    Can't access Radius server on LAN

      remmy29

      I initially set up OpenVPN listening on my WAN to authenticate against a Windows RADIUS server with a little help from https://doc.pfsense.org/index.php/OpenVPN_with_RADIUS_via_Active_Directory.  Everything was working flawlessly until I moved the RADIUS server over to the LAN.  After I moved the server, I reconfigured the RADIUS server to the local address of the RADIUS server in System -> Authentication Servers on pfSense.  The firewall can ping the local RADIUS server address (192.168.1.1).  The RADIUS server is still configured to allow all traffic from the pfSense WAN interface (192.168.60.10) and successfully connects from the LAN to the WAN address in the configuration test. The firewalls on the Windows RADIUS server are completely disabled, and the pfSense rules for the LAN, WAN and VPN interfaces are set to allow all to all to attempt to troubleshoot.  Any idea what I could be missing?

      The OpenVPN logs have: connection established (outside IP), Fatal TLS error check, TLS error: TLS Handshake Failed, TLS Error: TLS Auth Error: Auth Username/Password verification failed to occur within 60 seconds (check network connectivity).

      I have also reviewed the RADIUS server logs and it looks like pfSense isn't even hitting it.

      I strongly suspect traffic to the RADIUS server is blocked, but can't quite figure out what else I need to do to enable it.  Anyone have any suggestions?

        divsys

        Any chance you could do up a little diagram so we're clear on where all the pieces (and all the subnets) fit into this puzzle?

        The only thing that jumps out at me is the:

        TLS Auth Error: Auth Username/Password verification failed to occur within 60 seconds (check network connectivity).

        Which would lead me to believe you're missing/have misconfigured a password to authenticate your OpenVPN certificates.

        Get us a little more info about your setup, and we'll see if we can't get you going ;)

        -jfp

          remmy29

          corp network
                  |
                  |
          pfSense (192.168.60.10) WAN (an additional fully external IP resolves to here)
                  |
                  |
          pfSense LAN interface (192.168.1.1)
                  |
                  |
          Windows RADIUS server (192.168.1.10)

          OpenVPN Config:
          Server Mode: Remote Access (SSL/TLS + User Auth)
          Backend for Authentication: RADIUS
          Protocol: tcp
          Device Mode: tun
          Interface: WAN
          Local Port: 443

          System: Authentication Servers settings:
          Hostname or IP: 192.168.60.10
          Shared Secret: pasted over from the RADIUS server
          Auth Port: 1812
          Accounting Port: 1813
          Auth Timeout: 500

          Before, when I would manually enter a bad password it would show up in the RADIUS server logs.  This time, using Wireshark, I can't detect that any traffic is even making it to RADIUS.  I can verify with captures that it is reaching the OpenVPN server.  I think somehow OpenVPN can't reach the RADIUS server and it is timing out and failing. Like I said, I have all rules down trying to figure out why; any help is appreciated.  Pretty sure it's something really simple I am just not seeing.

          Also forgot to add, I didn't change anything about the NPS config from the working connection to the non-working connection.  Still have it set to receive requests from 192.168.60.10.

          OpenVPN Log:
          May 21 11:33:38 openvpn: user 'clarkdori' could not authenticate.
          May 21 11:33:38 openvpn[52966]: 64.134.31.222:63010 WARNING: Failed running command (--auth-user-pass-verify): external program exited with error status: 255
          May 21 11:33:38 openvpn[52966]: 64.134.31.222:63010 TLS Auth Error: Auth Username/Password verification failed for peer
          May 21 11:33:38 openvpn[52966]: 64.134.31.222:63010 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
          May 21 11:33:38 openvpn[52966]: 64.134.31.222:63010 TLS Error: TLS handshake failed
          May 21 11:33:38 openvpn[52966]: 64.134.31.222:63010 Fatal TLS error (check_tls_errors_co), restarting
          May 21 11:33:38 openvpn[52966]: TCP connection established with [AF_INET]64.134.31.222:63012

          IPV4 Tunnel 192.168.2.0/24
          IPV4 Local 192.168.1.0/24

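An added example, not part of this thread and not pfSense's or NPS's own code: it builds the RADIUS Access-Request that pfSense's auth backend sends (RFC 2865 PAP, with the User-Password hidden under the shared secret) and models the server-side rule that makes a silent timeout look like "the RADIUS server is never hit": a request whose source IP is not a registered RADIUS client is discarded without any Access-Reject. The shared secret, username and password below are constructed placeholders; the IPs are the ones in the diagram above.

```python
import hashlib
import os
import struct
from ipaddress import ip_address

# Constructed placeholder; not the secret used in the thread.
SHARED_SECRET = b"constructed-shared-secret"


def hide_password(secret: bytes, authenticator: bytes, password: bytes) -> bytes:
    """RFC 2865 5.2: pad to a 16-byte multiple, XOR each block with
    MD5(secret + previous block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def unhide_password(secret: bytes, authenticator: bytes, hidden: bytes) -> bytes:
    """Reverse of hide_password (what the server does before checking AD)."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def access_request(secret, username, password, nas_ip, ident=1, authenticator=None):
    """Access-Request (Code 1): User-Name(1), User-Password(2), NAS-IP-Address(4)."""
    authenticator = authenticator or os.urandom(16)
    attrs = (attribute(1, username.encode())
             + attribute(2, hide_password(secret, authenticator, password.encode()))
             + attribute(4, ip_address(nas_ip).packed))
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + authenticator + attrs


def server_accepts_source(registered_clients, source_ip) -> bool:
    """Model of the NPS-style client check: the source IP of the UDP datagram must be
    a registered RADIUS client; otherwise the request is dropped, no reply is sent,
    and the NAS simply times out. A NAS that now talks to the server over its LAN
    interface sources from 192.168.1.1, not from the WAN address it was registered with."""
    return ip_address(source_ip) in {ip_address(c) for c in registered_clients}
```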