OpenVPN+Win2012 NAP Radius working great but client doesn't get ip address



  • Hi,

    I am running the new pfSense 2.1. In the previous version OpenVPN and RADIUS were working fine, but now I have a problem.

    I've looked everywhere, lurking around this website and Google in the hope of finding an answer, but I am stuck with this issue.

    My OpenVPN server works great with the Local Database, but if I set it to log in via RADIUS it authenticates perfectly but the client gets no IP address and returns an error.

    Client log error

    Fri Sep 20 21:43:46 2013 TAP-WIN32 device [VPN] opened: \\.\Global\{5C54D42C-C556-4CB8-8860-33A0A3454886}.tap
    Fri Sep 20 21:43:46 2013 Set TAP-Windows TUN subnet mode network/local/netmask = 255.255.255.254/255.255.255.254/255.255.255.255 [SUCCEEDED]
    Fri Sep 20 21:43:46 2013 ERROR: --ip-win32 dynamic [offset] : offset is outside of --ifconfig subnet

    Server log error

    Sep 20 21:43:46 pfSense openvpn: user 'Fe' authenticated
    Sep 20 21:43:46 pfSense openvpn[1634]: 192.168.1.12:1194 [Fe] Peer Connection Initiated with [AF_INET]192.168.1.12:1194
    Sep 20 21:43:46 pfSense openvpn[1634]: Fe/192.168.1.12:1194 MULTI_sva: pool returned IPv4=192.168.0.2, IPv6=(Not enabled)
    Sep 20 21:43:46 pfSense openvpn[1634]: Fe/192.168.1.12:1194 Options error: option 'topology' cannot be used in this context (/tmp/openvpn_cc_338dc5c61c1ebf7f4ade29c7224e1ae1.tmp)
    Sep 20 21:43:46 pfSense openvpn[1634]: Fe/192.168.1.12:1194 MULTI ERROR: primary virtual IP for Fe/192.168.1.12:1194 (255.255.255.254) violates tunnel network/netmask constraint (192.168.0.0/255.255.255.0)
    Sep 20 21:43:49 pfSense openvpn[1634]: Fe/192.168.1.12:1194 send_push_reply(): safe_cap=940
    Sep 20 21:45:49 pfSense openvpn[1634]: Fe/192.168.1.12:1194 [Fe] Inactivity timeout (--ping-restart), restarting

    RADIUS is working; I believe it's something wrong with the PHP files or something.

    I've tried everything for 3 long days, reinstall, you name it. I am starting to believe it's a bug.

    I can post more information if necessary.

    Can someone help?

    Thanks.

    P
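The two server-side errors above are the checks OpenVPN runs when it reads a per-client config file (here the /tmp/openvpn_cc_*.tmp file pfSense generated after the RADIUS reply): an option that is not permitted in that context ('topology'), and an ifconfig-push address that falls outside the tunnel network. The script below is an added example, not code from the original post or from pfSense/OpenVPN; it reproduces those two checks against a constructed sample file so the generated file can be inspected before the next connection attempt. The sample contents are an assumption reconstructed from the log lines (the actual file is not shown in the thread), and the list of options allowed in a client-config-dir file is a subset taken from the OpenVPN manual.

```python
import ipaddress

# Assumption: subset of the options the OpenVPN manual permits inside a
# --client-config-dir file. Anything else triggers "cannot be used in this
# context", exactly as 'topology' did in the server log above.
CCD_ALLOWED = {
    "push", "push-reset", "push-remove", "iroute", "iroute-ipv6",
    "ifconfig-push", "ifconfig-ipv6-push", "config", "disable",
}

# Constructed sample: what the log lines imply pfSense wrote into
# /tmp/openvpn_cc_*.tmp. A netmask has landed where the client IP belongs
# and a 'topology' line is present. The real file is not on the page.
SAMPLE_CCD = """topology subnet
ifconfig-push 255.255.255.254 255.255.255.255
push "route 192.168.0.0 255.255.255.0"
"""


def parse_ccd(text):
    """Split a client-config file into (option, [args]) tuples, skipping
    blank lines and comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        parts = line.split()
        entries.append((parts[0], parts[1:]))
    return entries


def check_ccd(text, tunnel_net):
    """Return the problems OpenVPN would log for this client-config file
    given the server's tunnel network (e.g. "192.168.0.0/24")."""
    net = ipaddress.IPv4Network(tunnel_net, strict=False)
    problems = []
    for opt, args in parse_ccd(text):
        if opt not in CCD_ALLOWED:
            problems.append(f"option '{opt}' cannot be used in this context")
        if opt == "ifconfig-push" and args:
            try:
                ip = ipaddress.IPv4Address(args[0])
            except ipaddress.AddressValueError:
                problems.append(f"ifconfig-push: '{args[0]}' is not an IPv4 address")
                continue
            # Mirrors the MULTI ERROR check: the pushed address must be a
            # usable host address inside the tunnel network.
            if (ip not in net or ip == net.network_address
                    or ip == net.broadcast_address):
                problems.append(
                    f"primary virtual IP {ip} violates tunnel network/netmask "
                    f"constraint ({net.network_address}/{net.netmask})"
                )
    return problems


if __name__ == "__main__":
    # Run against the constructed sample with the tunnel network from the log.
    for problem in check_ccd(SAMPLE_CCD, "192.168.0.0/24"):
        print(problem)
```

Point it at the real temporary file (`check_ccd(open(path).read(), "192.168.0.0/24")`) while a RADIUS user is connecting; if it reports the same two problems as the log, the RADIUS reply attributes are being written into the client-config file in the wrong positions, and the fix lies on the side that generates that file rather than in the client.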



  • Still UP.

    Any ideas, guys? Another curious thing is that it is giving an IP that is in fact a subnet mask. DHCP-Serv shows 0.0.0.0. I've tried push "ip-win32 netsh" and push "ip-win32 dynamic 0 3600" and the error always persists. Sometimes I get a different error (I don't remember it now, but I can look if necessary), but never a valid IP address. Again, if I set it to authenticate against the local database it works fine. I searched the PHP config files that it uses for RADIUS authentication and I think something is wrong there, in my humble opinion; I don't know anything about PHP programming but I have some knowledge of C/shell.
    I am not worried. I just want to exchange some ideas about why this is happening.

    Thanks again



  • Guys, let me know if there is a post equal or similar to this one; I didn't find any. Thanks again.



  • Hello, I'm planning on setting up this kind of setup later this week. I can come back to you if I have any experience that I think can be of any help.

    /erik



  • Thank you very much for your reply Eric.
    The best solution that I found is to roll back to 2.0.3.
    Everything works, but it's unacceptable.
    I'm eager to see your progress.

    P



  • I had the same errors in a different environment. I found the same solution. The only thing that worked was a rollback to 2.0.3 :-\



  • Yo, I did a test with 2.1-RELEASE (amd64) and Windows Server 2012 (not R2) set up as AD, DNS and NAP. I followed the instructions on this site:

    https://doc.pfsense.org/index.php/OpenVPN_with_RADIUS_via_Active_Directory

    I followed all the topics in the guide up to "Change the cryptoapicert SUBJ". I did not do this step or any step following it (if you don't count connecting the client to the server). I used my own names and IP addresses etc. and I ignored any setting that was new for version 2.1.

    I shared a folder on my Windows Server 2012 and was able to access it with my test account from a Windows 7 Enterprise 64-bit machine using the exported OpenVPN client.

    Do you know if RADIUS still only supports unencrypted (PAP) communication with the NAP server? Using Captive Portal and NAP you can select at least MS-CHAPv2. I know this isn't entirely secure either, but hey, better than nothing I think.

    I'm new to using OpenVPN and I tried this in a virtual test environment. I'm gonna play around with the settings to see what happens and see if I'm able to do this without having to manually create certs for each user in pfSense. Anyway, hope this helps, and let me know of your progress!  :)

    /erik

