Can't access Radius server on LAN

remmy29

I initially set up OpenVPN listening on my WAN to authenticate against a Windows Radius server with a little help from https://doc.pfsense.org/index.php/OpenVPN_with_RADIUS_via_Active_Directory.  Everything was working flawlessly until I moved the radius server over to the LAN.  After I moved the server, I reconfigured the radius server to the local address of the radius server in System -> authentication servers on pfsense.  The firewall can ping the local radius server address (192.168.1.1).  The radius server is still configured to allow all traffic from pfsense wan interface (192.168.60.10) and successfully connects from the lan to the wan address in the configuration test. The firewalls on the windows radius server are completely disabled and pfsense rules for the lan and wan and vpn interface are set to allow all to all to attempt to troubleshoot.  Any idea what I could be missing?

The openVPN logs have connection established (outside ip), Fatal TLS error check, TLS error: TLS Handshake Failed, TLS Error: TLS Auth Error: Auth Username/Password verification failed to occur within 60 seconds (check network connectivity).

I have also reviewed the Radius server logs and it looks like PFSense isn't even hitting it.

I strongly suspect traffic to the Radius server is blocked, but can't quite figure out what else i need to do to enable it.  Anyone have any suggestions?

divsys

Any chance you could do up a little diagram so we're clear on where all the pieces (and all the subnets) fit into this puzzle?

The only thing that jumps out at me is the:

TLS Auth Error: Auth Username/Password verification failed to occur within 60 seconds (check network connectivity).

Which would lead me to believe you're missing/have misconfigured a password to authenticate your OpenVPN certificates.

Get us a little more info about your setup, and we'll see if we can't get you going ;)

remmy29

corp network
        |
        |
pfsense (192.168.60.10) WAN (additional fully external ip resolves to here)
        |
        |
pfsense lan interface (192168.1.1)
        |
        |
Windows radius server (192.168.1.10)

OpenVPN Config:
Server Mode: Remote Access (SSL/TLS + User Auth)
Backend for Authentication: RADIUS
Protocol: tcp
Device Mode: tun
Interface: WAN
Local Port: 443

System: Authentication Servers Settings:
Hostname or ip: 192.168.60.10
Shared Secret: pasted over from radius server
Auth Port: 1812
Accounting Port: 1813
Auth Timeout: 500

Before when I would manually enter a bad password it would show up in the radius server logs.  This time using wireshark, I can't detect that any traffic is even making it to radius.  I can verify with captures that it is reaching the openvpn server.  I think somehow openvpn can't reach the radius server and it is timing out and failing. Like I said I have all rules down trying to figure out why, any help is appreciated.  Pretty sure its something really simple I am just not seeing.

Also forgot to add, I didn't change anything about the NPS config from the working connection to the non-working connection.  Still have it set to receive requests from 192.168.60.10.

OpenVPN Log:
May 21 11:33:38

openvpn: user 'clarkdori' could not authenticate.

May 21 11:33:38

openvpn[52966]: 64.134.31.222:63010 WARNING: Failed running command (–auth-user-pass-verify): external program exited with error status: 255

May 21 11:33:38

openvpn[52966]: 64.134.31.222:63010 TLS Auth Error: Auth Username/Password verification failed for peer

May 21 11:33:38

openvpn[52966]: 64.134.31.222:63010 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)

May 21 11:33:38

openvpn[52966]: 64.134.31.222:63010 TLS Error: TLS handshake failed

May 21 11:33:38

openvpn[52966]: 64.134.31.222:63010 Fatal TLS error (check_tls_errors_co), restarting

May 21 11:33:38

openvpn[52966]: TCP connection established with [AF_INET]64.134.31.222:63012

IPV4 Tunnel 192.168.2.0/24
IPV4 Local 192.168.1.0/24