Using Radius for accounting only, Ldap for authentication (using Radiusplugin ?)
-
Hi
I am new to pfSense and also to OpenVPN. My current working setup is:
- OpenVPN server (on a Linux machine)
- LDAP user authentication with openvpn-ldap-plugin https://code.google.com/p/openvpn-auth-ldap/
- RADIUS accounting with OpenVPN - Radiusplugin http://www.nongnu.org/radiusplugin/
I am moving this setup to pfSense to benefit from its capabilities.
Equally, I am using:
- OpenVPN through the wizard
- my LDAP server in the "Backend for authentication" field, having already configured it as an Authentication Server in "System > User manager"
My next step is to use something like Radiusplugin, so I can report accounting information to the RADIUS server (accounting only, not authentication).
Since pfSense is not Linux I have the options to:
- compile Radiusplugin on FreeBSD and use it in pfSense (if successful)
- configure my RADIUS server in pfSense, but use it in the OpenVPN configuration for accounting only, along with the LDAP backend (for auth, as already working)

Well… I just found this feature request:
- Radius Accounting in OpenVPN https://redmine.pfsense.org/issues/1434
Since its last update was a year ago… does this mean that what I am asking is not implemented yet?
Any news in this direction? Thanks
-
Hi again
- compile Radiusplugin on FreeBSD and use it in pfSense (if successful)
- configure my RADIUS server in pfSense, but use it in the OpenVPN configuration for accounting only, along with the LDAP backend (for auth, as already working)
/usr/ports/security/openvpn-auth-radius/
2- I did the following
```
cd /usr/ports/security/openvpn-auth-radius/
make
make install
```
and when prompted I selected both _PW_SAVE_ and _PKCS11_ (I really can't remember what the prompt was about :-[)
3- when the error appeared
```
=> pkcs11-helper-1.09.tar.bz2 doesn't seem to exist in /usr/ports/distfiles/.
=> Attempting to fetch http://www.opensc-project.org/files/pkcs11-helper/pkcs11-helper-1.09.tar.bz2
fetch: http://www.opensc-project.org/files/pkcs11-helper/pkcs11-helper-1.09.tar.bz2: Moved Temporarily
=> Attempting to fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/distfiles/pkcs11-helper-1.09.tar.bz2
fetch: ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/distfiles/pkcs11-helper-1.09.tar.bz2: File unavailable (e.g., file not found, no access)
=> Couldn't fetch it - please try to retrieve this
=> port manually into /usr/ports/distfiles/ and try again.
*** Error code 1
```
I downloaded pkcs11-helper-1.09.tar.bz2 manually using
```
cd /usr/ports/distfiles/
wget http://distcache.freebsd.org/ports-distfiles/pkcs11-helper-1.09.tar.bz2
```
4- did step 2 again (using "make clean" first) and the compilation ended with
```
===> Registering installation for openvpn-auth-radius-2.1
```
Also the desired files "radiusplugin.so" and "radiusplugin.cnf" were located in "/usr/ports/security/openvpn-auth-radius/work/radiusplugin/"
5- I copied the following files from the FreeBSD machine to my pfSense
```
/usr/local/lib/libgcrypt.so.18
/usr/local/lib/libgpg-error.so.0
/root/openvpn/radius/radiusplugin.so
/root/openvpn/radius/radiusplugin.cnf
```
(when I put radiusplugin.so and radiusplugin.cnf in /var/etc/openvpn they were deleted on reboot, so since I didn't know where their proper location should be - newbie here - I put them in /root/openvpn/radius)
6- at last the command (on pfSense) "ldd openvpn/radius/radiusplugin.so" outputs
```
openvpn/radius/radiusplugin.so:
libgcrypt.so.18 => /usr/local/lib/libgcrypt.so.18 (0x28300000)
libgpg-error.so.0 => /usr/local/lib/libgpg-error.so.0 (0x281f8000)
libstdc++.so.6 => /usr/lib/libstdc++.so.6 (0x2837d000)
libthr.so.3 => /lib/libthr.so.3 (0x28470000)
libm.so.5 => /lib/libm.so.5 (0x28485000)
libgcc_s.so.1 => /lib/libgcc_s.so.1 (0x2849f000)
libc.so.7 => /lib/libc.so.7 (0x28099000)
libintl.so.9 => /usr/local/lib/libintl.so.9 (0x284aa000)
libiconv.so.3 => /usr/local/lib/libiconv.so.3 (0x284b3000)
```
the same as on FreeBSD…, which made me think the compilation and move to pfSense were correct...
7- I configured my OpenVPN config by adding
```
plugin /root/openvpn/radius/radiusplugin.so /root/openvpn/radius/radiusplugin.cnf;
```
in the "Advanced configuration" area, after first editing the radiusplugin.cnf file properly.
Doing some tests I found:
- good news…. the RADIUS server gets accounting info from pfSense's OpenVPN!!
- bad news…... the RADIUS server does not get "traffic info" (bits that the user downloads or uploads)
- bad news…... the OpenVPN instance hangs after a while...!!!
I will double check if there is any misconfiguration in the .cnf or elsewhere, do some tests and report again.
If there are any mistakes in the above… please let me know. Regards
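Step 6 above checks `ldd` by eye. The script below is an added example (not code from the thread or from radiusplugin) that turns that check into a pass/fail gate: it parses `ldd` output and refuses a plugin when any dependency is "not found" or resolves from a directory outside a root-owned library path. The point matters here because OpenVPN on pfSense runs as root, so a library it loads from a user-writable directory would run with root's privileges. The trusted directory list and the two sample `ldd` listings are assumptions constructed for the example.

```sh
#!/bin/sh
# Added example: gate a plugin on its ldd output before OpenVPN (root) loads it.
# Assumed trusted, root-owned library directories; adjust to the host layout.
TRUSTED_LIB_DIRS="/lib /usr/lib /usr/local/lib"

is_trusted_dir() {
    # $1 = directory that a resolved library lives in
    for d in $TRUSTED_LIB_DIRS; do
        [ "$1" = "$d" ] && return 0
    done
    return 1
}

plugin_problems() {
    # $1 = text exactly as printed by `ldd /path/to/plugin.so`.
    # Prints one line per problem:
    #   MISSING <lib>            dependency could not be resolved
    #   UNTRUSTED <lib> <path>   resolved outside TRUSTED_LIB_DIRS
    # Prints nothing when every dependency is clean.
    printf '%s\n' "$1" | while IFS= read -r line; do
        case "$line" in
            *'=>'*) ;;        # "libname => /path (0x...)" or "libname => not found"
            *) continue ;;    # header ("plugin.so:"), loader, vdso, blank lines
        esac
        set -- $line          # word-split: $1=lib  $2="=>"  $3=path or "not"
        if [ "$3" = "not" ]; then
            echo "MISSING $1"
        elif ! is_trusted_dir "${3%/*}"; then
            echo "UNTRUSTED $1 $3"
        fi
    done
}

plugin_is_loadable() {
    # Exit status 0 when ldd output $1 shows no problem, 1 otherwise.
    [ -z "$(plugin_problems "$1")" ]
}

plugin_check() {
    # Real use: plugin_check /root/openvpn/radius/radiusplugin.so
    out=$(ldd "$1") || return 1
    plugin_problems "$out"
    plugin_is_loadable "$out"
}

# Constructed sample listings in FreeBSD ldd format (not real captures).
CLEAN_LDD='radiusplugin.so:
    libgcrypt.so.18 => /usr/local/lib/libgcrypt.so.18 (0x28300000)
    libstdc++.so.6 => /usr/lib/libstdc++.so.6 (0x2837d000)
    libc.so.7 => /lib/libc.so.7 (0x28099000)'

BROKEN_LDD='radiusplugin.so:
    libgcrypt.so.18 => not found (0)
    libhelper.so.1 => /root/openvpn/radius/libhelper.so.1 (0x28400000)
    libc.so.7 => /lib/libc.so.7 (0x28099000)'

if [ -n "${1:-}" ]; then
    plugin_check "$1"
fi
```

Run it as `sh check_plugin.sh /root/openvpn/radius/radiusplugin.so`; an empty report and a zero exit status mean the plugin's dependencies all resolve from the trusted paths. Copying `libgcrypt.so.18` and `libgpg-error.so.0` into `/usr/local/lib`, as the post does, keeps them in a root-owned directory and so passes this check.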
-
Here again….
@alexxtasi:
- bad news…... the radius server does not get "traffic info" (bits that the user downloads or uploads)
This was solved by setting a status file in the OpenVPN settings. In the "Advanced configuration":
```
status /var/etc/openvpn/server1.status.log 1; plugin /root/openvpn/radius/radiusplugin.so /root/openvpn/radius/radiusplugin.cnf;
```
Since pfSense has its own method to display OpenVPN's traffic (in "Status > OpenVPN"), status.log must be created so radiusplugin can read traffic info from it…
====================================
- bad news…... openvpn instance hangs after a while...!!!
For this issue I found the following:
In the openvpn config there is "keepalive 10 60", which in 60 minutes "reconnects the user" (correct me on this…)
After this "reconnection" happens (which fails because of a plugin providing two-factor authentication), or after the user reconnects himself, there is a
```
[error] Unable to contact daemon Service not running? 0 0 0
```
Sometimes the web interface does not respond, and even after a machine reboot the openvpn log says:
```
Aug 1 13:03:56 pfsense openvpn[45317]: TCP/UDP: Socket bind failed on local address [AF_INET]pfsense_ip:port: Address already in use
Aug 1 13:03:56 pfsense openvpn[45317]: Exiting due to fatal error
```
Any suggestions on this?? Thanks
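The post above adds a `status` file so the plugin has somewhere to read traffic counters from. The script below is an added example (not code from the thread or from radiusplugin) showing what is actually in that file: with a plain `status <file> <seconds>` directive OpenVPN writes its version-1 layout, whose "Bytes Received" and "Bytes Sent" columns are the server-side per-client counters (received = uploaded by the client, sent = downloaded by the client) that an accounting plugin reports per user. The sample status file is constructed for the example and is not a real capture.

```sh
#!/bin/sh
# Added example: extract per-client byte counters from an OpenVPN
# status file in the version-1 layout.

# Constructed sample status file (not a real capture).
SAMPLE_STATUS='OpenVPN CLIENT LIST
Updated,Tue Aug  5 17:18:47 2014
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
alice,203.0.113.5:51234,12345,67890,Tue Aug  5 16:06:01 2014
bob,198.51.100.7:40001,500,2500,Tue Aug  5 17:00:12 2014
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.8.0.6,alice,203.0.113.5:51234,Tue Aug  5 17:18:40 2014
10.8.0.10,bob,198.51.100.7:40001,Tue Aug  5 17:18:45 2014
GLOBAL STATS
Max bcast/mcast queue length,0
END'

client_octets() {
    # $1 = status file text, $2 = client common name.
    # Prints "<bytes received> <bytes sent>"; exit status 1 if the
    # client is not in the CLIENT LIST section (i.e. not connected).
    printf '%s\n' "$1" | awk -F, -v cn="$2" '
        /^ROUTING TABLE$/                          { inlist = 0 }
        inlist && $1 == cn                         { print $3, $4; found = 1 }
        /^Common Name,Real Address,Bytes Received/ { inlist = 1 }
        END { exit found ? 0 : 1 }'
}

connected_clients() {
    # $1 = status file text. Prints one connected common name per line.
    printf '%s\n' "$1" | awk -F, '
        /^ROUTING TABLE$/                          { inlist = 0 }
        inlist                                     { print $1 }
        /^Common Name,Real Address,Bytes Received/ { inlist = 1 }'
}

# Real use on pfSense, with the status directive from the post in place:
#   client_octets "$(cat /var/etc/openvpn/server1.status.log)" alice
```

The counters are per connection, so a client that drops and reconnects starts again from zero in the next rewrite of the file; anything that accumulates totals per user has to account for that.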
-
Hi
I found that when running the OpenVPN instance without the radiusplugin as I used to, the
```
root 17354 0.0 0.9 5476 4384 ?? Ss 11:05AM 0:13.15 /usr/local/sbin/openvpn --config /var/etc/openvpn/server1.conf
root 15084 0.0 1.0 6520 4860 v0- I 11:05AM 0:00.58 /usr/local/sbin/openvpn --config /var/etc/openvpn/server1.conf
root 25148 0.0 0.2 3468 1244 0 S+ 1:47PM 0:00.02 grep openvpn
root 13539 0.0 0.2 2020 900 1 S+ 11:11AM 0:04.36 clog -f /var/log/openvpn.log
```
when I enable the radiusplugin in the configuration, the server starts and
```
ps aux | grep openvpn
root 23718 0.0 1.1 8432 5328 ?? I 4:06PM 0:00.00 /usr/local/sbin/openvpn --config /var/etc/openvpn/server1.conf
root 23916 0.0 1.1 8432 5324 ?? S 4:06PM 0:00.23 /usr/local/sbin/openvpn --config /var/etc/openvpn/server1.conf
root 24904 0.0 1.2 10608 6264 ?? Is 4:06PM 0:00.45 /usr/local/sbin/openvpn --config /var/etc/openvpn/server1.conf
root 13539 0.0 0.2 2020 900 1 S+ 11:11AM 0:09.42 clog -f /var/log/openvpn.log
```
in both cases there is one pid file
```
cat /var/run/openvpn_server1.pid
24904
```
(in the first case the pid was 17354 or 15084, can't remember…)
Problems start in the second (radiusplugin) case when the user reconnects (the client reconnects due to the keepalive directive - haven't tested the administrator dropping the user's connection from the GUI or the user reconnecting)... Three things happen:
1- processes are:
```
ps aux | grep openvpn
root 4120 0.0 0.2 1812 796 ?? IN 5:08PM 0:00.00 nc -U /var/etc/openvpn/server1.sock
root 23718 0.0 1.1 8432 5328 ?? I 4:06PM 0:00.00 /usr/local/sbin/openvpn --config /var/etc/openvpn/server1.conf
root 23916 0.0 1.1 8432 5324 ?? S 4:06PM 0:00.36 /usr/local/sbin/openvpn --config /var/etc/openvpn/server1.conf
root 24904 0.0 1.3 10608 6428 ?? Is 4:06PM 0:00.70 /usr/local/sbin/openvpn --config /var/etc/openvpn/server1.conf
root 13539 0.0 0.2 2020 900 1 S+ 11:11AM 0:10.12 clog -f /var/log/openvpn.log
```
2- the GUI (Status > OpenVPN) says
```
[error] Unable to contact daemon Service not running? 0 0 0
```
3- the /var/log/openvpn.log file shows nothing! (it remains at the last log entry - a successful login…)
Trying to restart the OpenVPN service, it fails with
```
Aug 5 17:18:47 openvpn[27542]: OpenVPN 2.3.2 i386-portbld-freebsd8.3 [SSL (OpenSSL)] [LZO] [eurephia] [MH] [IPv6] built on Mar 27 2014
Aug 5 17:18:47 openvpn[27542]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Aug 5 17:18:47 openvpn[27542]: WARNING: POTENTIALLY DANGEROUS OPTION --client-cert-not-required may accept clients which do not present a certificate
Aug 5 17:18:47 openvpn[27542]: Control Channel Authentication: using '/var/etc/openvpn/server1.tls-auth' as a OpenVPN static key file
Aug 5 17:18:47 openvpn[27542]: TCP/UDP: Socket bind failed on local address [AF_INET]server_ip:5001: Address already in use
Aug 5 17:18:47 openvpn[27542]: Exiting due to fatal error
```
and in the processes there is
```
root 4120 0.0 0.2 1812 796 ?? IN 5:08PM 0:00.00 nc -U /var/etc/openvpn/server1.sock
root 23140 0.0 1.1 8432 5424 ?? I 5:18PM 0:00.00 /usr/local/sbin/openvpn --config /var/etc/openvpn/server1.conf
root 23718 0.0 1.1 8432 5328 ?? I 4:06PM 0:00.00 /usr/local/sbin/openvpn --config /var/etc/openvpn/server1.conf
root 23916 0.0 1.1 8432 5324 ?? S 4:06PM 0:00.45 /usr/local/sbin/openvpn --config /var/etc/openvpn/server1.conf
root 24904 0.0 1.3 10608 6428 ?? Is 4:06PM 0:00.70 /usr/local/sbin/openvpn --config /var/etc/openvpn/server1.conf
root 27676 0.0 1.1 8432 5476 ?? I 5:18PM 0:00.00 /usr/local/sbin/openvpn --config /var/etc/openvpn/server1.conf
root 35518 0.0 0.1 1796 700 0 R+ 5:21PM 0:00.00 grep openvpn
root 18917 0.0 0.3 2020 1276 1 S+ 5:16PM 0:00.26 clog -f /var/log/openvpn.log
```
Any explanation for this? Is it a radiusplugin problem or openvpn in general? Thank you
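Two facts help read the listings above. `keepalive 10 60` is a ping every 10 seconds and a restart after 60 seconds without a reply, not 60 minutes, so a client whose plugin re-authentication fails will cycle far sooner than the post expects. And "Address already in use" on restart means some process still holds the listening port; the pid file names one OpenVPN process, so every other `openvpn --config` process for the same instance is the thing to investigate. The script below is an added example (not code from the thread or from pfSense) that does that comparison over `ps aux` output, plus the `nc -U` client hanging on the management socket. The sample `ps` listing is constructed from the post's output and is not a real capture.

```sh
#!/bin/sh
# Added example: find OpenVPN processes for one instance that the pid
# file does not account for, and clients stuck on its management socket.

stray_openvpn_pids() {
    # $1 = `ps aux` text, $2 = --config path, $3 = PID from the pid file.
    # Prints every other openvpn PID started with "--config $2", one per line.
    # ps aux columns: USER PID %CPU %MEM VSZ RSS TT STAT STARTED TIME COMMAND...
    printf '%s\n' "$1" | awk -v cfg="$2" -v keep="$3" '
        $11 ~ /(^|\/)openvpn$/ && $12 == "--config" && $13 == cfg && $2 != keep { print $2 }'
}

management_socket_clients() {
    # $1 = `ps aux` text, $2 = management socket path.
    # Prints PIDs of "nc -U <socket>" processes attached to that socket.
    printf '%s\n' "$1" | awk -v sock="$2" '
        $11 ~ /(^|\/)nc$/ && $12 == "-U" && $13 == sock { print $2 }'
}

# Constructed `ps aux | grep openvpn` listing modelled on the post (not a real capture).
SAMPLE_PS='root 4120 0.0 0.2 1812 796 ?? IN 5:08PM 0:00.00 nc -U /var/etc/openvpn/server1.sock
root 23718 0.0 1.1 8432 5328 ?? I 4:06PM 0:00.00 /usr/local/sbin/openvpn --config /var/etc/openvpn/server1.conf
root 23916 0.0 1.1 8432 5324 ?? S 4:06PM 0:00.36 /usr/local/sbin/openvpn --config /var/etc/openvpn/server1.conf
root 24904 0.0 1.3 10608 6428 ?? Is 4:06PM 0:00.70 /usr/local/sbin/openvpn --config /var/etc/openvpn/server1.conf
root 13539 0.0 0.2 2020 900 1 S+ 11:11AM 0:10.12 clog -f /var/log/openvpn.log
root 35518 0.0 0.1 1796 700 0 R+ 5:21PM 0:00.00 grep openvpn'

# Real use on pfSense for the instance in the post:
#   stray_openvpn_pids "$(ps aux)" /var/etc/openvpn/server1.conf \
#       "$(cat /var/run/openvpn_server1.pid)"
#   management_socket_clients "$(ps aux)" /var/etc/openvpn/server1.sock
```

A non-empty result from `stray_openvpn_pids` after the service has been stopped is the process to inspect (and, once confirmed to be a leftover, to kill) before the instance can bind its port again; a lingering `nc -U` on the management socket is what the GUI's "Unable to contact daemon" check is competing with.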
-
@alexxtasi said in Using Radius for accounting only, Ldap for authentication (using Radiusplugin ?):
it a radiusplugin problem or openvpn in general?
thank you
You forgot to reply to yourself and tell us that you have fixed this crash :)