Using Radius for accounting only, Ldap for authentication (using Radiusplugin ?)



  • Hi
    I am new to pfSense and also to OpenVPN.

    My current working setup is:

    I am moving this setup to pfSense to benefit from its capabilities.
    Equally, I am using:

    • OpenVPN through the wizard

    • my ldap server in "Backend for authentication" field, having already configured it as Authentication Server in "System > User manager"

    My next step is to use something like Radiusplugin, so I can report accounting information to the Radius server (accounting only, not authentication).
    Since pfSense is not Linux, I have the options to:

    • compile Radiusplugin in FreeBSD and use it in pfSense (if success)

    • configure my Radius in pfSense, but use it in openvpn configuration for accounting only and along with ldap backend (for auth as already working)



  • Well… I just found this feature request:

    Since its last update was a year ago… does this mean that what I am asking is not implemented yet?
    Any news in this direction?

    thanks



  • Hi again

    @alexxtasi:

    • compile Radiusplugin in FreeBSD and use it in pfSense (if success)

    • configure my Radius in pfSense, but use it in openvpn configuration for accounting only and along with ldap backend (for auth as already working)

    /usr/ports/security/openvpn-auth-radius/
    

    2- I did the following:

    ```
    cd /usr/ports/security/openvpn-auth-radius/
    make
    make install
    ```

    and when prompted I selected both _PW_SAVE_ and _PKCS11_ (I really can't remember what the prompt was about :-[)
    
    3- when the error appeared:

    ```
    => pkcs11-helper-1.09.tar.bz2 doesn't seem to exist in /usr/ports/distfiles/.
    => Attempting to fetch http://www.opensc-project.org/files/pkcs11-helper/pkcs11-helper-1.09.tar.bz2
    fetch: http://www.opensc-project.org/files/pkcs11-helper/pkcs11-helper-1.09.tar.bz2: Moved Temporarily
    => Attempting to fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/distfiles/pkcs11-helper-1.09.tar.bz2
    fetch: ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/distfiles/pkcs11-helper-1.09.tar.bz2: File unavailable (e.g., file not found, no access)
    => Couldn't fetch it - please try to retrieve this
    => port manually into /usr/ports/distfiles/ and try again.
    *** Error code 1
    ```

    I downloaded pkcs11-helper-1.09.tar.bz2 manually using:

    ```
    cd /usr/ports/distfiles/
    wget http://distcache.freebsd.org/ports-distfiles/pkcs11-helper-1.09.tar.bz2
    ```

    4- did step 2 again (using "make clean" first) and the compilation ended with:

    ```
    ===>  Registering installation for openvpn-auth-radius-2.1
    ```

    Also the desired files "radiusplugin.so" and "radiusplugin.cnf" were located in "/usr/ports/security/openvpn-auth-radius/work/radiusplugin/"
    
    5- I copied the following files from the FreeBSD machine to my pfSense:

    ```
    /usr/local/lib/libgcrypt.so.18
    /usr/local/lib/libgpg-error.so.0
    /root/openvpn/radius/radiusplugin.so
    /root/openvpn/radius/radiusplugin.cnf
    ```

    (when I put radiusplugin.so and radiusplugin.cnf in /var/etc/openvpn they were deleted on reboot, so since I didn't know where their proper location should be - newbie here - I put them in /root/openvpn/radius)

    6- at last the command (on pfSense) "ldd openvpn/radius/radiusplugin.so" outputs:

    ```
    openvpn/radius/radiusplugin.so:
    libgcrypt.so.18 => /usr/local/lib/libgcrypt.so.18 (0x28300000)
    libgpg-error.so.0 => /usr/local/lib/libgpg-error.so.0 (0x281f8000)
    libstdc++.so.6 => /usr/lib/libstdc++.so.6 (0x2837d000)
    libthr.so.3 => /lib/libthr.so.3 (0x28470000)
    libm.so.5 => /lib/libm.so.5 (0x28485000)
    libgcc_s.so.1 => /lib/libgcc_s.so.1 (0x2849f000)
    libc.so.7 => /lib/libc.so.7 (0x28099000)
    libintl.so.9 => /usr/local/lib/libintl.so.9 (0x284aa000)
    libiconv.so.3 => /usr/local/lib/libiconv.so.3 (0x284b3000)
    ```

    the same as in FreeBSD… which made me think the compilation and move to pfSense was correct...
    
    7- I configured my openvpn config by adding:

    ```
    plugin /root/openvpn/radius/radiusplugin.so /root/openvpn/radius/radiusplugin.cnf;
    ```

    in the "Advanced configuration" area, after first editing the radiusplugin.cnf file properly.

    Doing some tests I found :

    • good news…. the radius server gets accounting info from pfSense's openvpn !!

    • bad news…... the radius server does not get "traffic info" (bits that the user downloads or uploads)

    • bad news…... openvpn instance hangs after a while... !!!

    I will double check if there is any misconfiguration in .cnf or elsewhere, do some tests and report again.
    If there are any mistakes in the above… please let me know.

    regards



  • Here again….
    @alexxtasi:

    • bad news…... the radius server does not get "traffic info" (bits that the user downloads or uploads)

    This was solved by setting a status file in the openvpn settings. In the "Advanced configuration":

    ```
    status /var/etc/openvpn/server1.status.log 1;
    plugin /root/openvpn/radius/radiusplugin.so /root/openvpn/radius/radiusplugin.cnf;
    ```

    Since pfSense has its own method to display openvpn's traffic (in "Status > OpenVPN"), status.log must be created so radiusplugin can read traffic info from it…

    ====================================

    @alexxtasi:

    • bad news…... openvpn instance hangs after a while... !!!

    for this issue I found the following:

    in openvpn config there is "keepalive 10 60" which in 60 minutes "reconnects the user" (correct me on this…)
    After this "reconnection" happens (which fails because of a plugin providing two-factor authentication), or after the user reconnects himself, there is a

    ```
    [error] Unable to contact daemon Service not running? 0 0 0
    ```

    Sometimes the web interface does not respond and even after a machine reboot, the openvpn log says:

    ```
    Aug  1 13:03:56 pfsense openvpn[45317]: TCP/UDP: Socket bind failed on local address [AF_INET]pfsense_ip:port: Address already in use
    Aug  1 13:03:56 pfsense openvpn[45317]: Exiting due to fatal error
    ```

    Any suggestions on this?
    
    thanks
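The status file enabled in the reply above is the only place an accounting plugin can read per-client byte counters from, because OpenVPN does not hand traffic totals to plugins directly. As an added example (not part of the original thread and not radiusplugin's own code), here is a small Python reader for OpenVPN's default version-1 status layout that extracts the counters an accounting plugin would map to Acct-Input-Octets / Acct-Output-Octets, plus a delta routine that copes with the counter reset a client reconnect causes. The status text below is constructed for the example; SAMPLE_STATUS, parse_status_v1 and accounting_delta are names chosen here, not anything from OpenVPN or the plugin.

```python
import csv
from io import StringIO

# Constructed sample of an OpenVPN status file in the default (version 1)
# layout. Names, addresses, timestamps and byte counts are made up.
SAMPLE_STATUS = """OpenVPN CLIENT LIST
Updated,Tue Aug  5 17:00:00 2014
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
alice,203.0.113.10:51234,123456,654321,Tue Aug  5 16:00:00 2014
bob,198.51.100.7:40001,1024,2048,Tue Aug  5 16:30:00 2014
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.8.0.6,alice,203.0.113.10:51234,Tue Aug  5 16:59:58 2014
10.8.0.10,bob,198.51.100.7:40001,Tue Aug  5 16:59:59 2014
GLOBAL STATS
Max bcast/mcast queue length,0
END
"""

SECTION_HEADERS = ("OpenVPN CLIENT LIST", "ROUTING TABLE", "GLOBAL STATS", "END")


def parse_status_v1(text):
    """Return {common_name: {...}} for every client in a version-1 status file.

    Only the CLIENT LIST section carries byte counters. The ROUTING TABLE is
    used to attach the tunnel address (useful as Framed-IP-Address in
    accounting records).
    """
    clients = {}
    section = None
    for row in csv.reader(StringIO(text)):
        if not row:
            continue
        head = row[0]
        if head in SECTION_HEADERS:
            section = head
            continue
        if section == "OpenVPN CLIENT LIST":
            if head in ("Updated", "Common Name"):
                continue  # timestamp line and column header
            name, real_addr, rx, tx, since = row
            clients[name] = {
                "real_address": real_addr,
                # "Bytes Received" is what the server received from the client,
                # i.e. RFC 2866 Acct-Input-Octets; "Bytes Sent" is Acct-Output-Octets.
                "bytes_received": int(rx),
                "bytes_sent": int(tx),
                "connected_since": since,
                "virtual_address": None,
            }
        elif section == "ROUTING TABLE":
            if head == "Virtual Address":
                continue  # column header
            vaddr, name, _real, _last = row
            if name in clients:
                clients[name]["virtual_address"] = vaddr
    return clients


def accounting_delta(previous, current):
    """Per-client byte deltas between two snapshots from parse_status_v1().

    Counters restart from zero when a client reconnects, so a counter that
    went backwards means a new session: the delta is then the new absolute
    value rather than a negative number.
    """
    deltas = {}
    for name, now in current.items():
        before = previous.get(name, {"bytes_received": 0, "bytes_sent": 0})
        rx = now["bytes_received"] - before["bytes_received"]
        tx = now["bytes_sent"] - before["bytes_sent"]
        if rx < 0 or tx < 0:
            rx, tx = now["bytes_received"], now["bytes_sent"]
        deltas[name] = {"bytes_received": rx, "bytes_sent": tx}
    return deltas


if __name__ == "__main__":
    for name, info in parse_status_v1(SAMPLE_STATUS).items():
        print(name, info["virtual_address"], info["bytes_received"], info["bytes_sent"])
```

The `status ... 1` directive in the reply above rewrites this file every second, so a reader polling it sees the counters grow within a session and reset on reconnect; the delta routine is what turns those raw counters into the per-interval usage an accounting record carries.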


  • Hi
    I found that when running the openvpn instance without the radiusplugin as I used to, the processes are:

    ```
    root  17354  0.0  0.9  5476  4384  ??  Ss  11:05AM  0:13.15 /usr/local/sbin/openvpn --config /var/etc/openvpn/server1.conf
    root  15084  0.0  1.0  6520  4860  v0- I    11:05AM  0:00.58 /usr/local/sbin/openvpn --config /var/etc/openvpn/server1.conf
    root  25148  0.0  0.2  3468  1244  0  S+    1:47PM  0:00.02 grep openvpn
    root  13539  0.0  0.2  2020  900  1  S+  11:11AM  0:04.36 clog -f /var/log/openvpn.log
    ```

    when I enable the radiusplugin in configuration, the server starts and:

    ```
    ps aux | grep openvpn
    root   23718  0.0  1.1  8432  5328  ??  I     4:06PM   0:00.00 /usr/local/sbin/openvpn --config /var/etc/openvpn/server1.conf
    root   23916  0.0  1.1  8432  5324  ??  S     4:06PM   0:00.23 /usr/local/sbin/openvpn --config /var/etc/openvpn/server1.conf
    root   24904  0.0  1.2 10608  6264  ??  Is    4:06PM   0:00.45 /usr/local/sbin/openvpn --config /var/etc/openvpn/server1.conf
    root   13539  0.0  0.2  2020   900   1  S+   11:11AM   0:09.42 clog -f /var/log/openvpn.log
    ```

    in both cases there is one pid file:

    ```
    cat /var/run/openvpn_server1.pid
    24904
    ```

    (in the first case the pid was 17354 or 15084, can't remember…)

    Problems start when, in the second (radiusplugin) case, the user reconnects (client reconnects due to keepalive directive - haven't tested administrator dropping user's connection from GUI or user reconnection)...
    Three things happen:

    1- processes are:

    ```
    ps aux | grep openvpn
    root    4120  0.0  0.2  1812  796  ??  IN    5:08PM  0:00.00 nc -U /var/etc/openvpn/server1.sock
    root  23718  0.0  1.1  8432  5328  ??  I    4:06PM  0:00.00 /usr/local/sbin/openvpn --config /var/etc/openvpn/server1.conf
    root  23916  0.0  1.1  8432  5324  ??  S    4:06PM  0:00.36 /usr/local/sbin/openvpn --config /var/etc/openvpn/server1.conf
    root  24904  0.0  1.3 10608  6428  ??  Is    4:06PM  0:00.70 /usr/local/sbin/openvpn --config /var/etc/openvpn/server1.conf
    root  13539  0.0  0.2  2020  900  1  S+  11:11AM  0:10.12 clog -f /var/log/openvpn.log
    ```

    2- the gui (Status > OpenVPN) says:

    ```
    [error] Unable to contact daemon Service not running? 0 0 0
    ```

    3- /var/log/openvpn.log file shows nothing! (remains at the last log - successful login…)
    
    Trying to restart the openvpn service, it fails with:

    ```
    Aug 5 17:18:47 	openvpn[27542]: OpenVPN 2.3.2 i386-portbld-freebsd8.3 [SSL (OpenSSL)] [LZO] [eurephia] [MH] [IPv6] built on Mar 27 2014
    Aug 5 17:18:47 	openvpn[27542]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Aug 5 17:18:47 	openvpn[27542]: WARNING: POTENTIALLY DANGEROUS OPTION --client-cert-not-required may accept clients which do not present a certificate
    Aug 5 17:18:47 	openvpn[27542]: Control Channel Authentication: using '/var/etc/openvpn/server1.tls-auth' as a OpenVPN static key file
    Aug 5 17:18:47 	openvpn[27542]: TCP/UDP: Socket bind failed on local address [AF_INET]server_ip:5001: Address already in use
    Aug 5 17:18:47 	openvpn[27542]: Exiting due to fatal error
    ```

    and in processes there is:

    ```
    root    4120  0.0  0.2  1812  796  ??  IN    5:08PM  0:00.00 nc -U /var/etc/openvpn/server1.sock
    root  23140  0.0  1.1  8432  5424  ??  I    5:18PM  0:00.00 /usr/local/sbin/openvpn --config /var/etc/openvpn/server1.conf
    root  23718  0.0  1.1  8432  5328  ??  I    4:06PM  0:00.00 /usr/local/sbin/openvpn --config /var/etc/openvpn/server1.conf
    root  23916  0.0  1.1  8432  5324  ??  S    4:06PM  0:00.45 /usr/local/sbin/openvpn --config /var/etc/openvpn/server1.conf
    root  24904  0.0  1.3 10608  6428  ??  Is    4:06PM  0:00.70 /usr/local/sbin/openvpn --config /var/etc/openvpn/server1.conf
    root  27676  0.0  1.1  8432  5476  ??  I    5:18PM  0:00.00 /usr/local/sbin/openvpn --config /var/etc/openvpn/server1.conf
    root  35518  0.0  0.1  1796  700  0  R+    5:21PM  0:00.00 grep openvpn
    root  18917  0.0  0.3  2020  1276  1  S+    5:16PM  0:00.26 clog -f /var/log/openvpn.log
    ```

    Any explanation on this?
    Is it a radiusplugin problem or OpenVPN in general?
    
    thank you
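The last listing above shows two generations of openvpn processes for the same --config file (started 4:06PM and 5:18PM) coexisting while the pid file names only one of them, which is consistent with the "Address already in use" bind failure: whatever the pid file does not cover, a GUI restart cannot stop. As an added example (not from the thread, not pfSense code), this Python check parses BSD `ps aux` output, groups the instance's processes by start time, and reports the processes the pid file does not account for, together with any `nc -U` client still hanging on the management socket. The ps text is constructed for the example after the thread's listings; parse_ps_aux and diagnose_instance are names chosen here. A plugin may legitimately fork helper processes (the thread's own listing shows three openvpn processes with radiusplugin loaded), so several processes sharing one start time are expected; a second start time is what indicates a leftover.

```python
# Constructed BSD `ps aux` output modelled on the listings in this thread
# (PIDs, times and sizes are made up). Column order:
# USER PID %CPU %MEM VSZ RSS TT STAT STARTED TIME COMMAND
SAMPLE_PS = """\
USER    PID %CPU %MEM   VSZ  RSS TT  STAT STARTED    TIME COMMAND
root   4120  0.0  0.2  1812  796 ??  IN    5:08PM 0:00.00 nc -U /var/etc/openvpn/server1.sock
root  23140  0.0  1.1  8432 5424 ??  I     5:18PM 0:00.00 /usr/local/sbin/openvpn --config /var/etc/openvpn/server1.conf
root  23718  0.0  1.1  8432 5328 ??  I     4:06PM 0:00.00 /usr/local/sbin/openvpn --config /var/etc/openvpn/server1.conf
root  23916  0.0  1.1  8432 5324 ??  S     4:06PM 0:00.45 /usr/local/sbin/openvpn --config /var/etc/openvpn/server1.conf
root  24904  0.0  1.3 10608 6428 ??  Is    4:06PM 0:00.70 /usr/local/sbin/openvpn --config /var/etc/openvpn/server1.conf
root  27676  0.0  1.1  8432 5476 ??  I     5:18PM 0:00.00 /usr/local/sbin/openvpn --config /var/etc/openvpn/server1.conf
root  18917  0.0  0.3  2020 1276  1  S+   5:16PM 0:00.26 clog -f /var/log/openvpn.log
"""


def parse_ps_aux(text):
    """Parse BSD-style `ps aux` output; COMMAND keeps its internal spaces."""
    procs = []
    for line in text.splitlines()[1:]:  # skip the header row
        parts = line.split(None, 10)    # 10 fixed columns, then the command
        if len(parts) < 11:
            continue
        procs.append({
            "pid": int(parts[1]),
            "stat": parts[7],
            "started": parts[8],
            "command": parts[10],
        })
    return procs


def diagnose_instance(ps_text, config_path, pidfile_pid, sock_path):
    """Group one OpenVPN instance's processes by start time and compare
    them with the pid recorded in its pid file.

    Returns a dict with:
      generations          {started: [pids]} for processes using config_path
      pidfile_alive        whether pidfile_pid is among them
      untracked_pids       pids from generations the pid file does not cover
      stuck_socket_clients pids of `nc -U <sock_path>` clients still around
    """
    procs = parse_ps_aux(ps_text)
    generations = {}
    for p in procs:
        if "--config " + config_path in p["command"]:
            generations.setdefault(p["started"], []).append(p["pid"])
    generations = {start: sorted(pids) for start, pids in generations.items()}

    # The generation containing the pid-file pid is the one the system knows
    # about; every other generation is a leftover it cannot stop or restart.
    tracked = {start for start, pids in generations.items() if pidfile_pid in pids}
    untracked = sorted(pid for start, pids in generations.items()
                       if start not in tracked for pid in pids)
    stuck = sorted(p["pid"] for p in procs if p["command"] == "nc -U " + sock_path)
    return {
        "generations": generations,
        "pidfile_alive": bool(tracked),
        "untracked_pids": untracked,
        "stuck_socket_clients": stuck,
    }


if __name__ == "__main__":
    report = diagnose_instance(SAMPLE_PS, "/var/etc/openvpn/server1.conf",
                               24904, "/var/etc/openvpn/server1.sock")
    for key, value in report.items():
        print(f"{key}: {value}")
```

On a live box the ps text comes from `ps aux` and the pid from `cat /var/run/openvpn_server1.pid`, as in the post above; a non-empty `untracked_pids` list before attempting a restart explains the bind failure, and a lingering `nc -U` client is the GUI's management-socket query that never got an answer.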


  • @alexxtasi said in Using Radius for accounting only, Ldap for authentication (using Radiusplugin ?):

    it a radiusplugin problem of openvpn in general ?

    thank you

    @alexxtasi,

    You forgot to reply to yourself and tell us that you have fixed this crash :)