OpenVPN + AD: Authentication failed



  • Hi,
    I'm trying to use Radius with Active Directory (Windows Server 2008 R2), but OpenVPN is still not working.

    Here we're using pfSense 2.0.3 and exported the OpenVPN client from pfSense. Authentication (Remote Access (SSL/TLS + User Auth)) is not working yet. But if I modify the server mode to Remote Access (SSL/TLS), then everything is fine. Here is the syslog of pfSense:

    
    Jul 10 14:14:23 	openvpn[4327]: 192.168.1.44:1194 Re-using SSL/TLS context
    Jul 10 14:14:23 	openvpn[4327]: 192.168.1.44:1194 LZO compression initialized
    Jul 10 14:14:24 	openvpn: user f.erfurth could not authenticate.
    Jul 10 14:14:24 	openvpn[4327]: 192.168.1.44:1194 WARNING: Failed running command (--auth-user-pass-verify): external program exited with error status: 255
    Jul 10 14:14:24 	openvpn[4327]: 192.168.1.44:1194 TLS Auth Error: Auth Username/Password verification failed for peer
    Jul 10 14:14:24 	openvpn[4327]: 192.168.1.44:1194 [f.erfurth] Peer Connection Initiated with 192.168.1.44:1194
    

    So I see an error: "WARNING: Failed running command (--auth-user-pass-verify): external program exited with error status: 255"
    Unfortunately I dunno why it went wrong, and what does error status 255 mean? And what exactly is the "external program"?

    This is my openVPN client configuration:

    dev tun
    persist-tun
    persist-key
    cipher AES-128-CBC
    tls-client
    client
    resolv-retry infinite
    remote *******.*******.*** 1194 udp
    tls-remote ****.******.*****
    auth-user-pass
    auth-nocache
    pkcs12 **********.p12
    tls-auth **********.key 1
    comp-lzo
    

    I hope you can help me plz. Maybe a hint where to look in the logs. I dunno where the logs for Radius are (on the Windows side). :-O

    Thank you in advance.
    cu Floh


  • Banned

    Make sure you have used IP address, not FQDN for the RADIUS server.



  • I just set this up today, albeit on Server 2003. Did you configure the Radius backend properly? Did you enable a remote connection profile in AD? Did you read the '08 Server Event Logs?


  • Rebel Alliance Developer Netgate

    Look in the main system log on pfSense also. And try Diag > Authentication to see if you can authenticate there.

    The server auth logs and a packet capture of the RADIUS login attempt would both be helpful for you to look at.

    Odds are it's an NPS config issue, or the account doesn't have Dial-In permission set.



  • I meet this problem now: OpenVPN auth by AD authentication gives the same error! But when Radius was installed on Windows 2003, that was successful!
    Now with Radius installed on Windows 2008 R2, authentication fails!
    pfSense log:
    openvpn[14866]:  WARNING: Failed running command (--auth-user-pass-verify): external program exited with error status: 255
    Apr 2 13:57:20 openvpn[14866]:  TLS Auth Error: Auth Username/Password verification failed for peer
    windows 2008 r2 log
    Network Policy Server denied access to a user.

    Contact the Network Policy Server administrator for more information.

    User:
    Security ID: WONGS-SJ\Golden.Zhang
    Account Name: golden.zhang
    Account Domain: WONGS-SJ
    Fully Qualified Account Name: wongs-sj.com/ShaJin/MIS/Zhang Golden

    Client Machine:
    Security ID: NULL SID
    Account Name: -
    Fully Qualified Account Name: -
    OS-Version: -
    Called Station Identifier: -
    Calling Station Identifier: -

    NAS:
    NAS IPv4 Address: 10.0.101.1
    NAS IPv6 Address: -
    NAS Identifier: backfw164.localdomain
    NAS Port-Type: -
    NAS Port: -

    RADIUS Client:
    Client Friendly Name: VPN
    Client IP Address: 142.2.70.164

    Authentication Details:
    Connection Request Policy Name: Use Windows authentication for all users
    Network Policy Name: VPN
    Authentication Provider: Windows
    Authentication Server:
    Authentication Type: PAP
    EAP Type: -
    Account Session Identifier: -
    Logging Results: Accounting information was written to the local log file.
    Reason Code: 66
    Reason: The user attempted to use an authentication method that is not enabled on the matching network policy.


  • Rebel Alliance Developer Netgate

    That's a very clear error message. Fix your network policy on the Windows server. It's a problem there, not a problem with pfSense.
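    A small triage helper for the NPS "denied access" event quoted above, added here as an example and not code from the thread or from pfSense. It flattens the event's "Key: Value" lines by section and maps the Reason Code to the usual cause; the sample event is constructed from the one posted (trimmed), and the reason-code meanings for 16, 65 and 66 follow Microsoft's NPS documentation.

```python
# Constructed sample, trimmed from the NPS event quoted in the thread.
SAMPLE_EVENT = """Network Policy Server denied access to a user.
User:
Account Name: golden.zhang
Client Machine:
Account Name: -
NAS:
NAS Identifier: backfw164.localdomain
Authentication Details:
Network Policy Name: VPN
Authentication Type: PAP
Reason Code: 66
Reason: The user attempted to use an authentication method that is not enabled on the matching network policy.
"""
# NPS section headers; keys become "Section/Key" so the two "Account Name" fields stay distinct.
SECTIONS = {"User", "Client Machine", "NAS", "RADIUS Client", "Authentication Details"}

# Reason codes met most often with pfSense + NPS and what each usually means (Microsoft docs).
REASON_HINTS = {
    "16": "Credentials rejected by AD: wrong password, or the account does not exist.",
    "65": "The account's dial-in property denies access: allow it, or control access via NPS policy.",
    "66": "The NAS's authentication method is disabled on the matched policy: OpenVPN on pfSense "
          "sends PAP, so enable 'Unencrypted authentication (PAP, SPAP)' under Constraints.",
}

def parse_nps_event(text):
    """Flatten the 'Key: Value' lines of an NPS event into a dict keyed by section."""
    fields, section = {}, ""
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:  # narrative lines carry no colon and are skipped
            continue
        key, value = key.strip(), value.strip()
        if key in SECTIONS and not value:  # a bare "User:" style line opens a section
            section = key
            continue
        fields[f"{section}/{key}" if section else key] = value
    return fields

def diagnose(text):
    """Return the fields needed to triage a denial plus a hint for its reason code."""
    f = parse_nps_event(text)
    ad = "Authentication Details/"
    code = f.get(ad + "Reason Code", "")
    return {
        "user": f.get("User/Account Name"),
        "policy": f.get(ad + "Network Policy Name"),
        "auth_type": f.get(ad + "Authentication Type"),
        "reason_code": code,
        "hint": REASON_HINTS.get(code, f.get(ad + "Reason", "unknown reason code")),
    }
```

For the posted event this yields reason code 66 with authentication type PAP on policy "VPN", which is exactly the mismatch the reply above points at.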

