OpenVPN + External RADIUS - Failed auth-user-pass-verify
-
Hi there:
Just set up pfSense 2.4.3-RELEASE-p1 for OpenVPN, using an external RADIUS server (freeRADIUS) and authenticating against AD.
Credentials are in the form of user@domain.com because the external RADIUS is acting as a proxy, forwarding requests to other RADIUS depending on domain suffix. The end RADIUS for which the realm is local is part of the windows domain (SAMBA) and authenticates against AD.
OpenVPN server is configured for TLS+User Auth and I also generated the software package for the client using the utility included in pfSense.
The Auth is not working and OpenVPN server is throwing message:
WARNING: Failed running command (--auth-user-pass-verify): external program exited with error status: 1
TLS Auth Error: Auth Username/Password verification failed for peer
However, the RADIUS server sends out an Access-Accept after verifying credentials against AD back to the proxyRADIUS, which sends it back to pfSense.
If I test the same but using Local Database instead, the authentication works, and if I change OpenVPN mode to Remote (SSL/TLS) (no user credentials, only client certificate validation) it works as well.
Content of /var/etc/openvpn/server1.conf:
dev ovpns1
verb 3
dev-type tun
dev-node /dev/tun1
writepid /var/run/openvpn_server1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto tcp4-server
cipher AES-128-CBC
auth SHA1
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
client-connect /usr/local/sbin/openvpn.attributes.sh
client-disconnect /usr/local/sbin/openvpn.attributes.sh
local 192.168.253.5
tls-server
server 10.254.0.0 255.255.0.0
client-config-dir /var/etc/openvpn-csc/server1
username-as-common-name
auth-user-pass-verify "/usr/local/sbin/ovpn_auth_verify user QU5NUyBQT1hZIFJBRElVUw== false server1 8443" via-env
tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'vpn.auroranetworks.net' 1"
lport 8443
management /var/etc/openvpn/server1.sock unix
push "redirect-gateway def1"
duplicate-cn
ca /var/etc/openvpn/server1.ca
cert /var/etc/openvpn/server1.cert
key /var/etc/openvpn/server1.key
dh /etc/dh-parameters.2048
tls-auth /var/etc/openvpn/server1.tls-auth 0
ncp-disable
topology net30
Has anyone come across the same error?
Thanks
Juan.
-
Is the common name in the certificate exactly the same as the login name used in the RADIUS credentials?
-
Hi Derelict:
Thanks for the reply. No, it is not, and for my setup it shouldn't be.
Is there any way of disabling auth credentials matching the CN in the certificate?
Thanks again
-
Yes. There is a checkbox for that in the server config.
Strict User-CN Matching
Enforce match: When authenticating users, enforce a match between the common name of the client certificate and the username given at login.
-
Just went back to my config and I had left that box unchecked, so it has to be something different….
-
Does RADIUS work in Diagnostics > Authentication?
-
That's a good one :-)
And this is getting interestingly weird….
Again the diagnostics says:
The following input errors were detected:
Authentication failed.
But I see the Access-Accept sent to pfSense:
(41) Login OK: [jromero@mycompany.com/<via auth-type="mschap">] (from client proxyRADIUS port 0)
(41) Sent Access-Accept Id 194 from 172.16.1.112:1812 to 172.16.1.202:41694 length 0
(41) MS-CHAP2-Success = 0x01533d45314644343531353731423543333133383539304237344136434332443531333232393743433834
(41) MS-MPPE-Recv-Key = 0x7ebecd0cf904ad380ad5308593290a4a
(41) MS-MPPE-Send-Key = 0xeed82017bcf8c371fd8e28604d716213
(41) MS-MPPE-Encryption-Policy = Encryption-Allowed
(41) MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(41) Proxy-State = 0x313030
(41) Finished request
Waking up in 4.9 seconds.
(41) Cleaning up request packet ID 194 with timestamp +18248
I even took a tcpdump on pfSense and the RADIUS message is hitting its WAN interface….
Thinking of trying a different pfSense version....
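In the situation described in the post above (server logs an Access-Accept, packet is visible on pfSense's WAN, yet Diagnostics reports "Authentication failed"), one thing a practitioner checks is that the reply actually validates under the shared secret pfSense holds for the proxy. An RFC 2865 client recomputes the Response Authenticator over the reply with its own secret and silently discards a reply that does not match, and from the NAS side a discarded Access-Accept is indistinguishable from a failed login. The following is an added example, not code from the thread, pfSense or FreeRADIUS: it builds an Access-Accept with the Id (194) and Proxy-State (0x313030) values from the log, under constructed shared secrets, and performs the NAS-side check with matching and mismatching secrets.

```python
"""NAS-side validation of a RADIUS Access-Accept (added example, not pfSense code).

Response Authenticator, RFC 2865 section 3:
    MD5(Code + ID + Length + RequestAuthenticator + Attributes + Secret)
Packet ID and Proxy-State value are taken from the thread's FreeRADIUS log;
the request authenticator and both secrets are constructed for the example.
"""
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
ATTR_PROXY_STATE = 33
HEADER_LEN = 20  # code(1) + id(1) + length(2) + authenticator(16)


def encode_attrs(attrs):
    """Encode [(type, value_bytes), ...] as RADIUS TLVs; length covers type+len+value."""
    out = b""
    for attr_type, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", attr_type, len(value) + 2) + value
    return out


def decode_attrs(data):
    """Walk the TLV list, rejecting truncated or zero-length entries."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute length")
        attrs.append((attr_type, data[i + 2:i + length]))
        i += length
    return attrs


def response_authenticator(code, ident, request_auth, attr_bytes, secret):
    header = struct.pack("!BBH", code, ident, HEADER_LEN + len(attr_bytes))
    return hashlib.md5(header + request_auth + attr_bytes + secret).digest()


def build_response(code, ident, request_auth, attrs, secret):
    """What the RADIUS server (or proxy) sends back, authenticated with *its* secret."""
    attr_bytes = encode_attrs(attrs)
    auth = response_authenticator(code, ident, request_auth, attr_bytes, secret)
    return struct.pack("!BBH", code, ident, HEADER_LEN + len(attr_bytes)) + auth + attr_bytes


def verify_response(packet, request_auth, secret):
    """NAS-side check. Returns (code, id, attrs), or None if the reply must be dropped."""
    if len(packet) < HEADER_LEN:
        return None
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < HEADER_LEN or length > len(packet):
        return None  # length field inconsistent with what arrived
    attr_bytes = packet[HEADER_LEN:length]  # bytes past Length are padding, ignored
    expected = response_authenticator(code, ident, request_auth, attr_bytes, secret)
    if not hmac.compare_digest(packet[4:HEADER_LEN], expected):
        return None  # secret mismatch or tampered reply: RFC 2865 says discard silently
    return code, ident, decode_attrs(attr_bytes)


def demo(server_secret=b"constructed-proxy-secret", nas_secret=b"constructed-proxy-secret"):
    """Simulate one exchange; True if the NAS would accept the Access-Accept."""
    request_auth = bytes(range(16))  # constructed; a real NAS uses 16 random bytes
    reply = build_response(
        ACCESS_ACCEPT, 194, request_auth,
        [(ATTR_PROXY_STATE, bytes.fromhex("313030"))],  # Id and Proxy-State from the log
        server_secret,
    )
    return verify_response(reply, request_auth, nas_secret) is not None


if __name__ == "__main__":
    print("matching secrets:", demo())
    print("secret mismatch :", demo(nas_secret=b"different-secret-on-pfsense"))
```

When the proxy's client entry for pfSense and the RADIUS server entry in pfSense disagree on the secret, the server-side log still shows "Sent Access-Accept" and the packet still shows up in tcpdump; only the NAS-side authenticator check fails, which is why comparing the two secrets is worth doing before swapping pfSense versions.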
-
Sorry. Don't know about all that Microsoft crap.