auth-user-pass-verify): external program exited with error status: 1
    TLS Auth Error: Auth Username/Password verification failed for peer

    However the RADIUS server sends out an Access-Accept after verifying credentials against AD back to the proxyRADIUS who sends it back to pfSense.

    If I test same but using Local Database instead, the authentication works and if I change OpenVPN mode to Remote (SSL/TLS) (no user credentials, only client certificate validation) it works as well.

    Content of /var/etc/openvpn/server1.conf:

    dev ovpns1
    verb 3
    dev-type tun
    dev-node /dev/tun1
    writepid /var/run/openvpn_server1.pid
    #user nobody
    #group nobody
    script-security 3
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    proto tcp4-server
    cipher AES-128-CBC
    auth SHA1
    up /usr/local/sbin/ovpn-linkup
    down /usr/local/sbin/ovpn-linkdown
    client-connect /usr/local/sbin/openvpn.attributes.sh
    client-disconnect /usr/local/sbin/openvpn.attributes.sh
    local 192.168.253.5
    tls-server
    server 10.254.0.0 255.255.0.0
    client-config-dir /var/etc/openvpn-csc/server1
    username-as-common-name
    auth-user-pass-verify "/usr/local/sbin/ovpn_auth_verify user QU5NUyBQT1hZIFJBRElVUw== false server1 8443" via-env
    tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'vpn.auroranetworks.net' 1"
    lport 8443
    management /var/etc/openvpn/server1.sock unix
    push "redirect-gateway def1"
    duplicate-cn
    ca /var/etc/openvpn/server1.ca
    cert /var/etc/openvpn/server1.cert
    key /var/etc/openvpn/server1.key
    dh /etc/dh-parameters.2048
    tls-auth /var/etc/openvpn/server1.tls-auth 0
    ncp-disable
    topology net30

    Has anyone come across same error?
    Thanks
    Juan.


  • Netgate

    Is the common name in the certificate exactly the same as the login name used in the RADIUS credentials?



  • Hi Derelict:
    Thanks for the reply.

    No, it is not, and for my setup it shouldn't be.
    Is there any way of disabling auth credentials to match CN in certificate?

    Thanks again


  • Netgate

    Yes. There is a checkbox for that in the server config.

    Strict User-CN Matching
    Enforce match: When authenticating users, enforce a match between the common name of the client certificate and the username given at login.



  • Just went back to my config and I had left that box unchecked, so it has to be something different….


  • Netgate

    Does RADIUS work in Diagnostics > Authentication?



  • That's a good one :-)

    And this is getting interestingly weird….

    Again the diagnostics says:

    The following input errors were detected:

    Authentication failed.

    But I see the Access-Accept sent to pfSense:

    (41) Login OK: [jromero@mycompany.com/<via Auth-Type = mschap>] (from client proxyRADIUS port 0)
    (41) Sent Access-Accept Id 194 from 172.16.1.112:1812 to 172.16.1.202:41694 length 0
    (41)  MS-CHAP2-Success = 0x01533d45314644343531353731423543333133383539304237344136434332443531333232393743433834
    (41)  MS-MPPE-Recv-Key = 0x7ebecd0cf904ad380ad5308593290a4a
    (41)  MS-MPPE-Send-Key = 0xeed82017bcf8c371fd8e28604d716213
    (41)  MS-MPPE-Encryption-Policy = Encryption-Allowed
    (41)  MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
    (41)  Proxy-State = 0x313030
    (41) Finished request
    Waking up in 4.9 seconds.
    (41) Cleaning up request packet ID 194 with timestamp +18248

    I even took a tcpdump on pfSense and the RADIUS message is hitting its WAN interface….

    Thinking of trying a different pfSense version....


  • Netgate

    Sorry. Don't know about all that Microsoft crap.