Netgate Discussion Forum

OpenVPN + AD: Authentication failed

    Floh
    last edited by Jul 10, 2013, 12:26 PM

    Hi,
    I'm trying to use Radius with Active Directory (Windows Server 2008 R2) but still openVPN is not working.

    Here we're using pfSense 2.0.3 and the OpenVPN client exported from pfSense. Authentication (Remote Access (SSL/TLS + User Auth)) is not working yet. But if I modify the server mode to Remote Access (SSL/TLS) then everything is fine. Here is the syslog of pfSense:

    
    Jul 10 14:14:23 	openvpn[4327]: 192.168.1.44:1194 Re-using SSL/TLS context
    Jul 10 14:14:23 	openvpn[4327]: 192.168.1.44:1194 LZO compression initialized
    Jul 10 14:14:24 	openvpn: user f.erfurth could not authenticate.
    Jul 10 14:14:24 	openvpn[4327]: 192.168.1.44:1194 WARNING: Failed running command (--auth-user-pass-verify): external program exited with error status: 255
    Jul 10 14:14:24 	openvpn[4327]: 192.168.1.44:1194 TLS Auth Error: Auth Username/Password verification failed for peer
    Jul 10 14:14:24 	openvpn[4327]: 192.168.1.44:1194 [f.erfurth] Peer Connection Initiated with 192.168.1.44:1194
    

    So I see an error: "WARNING: Failed running command (--auth-user-pass-verify): external program exited with error status: 255"
    Unfortunately I don't know why it went wrong, and what does error status 255 mean? And what exactly is the "external program"?

    This is my openVPN client configuration:

    dev tun
    persist-tun
    persist-key
    cipher AES-128-CBC
    tls-client
    client
    resolv-retry infinite
    remote *******.*******.*** 1194 udp
    tls-remote ****.******.*****
    auth-user-pass
    auth-nocache
    pkcs12 **********.p12
    tls-auth **********.key 1
    comp-lzo
    

    I hope you can help me plz. Maybe a hint where to look in the logs. I don't know where the logs for Radius are (on the Windows side). :-O

    Thank you in advance.
    cu Floh

      doktornotor Banned
      last edited by Jul 10, 2013, 12:31 PM

      Make sure you have used IP address, not FQDN for the RADIUS server.

        tbrummell
        last edited by Jul 18, 2013, 7:21 PM

        I just set this up today, albeit on Server 2003, did you configure the Radius backend properly?  Did you enable a remote connection profile in AD?  Did you read the '08 Server Event Logs?

          jimp Rebel Alliance Developer Netgate
          last edited by Jul 19, 2013, 12:19 PM

          Look in the main system log on pfSense also. And try Diag > Authentication to see if you can authenticate there.

          The server auth logs and a packet capture of the RADIUS login attempt would both be helpful for you to look at.

          Odds are it's an NPS config issue, or the account doesn't have Dial-In permission set.

            golden.zhang
            last edited by Apr 4, 2017, 1:30 AM

            I am meeting this problem now. OpenVPN auth by AD authentication gives the same error! But when radius was installed on Windows 2003, that was successful!
            Now with radius installed on Windows 2008 R2, authentication fails!
            pfSense log:
            openvpn[14866]:  WARNING: Failed running command (--auth-user-pass-verify): external program exited with error status: 255
            Apr 2 13:57:20 openvpn[14866]:  TLS Auth Error: Auth Username/Password verification failed for peer
            Windows 2008 R2 log:
            Network Policy Server denied access to a user.

            Contact the Network Policy Server administrator for more information.

            User:
            Security ID: WONGS-SJ\Golden.Zhang
            Account Name: golden.zhang
            Account Domain: WONGS-SJ
            Fully Qualified Account Name: wongs-sj.com/ShaJin/MIS/Zhang Golden

            Client Machine:
            Security ID: NULL SID
            Account Name: -
            Fully Qualified Account Name: -
            OS-Version: -
            Called Station Identifier: -
            Calling Station Identifier: -

            NAS:
            NAS IPv4 Address: 10.0.101.1
            NAS IPv6 Address: -
            NAS Identifier: backfw164.localdomain
            NAS Port-Type: -
            NAS Port: -

            RADIUS Client:
            Client Friendly Name: VPN
            Client IP Address: 142.2.70.164

            Authentication Details:
            Connection Request Policy Name: Use Windows authentication for all users
            Network Policy Name: VPN
            Authentication Provider: Windows
            Authentication Server:
            Authentication Type: PAP
            EAP Type: -
            Account Session Identifier: -
            Logging Results: Accounting information was written to the local log file.
            Reason Code: 66
            Reason: The user attempted to use an authentication method that is not enabled on the matching network policy.

              jimp Rebel Alliance Developer Netgate
              last edited by Apr 4, 2017, 1:39 PM

              That's a very clear error message. Fix your network policy on the Windows server. It's a problem there, not a problem with pfSense.

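As an added example (not code from the thread or from pfSense/Netgate), a small Python triage helper that parses the two log excerpts posted above, the pfSense OpenVPN syslog lines and the NPS "denied access" event, and correlates them: exit status 255 from the pfSense auth script only reports the denial, while the NPS Reason Code (66 here) says which policy setting to fix. The sample text is constructed from the thread with placeholder host and user names.

```python
import re
# Constructed samples modelled on the pfSense syslog and the Windows NPS event
# quoted in this thread; hosts and user names are placeholders.
PFSENSE_LOG = """\
Jul 10 14:14:24 openvpn: user example.user could not authenticate.
Jul 10 14:14:24 openvpn[4327]: 192.0.2.44:1194 WARNING: Failed running command (--auth-user-pass-verify): external program exited with error status: 255
Jul 10 14:14:24 openvpn[4327]: 192.0.2.44:1194 TLS Auth Error: Auth Username/Password verification failed for peer
"""
NPS_EVENT = """\
Network Policy Server denied access to a user.
User:
Account Name: example.user
NAS:
NAS IPv4 Address: 10.0.101.1
Authentication Details:
Network Policy Name: VPN
Authentication Type: PAP
Reason Code: 66
Reason: The user attempted to use an authentication method that is not enabled on the matching network policy.
"""
# Reason code from this thread; pfSense's RADIUS client sends PAP, so the policy must allow it.
NPS_REASON_HINTS = {66: "enable the NAS's authentication type (PAP) on the matching network policy"}

AUTH_FAIL_RE = re.compile(r"openvpn: user (\S+) could not authenticate")
VERIFY_RE = re.compile(r"\(--auth-user-pass-verify\): external program exited with error status: (\d+)")

def parse_openvpn_failures(log):
    """Users that failed auth and the exit statuses of the auth-user-pass-verify script."""
    return AUTH_FAIL_RE.findall(log), [int(s) for s in VERIFY_RE.findall(log)]

def parse_nps_event(text):
    """Extract the fields that decide the verdict from an NPS 'denied access' event."""
    def field(name):  # first match wins: 'Account Name' under User precedes Client Machine
        m = re.search(rf"^{re.escape(name)}: (.*)$", text, re.MULTILINE)
        return m.group(1).strip() if m else None
    code = field("Reason Code")
    return {"user": field("Account Name"), "nas_ip": field("NAS IPv4 Address"),
            "policy": field("Network Policy Name"), "auth_type": field("Authentication Type"),
            "reason_code": int(code) if code and code.isdigit() else None}

def triage(pfsense_log, nps_event):
    """Exit status 255 on pfSense only says 'denied'; the NPS reason code says why."""
    users, statuses = parse_openvpn_failures(pfsense_log)
    nps = parse_nps_event(nps_event)
    if 255 not in statuses or nps["reason_code"] is None:
        return {"side": "unknown", "users": users, "nps": nps}
    hint = NPS_REASON_HINTS.get(nps["reason_code"], "see the Reason text in the NPS event")
    return {"side": "nps", "user": nps["user"], "policy": nps["policy"],
            "auth_type": nps["auth_type"], "fix": hint, "users": users}
```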
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.