User 'XXX' could not authenticate every 1 hour.
-
I have a number of users that recently need to work from home via OpenVPN to the office. However, they report that every one hour they have to authenticate again. I am using FreeRadius package with Google Authenticator.
When I look at the OpenVPN log, almost every hour, there were:
user 'XXXX' could not authenticate.
XXXX/119.247.xxx.xxx:1194 TLS Error: local/remote TLS keys are out of sync
XXXX/119.247.xxx.xxx:1194 [XXXX] Inactivity timeout (--ping-restart), restartingThen users have to re-authenticate again.
I could not find any setting in OpenVPN that are related to this 3600 sec interval. In the user setting in FreeRadius, there was a SESSION TIMEOUT parameter that I have left blank.
Where in pfSense can I get rid of this disturbing timeout?
-
@bchan said in User 'XXX' could not authenticate every 1 hour.:
TLS Error: local/remote TLS keys are out of sync
advanced configuration / custom option
"reneg-sec 36000" in server
"reneg-sec 0" in client
-
@kiokoman said in User 'XXX' could not authenticate every 1 hour.:
"reneg-sec 36000"
Thank you for your response.
When I put "reneg-sec 36000" in the custom option for OpenVPN (server), the server cannot start with this error:
Options error: Unrecognized option or missing or extra parameter(s) in /var/etc/openvpn/server2.conf:40: reneg-sec 36000 (2.4.6) ?
Furthermore, I noticed that before the "XXXX could not authenticate", there was an entry in the system log saying:
googleauth.py freeRADIUS: Google Authenticator - Authentication failed. User: XXXXX, Reason: wrong tokencodeIt seems that the problem laid in the freeRADIUS as it tried to call the googleauth.py with old OTP every 3600 sec.
-
without quotes
reference
https://forum.netgate.com/topic/113174/tls-error-local-remote-tls-keys-are-out-of-sync
https://forum.pfsense.org/index.php?topic=127601.0
-
@kiokoman Oh my bad!
I am trying this out....
-
@kiokoman It works. Thanks
