OpenVPN + AD: Authentication failed
Floh
I'm trying to use RADIUS with Active Directory (Windows Server 2008 R2), but OpenVPN is still not working.
Here we're using pfSense 2.0.3 and the OpenVPN client exported from pfSense. Authentication (Remote Access (SSL/TLS + User Auth)) is not working yet. But if I change the server mode to Remote Access (SSL/TLS), then everything is fine. Here is the syslog of pfSense:
Jul 10 14:14:23 openvpn: 192.168.1.44:1194 Re-using SSL/TLS context
Jul 10 14:14:23 openvpn: 192.168.1.44:1194 LZO compression initialized
Jul 10 14:14:24 openvpn: user f.erfurth could not authenticate.
Jul 10 14:14:24 openvpn: 192.168.1.44:1194 WARNING: Failed running command (--auth-user-pass-verify): external program exited with error status: 255
Jul 10 14:14:24 openvpn: 192.168.1.44:1194 TLS Auth Error: Auth Username/Password verification failed for peer
Jul 10 14:14:24 openvpn: 192.168.1.44:1194 [f.erfurth] Peer Connection Initiated with 192.168.1.44:1194
So I see an error: "WARNING: Failed running command (--auth-user-pass-verify): external program exited with error status: 255"
Unfortunately I dunno why it went wrong and what error status 255 means. And what exactly is the "external program"?
This is my OpenVPN client configuration:
dev tun
persist-tun
persist-key
cipher AES-128-CBC
tls-client
client
resolv-retry infinite
remote *******.*******.*** 1194 udp
tls-remote ****.******.*****
auth-user-pass
auth-nocache
pkcs12 **********.p12
tls-auth **********.key 1
comp-lzo
I hope you can help me plz. Maybe a hint where to look in the logs. I dunno where the logs for RADIUS are (on the Windows side). :-O
Thank you in advance.
doktornotor (Banned)
Make sure you have used IP address, not FQDN for the RADIUS server.
tbrummell
I just set this up today, albeit on Server 2003, did you configure the Radius backend properly? Did you enable a remote connection profile in AD? Did you read the '08 Server Event Logs?
Look in the main system log on pfSense also. And try Diag > Authentication to see if you can authenticate there.
The server auth logs and a packet capture of the RADIUS login attempt would both be helpful for you to look at.
Odds are it's an NPS config issue, or the account doesn't have Dial-In permission set.
golden.zhang
I have this problem now: OpenVPN auth by AD authentication gives the same error! But when RADIUS was installed on Windows 2003, it was successful!
Now, with RADIUS installed on Windows 2008 R2, authentication fails!
openvpn: WARNING: Failed running command (--auth-user-pass-verify): external program exited with error status: 255
Apr 2 13:57:20 openvpn: TLS Auth Error: Auth Username/Password verification failed for peer
Windows 2008 R2 log:
Network Policy Server denied access to a user.
Contact the Network Policy Server administrator for more information.
Security ID: WONGS-SJ\Golden.Zhang
Account Name: golden.zhang
Account Domain: WONGS-SJ
Fully Qualified Account Name: wongs-sj.com/ShaJin/MIS/Zhang Golden
Security ID: NULL SID
Account Name: -
Fully Qualified Account Name: -
Called Station Identifier: -
Calling Station Identifier: -
NAS IPv4 Address: 10.0.101.1
NAS IPv6 Address: -
NAS Identifier: backfw164.localdomain
NAS Port-Type: -
NAS Port: -
Client Friendly Name: VPN
Client IP Address: 188.8.131.52
Connection Request Policy Name: Use Windows authentication for all users
Network Policy Name: VPN
Authentication Provider: Windows
Authentication Type: PAP
EAP Type: -
Account Session Identifier: -
Logging Results: Accounting information was written to the local log file.
Reason Code: 66
Reason: The user attempted to use an authentication method that is not enabled on the matching network policy.
That's a very clear error message. Fix your network policy on the Windows server. It's a problem there, not a problem with pfSense.
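The two sides of this failure (OpenVPN only reports that its auth-user-pass-verify program exited non-zero, while NPS logs the actual reason code) are easiest to line up with a small triage script. The following is an added example, not pfSense's, OpenVPN's or NPS's own code: it parses the pfSense syslog lines and the NPS "denied access" event quoted in this thread (both samples below are constructed from those excerpts), and maps reason code 66 (from this thread) and reason code 65 (the standard NPS code for a user whose dial-in Network Access Permission is set to deny, which is the other cause raised above) to where the fix belongs.

```python
"""Triage helper for OpenVPN user-auth failures backed by RADIUS/NPS.

Added example; not part of pfSense or OpenVPN. Sample inputs are constructed
from the log excerpts quoted in the thread.
"""
import re

# Constructed sample: pfSense syslog excerpt, one entry per line.
OPENVPN_LOG = """\
Jul 10 14:14:23 openvpn: 192.168.1.44:1194 Re-using SSL/TLS context
Jul 10 14:14:23 openvpn: 192.168.1.44:1194 LZO compression initialized
Jul 10 14:14:24 openvpn: user f.erfurth could not authenticate.
Jul 10 14:14:24 openvpn: 192.168.1.44:1194 WARNING: Failed running command (--auth-user-pass-verify): external program exited with error status: 255
Jul 10 14:14:24 openvpn: 192.168.1.44:1194 TLS Auth Error: Auth Username/Password verification failed for peer
"""

# Constructed sample: body of an NPS "denied access" event, as Key: Value lines.
NPS_EVENT = """\
Network Policy Server denied access to a user.
Account Name: golden.zhang
Account Domain: WONGS-SJ
NAS IPv4 Address: 10.0.101.1
NAS Identifier: backfw164.localdomain
Network Policy Name: VPN
Authentication Type: PAP
Reason Code: 66
Reason: The user attempted to use an authentication method that is not enabled on the matching network policy.
"""

_USER_FAIL = re.compile(r"openvpn: user (\S+) could not authenticate")
_EXIT_STATUS = re.compile(
    r"\(--auth-user-pass-verify\): external program exited with error status: (\d+)"
)

# NPS reason codes the thread's replies point at. 66 is quoted in the thread;
# 65 is the standard code for a denied dial-in Network Access Permission.
NPS_REASONS = {
    65: "user account's dial-in Network Access Permission denies access (AD user properties)",
    66: "authentication method not enabled on the matching network policy (NPS policy constraints)",
}


def parse_openvpn_log(text):
    """Return (users that failed auth, exit statuses of the verify program)."""
    users, statuses = [], []
    for line in text.splitlines():
        m = _USER_FAIL.search(line)
        if m:
            users.append(m.group(1))
        m = _EXIT_STATUS.search(line)
        if m:
            statuses.append(int(m.group(1)))
    return users, statuses


def parse_nps_event(text):
    """Parse 'Key: Value' lines into a dict; first occurrence of a key wins,
    which keeps the user's own Security ID/Account Name when the event
    repeats those field names for other sections."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        key = key.strip()
        if sep and key and key not in fields:
            fields[key] = value.strip()
    return fields


def diagnose(openvpn_log, nps_event):
    """Combine both logs into one finding.

    OpenVPN treats any non-zero exit of the auth-user-pass-verify program as
    a rejected login, so the exit status alone only says "rejected"; the NPS
    reason code says why and therefore where to fix it.
    """
    users, statuses = parse_openvpn_log(openvpn_log)
    ev = parse_nps_event(nps_event)
    code = int(ev["Reason Code"]) if ev.get("Reason Code", "").isdigit() else None
    finding = {
        "rejected_users": users,
        "verify_exit_status": statuses[-1] if statuses else None,
        "nps_reason_code": code,
        "auth_type": ev.get("Authentication Type"),
        "policy": ev.get("Network Policy Name"),
        "where_to_fix": None,
    }
    if code in NPS_REASONS:
        finding["where_to_fix"] = (
            f"NPS policy '{finding['policy']}', auth type {finding['auth_type']}: "
            + NPS_REASONS[code]
        )
    elif code is not None:
        finding["where_to_fix"] = f"NPS reason code {code}: {ev.get('Reason', '')}"
    elif finding["verify_exit_status"] not in (None, 0):
        # Verify program rejected the login but NPS logged nothing: the request
        # may never have reached NPS (server address, shared secret, client entry).
        finding["where_to_fix"] = "no NPS event; check RADIUS server/client settings on both sides"
    return finding


if __name__ == "__main__":
    for k, v in diagnose(OPENVPN_LOG, NPS_EVENT).items():
        print(f"{k}: {v}")
```

Run it as-is to see the two logs reduced to one finding; to use it on your own case, replace the two constructed samples with the pfSense system log and the NPS event text. The point of the split is the one made in the replies above: a 255 from the verify program is the same for a wrong shared secret, a missing dial-in permission or a disabled PAP, so only the NPS side can tell you which.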