Netgate Discussion Forum
    Authentication fails after removing old domain controller

    OpenVPN
    4 Posts 2 Posters 550 Views
      pontush

      Hi all.

      We've decommissioned our old primary domain controller (.11) after replacing it with two new domain controllers (.37 and .32). When we removed the old one, authenticating through OpenVPN stopped working.
      In OpenVPN, our new DC ("DC01"), which is a RADIUS server, is listed as an authentication server, and the old one has been removed. I've also checked that the DNS servers used by pfSense are the new servers.
      When doing a DNS lookup on DC01, pfSense cannot resolve the host name to an IP address, regardless of whether I use the FQDN.

      Any ideas on how this can be resolved?

      Thanks in advance,

      Pontus

        heper

        By fixing your DNS server/entries on DC01?
        pfSense has very little to do with your Windows DNS server being unable to resolve addresses... or am I missing something?

          pontush

          I might have been a bit unclear: it's when I do a DNS lookup within pfSense that the entry "DC01" cannot be resolved. It's like pfSense is not using the DNS server assigned to it.
          If relevant, the error messages in the OpenVPN section of the pfSense logs are the following:
          X.Y.Z.W:Q WARNING: Failed running command (--auth-user-pass-verify): external program exited with error status: 1
          X.Y.Z.W:Q TLS Auth Error: Auth Username/Password verification failed for peer
          X.Y.Z.W:Q WARNING: cipher with small block size in use, reducing reneg-bytes to 64MB to mitigate SWEET32 attacks.
          X.Y.Z.W:Q Peer Connection Initiated with [AF_INET] X.Y.Z.W:Q

          Thanks again,

          Pontus

            pontush

            I also find this under Status / System Logs / System / DNS Resolver:
            using nameserver X.Y.Z.11#53 for domain qwerty.se

            .11 = the old DC that is out of the picture. This should be .37.
            Looking at Services / DNS Resolver / General Settings, .37 is set in the domain override for qwerty.se (the internal domain).

            Pontus

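The last post shows the failure mode: the Resolver log says unbound is still forwarding qwerty.se to the retired DC (.11), so the RADIUS server name DC01 never resolves and the OpenVPN auth-user-pass-verify step exits with status 1. The script below is an added example, not code from the thread or from pfSense. It audits the forward-zone blocks that the pfSense DNS Resolver (unbound) renders from its Domain Overrides, and log lines of the same shape as the one quoted above, for nameservers that have been decommissioned. The 10.0.0.x addresses, the corp.example zone, the syslog prefix and the retired-server list are constructed for the demonstration; on pfSense the rendered config is commonly /var/unbound/unbound.conf (verify on your install).

```shell
#!/bin/sh
# Added example (not code from the thread or from pfSense). Audits unbound forward-zone
# blocks (pfSense "Domain Overrides") and DNS Resolver log lines for forwarders that
# point at a decommissioned nameserver. Sample data below is constructed.
# On pfSense the live config is commonly /var/unbound/unbound.conf (check your install).

# Constructed sample config: one override still pointing at the retired DC (.11).
SAMPLE_UNBOUND_CONF='
server:
  interface: 127.0.0.1
forward-zone:
  name: "qwerty.se"
  forward-addr: 10.0.0.11
forward-zone:
  name: "corp.example"
  forward-addr: 10.0.0.37
  forward-addr: 10.0.0.32
'

# Constructed sample Resolver log lines (same shape as the line quoted in the thread).
SAMPLE_RESOLVER_LOG='
Mar 3 10:15:02 pfSense unbound[1234]: [1234:0] info: using nameserver 10.0.0.11#53 for domain qwerty.se.
Mar 3 10:15:03 pfSense unbound[1234]: [1234:0] info: using nameserver 10.0.0.37#53 for domain corp.example.
'

# Decommissioned nameservers, space separated (constructed: the old DC from the thread).
RETIRED_DCS="10.0.0.11"

# Emit "zone addr" pairs for every forward-addr in unbound config text.
forward_pairs() {
  printf '%s\n' "$1" | awk '
    /^forward-zone:/             { zone = "" }
    /^[[:space:]]*name:/         { gsub(/"/, "", $2); zone = $2 }
    /^[[:space:]]*forward-addr:/ { print zone, $2 }
  '
}

# Emit "zone addr" pairs from "using nameserver A#port for domain Z" log lines.
log_pairs() {
  printf '%s\n' "$1" | awk '
    /using nameserver .* for domain / {
      zone = ""; addr = ""
      for (i = 1; i <= NF; i++) {
        if ($i == "nameserver") { split($(i + 1), a, "#"); addr = a[1] }
        if ($i == "domain")     { zone = $(i + 1); sub(/\.$/, "", zone) }
      }
      print zone, addr
    }
  '
}

# Read "zone addr" pairs on stdin; pass through only those whose addr is retired.
flag_stale() {
  retired="$1"
  while read -r zone addr; do
    case " $retired " in
      *" $addr "*) echo "$zone $addr" ;;
    esac
  done
}

# Overrides in the config that still forward to a retired server.
stale_in_conf() { forward_pairs "$1" | flag_stale "$2"; }
# Log entries showing unbound actually used a retired server for a zone.
stale_in_log()  { log_pairs "$1" | flag_stale "$2"; }

echo "Domain Overrides still forwarding to a retired DC:"
stale_in_conf "$SAMPLE_UNBOUND_CONF" "$RETIRED_DCS"
echo "Resolver log entries that used a retired DC:"
stale_in_log "$SAMPLE_RESOLVER_LOG" "$RETIRED_DCS"
```

Run against the real config and a copy of the Resolver log, the two lists should agree; a zone that appears only in the log output means the running unbound has not picked up an override change yet. On the pfSense box itself, `drill dc01.qwerty.se @127.0.0.1` (hostname from the thread) from Diagnostics / Command Prompt confirms whether the Resolver can answer for the override once it is corrected.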
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.