OpenVPN + External RADIUS - Failed auth-user-pass-verify
Just set up pfSense 2.4.3-RELEASE-p1 for OpenVPN, using an external RADIUS server (freeRADIUS) and authenticating against AD.
Credentials are in the form firstname.lastname@example.org because the external RADIUS is acting as a proxy, forwarding requests to other RADIUS servers depending on the domain suffix. The end RADIUS, for which the realm is local, is part of the Windows domain (Samba) and authenticates against AD.
OpenVPN server is configured for TLS+User Auth and I also generated the software package for the client using the utility included in pfSense.
The auth is not working and the OpenVPN server is throwing this message:
WARNING: Failed running command (--auth-user-pass-verify): external program exited with error status: 1
TLS Auth Error: Auth Username/Password verification failed for peer
However, the RADIUS server sends out an Access-Accept, after verifying the credentials against AD, back to proxyRADIUS, which sends it back to pfSense.
If I test the same using the Local Database instead, the authentication works, and if I change the OpenVPN mode to Remote (SSL/TLS) (no user credentials, only client certificate validation) it works as well.
Content of /var/etc/openvpn/server1.conf:
# ping every 10 s, restart the tunnel after 60 s of silence
keepalive 10 60
server 10.254.0.0 255.255.0.0
# credentials are handed to the script through the environment (via-env);
# the script's exit status decides accept (0) or reject (non-zero)
auth-user-pass-verify "/usr/local/sbin/ovpn_auth_verify user QU5NUyBQT1hZIFJBRElVUw== false server1 8443" via-env
# run once per certificate in the client's chain
tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'vpn.auroranetworks.net' 1"
management /var/etc/openvpn/server1.sock unix
# send all client traffic through the tunnel
push "redirect-gateway def1"
# HMAC on the control channel; 0 = server key direction
tls-auth /var/etc/openvpn/server1.tls-auth 0
Has anyone come across same error?
Is the common name in the certificate exactly the same as the login name used in the RADIUS credentials?
Thanks for the reply.
No, it is not, and for my setup it shouldn't be.
Is there any way of disabling auth credentials to match CN in certificate?
Yes. There is a checkbox for that in the server config.
Strict User-CN Matching
Enforce match When authenticating users, enforce a match between the common name of the client certificate and the username given at login.
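An added example, written for this page and not pfSense's ovpn_auth_verify script: the shape of an OpenVPN --auth-user-pass-verify program run with via-env, including the optional username/CN match that the "Strict User-CN Matching" checkbox above turns on. With via-env OpenVPN exports the login as the environment variables `username` and `password` (passing the password this way needs `script-security 3`) and the client certificate's subject CN as `common_name`; exit status 0 accepts the user and any other status rejects, which is what produces the "external program exited with error status" warning. The credential backend here is a constructed stand-in where a real script would query RADIUS; the user and password are made-up test values.

```python
"""Minimal OpenVPN auth-user-pass-verify (via-env) script, added example."""
import os
import sys
from typing import Callable, Mapping


def cn_matches(username: str, common_name: str) -> bool:
    """Strict match as the pfSense option describes it: identical strings."""
    return username == common_name


def verify(env: Mapping[str, str],
           check_creds: Callable[[str, str], bool],
           strict_cn: bool) -> int:
    """Return the exit status OpenVPN should see: 0 accept, 1 reject."""
    user = env.get("username", "")
    pw = env.get("password", "")
    cn = env.get("common_name", "")
    if not user or not pw:
        # Nothing to check: OpenVPN did not pass credentials (e.g. via-env
        # without script-security 3, or via-file mode). Fail closed.
        return 1
    if strict_cn and not cn_matches(user, cn):
        # Certificate CN does not equal the login name; reject before
        # contacting the backend at all.
        return 1
    return 0 if check_creds(user, pw) else 1


# Constructed stand-in for the real backend (RADIUS in the thread).
FAKE_USERS = {"firstname.lastname@example.org": "constructed-pw"}


def fake_backend(user: str, pw: str) -> bool:
    return FAKE_USERS.get(user) == pw


if __name__ == "__main__":
    # Usage from openvpn.conf (hypothetical path):
    #   auth-user-pass-verify "/usr/local/sbin/verify.py true" via-env
    strict = len(sys.argv) > 1 and sys.argv[1] == "true"
    sys.exit(verify(os.environ, fake_backend, strict_cn=strict))
```

The point of the second early return is the behaviour described in the thread: with strict matching enabled, a user whose certificate CN is a device name rather than the RADIUS login name is rejected by the script itself, with exit status 1, before the RADIUS server is ever asked.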
Just went back to my config and I had left that box unchecked, so it has to be something different….
Does RADIUS work in Diagnostics > Authentication?
That's a good one :-)
And this is getting interestingly weird….
Again the diagnostics says:
The following input errors were detected:
But I see the Access-Accept sent to pfSense:
(41) Login OK: [email@example.com/<via Auth-Type = mschap>] (from client proxyRADIUS port 0)
(41) Sent Access-Accept Id 194 from 172.16.1.112:1812 to 172.16.1.202:41694 length 0
(41) MS-CHAP2-Success = 0x01533d45314644343531353731423543333133383539304237344136434332443531333232393743433834
(41) MS-MPPE-Recv-Key = 0x7ebecd0cf904ad380ad5308593290a4a
(41) MS-MPPE-Send-Key = 0xeed82017bcf8c371fd8e28604d716213
(41) MS-MPPE-Encryption-Policy = Encryption-Allowed
(41) MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(41) Proxy-State = 0x313030
(41) Finished request
Waking up in 4.9 seconds.
(41) Cleaning up request packet ID 194 with timestamp +18248
I even took a tcpdump on pfSense and the RADIUS message is hitting its WAN interface….
Thinking of trying a different pfSense version....
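An added example, not from the thread and not pfSense or FreeRADIUS code: a minimal Python model of the RFC 2865 exchange between a NAS and a RADIUS server, with the Response Authenticator check a NAS performs before it trusts an Access-Accept. It illustrates one general RADIUS behaviour worth keeping in mind when reading a server log like the one above: the server logs "Sent Access-Accept" the moment it transmits the reply, but the NAS recomputes MD5(Code + ID + Length + RequestAuthenticator + Attributes + Secret) with its own copy of the shared secret and silently discards any reply that does not match, so a secret mismatch on the last hop (here between the proxy and pfSense) shows up as an accept on the server and a failure on the client. Whether that is the cause in this thread is not established here; usernames, passwords and secrets below are constructed test values, and PAP is used for brevity where the log shows MS-CHAPv2.

```python
"""RFC 2865 PAP request, reply and NAS-side reply verification (added example)."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, REPLY_MESSAGE = 1, 2, 18


def attr(atype, value):
    """Encode one attribute as Type, Length (header included), Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, 2 + len(value)) + value


def parse_attrs(body):
    """Walk the TLV list, refusing lengths that would run past the packet."""
    out, i = [], 0
    while i < len(body):
        if i + 2 > len(body):
            raise ValueError("truncated attribute header")
        atype, alen = body[i], body[i + 1]
        if alen < 2 or i + alen > len(body):
            raise ValueError("bad attribute length")
        out.append((atype, body[i + 2:i + alen]))
        i += alen
    return out


def pap_hide(password, secret, req_auth):
    """RFC 2865 5.2: XOR 16-byte blocks with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def pap_reveal(hidden, secret, req_auth):
    """Server side inverse of pap_hide; trailing NUL padding is stripped."""
    plain, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        plain += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return plain.rstrip(b"\x00")


def access_request(ident, user, pw, secret, req_auth):
    """NAS side: Request Authenticator is random, password hidden with the secret."""
    body = attr(USER_NAME, user.encode()) + \
        attr(USER_PASSWORD, pap_hide(pw.encode(), secret, req_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + req_auth + body


def response(code, ident, attrs, req_auth, secret):
    """Server side: ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + req_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(packet, ident, req_auth, secret):
    """NAS side: return the code if the reply is authentic, None if it must be discarded."""
    if len(packet) < 20:
        return None
    code, pkt_id, length = struct.unpack("!BBH", packet[:4])
    if pkt_id != ident or length < 20 or length > len(packet):
        return None
    attrs = packet[20:length]  # bytes past Length are padding per the RFC
    expected = hashlib.md5(packet[:4] + req_auth + attrs + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        return None  # wrong secret or tampered reply: silently dropped
    parse_attrs(attrs)  # raise on malformed TLVs rather than trusting them
    return code


def simulate(nas_secret, server_secret):
    """Full round trip; NAS and server may hold different secrets."""
    ident, req_auth = 194, os.urandom(16)  # 194 is the Id seen in the log above
    req = access_request(ident, "firstname.lastname@example.org",
                         "constructed-pw", nas_secret, req_auth)
    attrs = dict(parse_attrs(req[20:]))
    ok = pap_reveal(attrs[USER_PASSWORD], server_secret, req_auth) == b"constructed-pw"
    code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    reply = response(code, ident, attr(REPLY_MESSAGE, b"ok" if ok else b"denied"),
                     req_auth, server_secret)
    return verify_response(reply, ident, req_auth, nas_secret)


def accept_seen_by_nas(signing_secret, nas_secret):
    """Server transmits a genuine Access-Accept; does the NAS accept it?"""
    ident, req_auth = 194, os.urandom(16)
    reply = response(ACCESS_ACCEPT, ident, attr(REPLY_MESSAGE, b"ok"), req_auth, signing_secret)
    return verify_response(reply, ident, req_auth, nas_secret)
```

accept_seen_by_nas is the case that matches the symptom pattern in the log: the server's own log would say "Sent Access-Accept" either way, but only when both sides hold the same secret does verify_response return ACCESS_ACCEPT; otherwise the NAS drops the packet without any reply to the server, and the client side reports an authentication failure. A tcpdump on the NAS shows the packet arriving in both cases, exactly as the thread observes, so seeing the packet on the wire does not by itself show that it was accepted.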
Sorry. Don't know about all that microsoft crap.