OpenVPN reauthenticating and two-factor


  • LAYER 8 Netgate

    I just added Duo two-factor authentication to my RADIUS server I'm using for OpenVPN.  I am periodically being prompted to  reauthenticate.  I thought this would fix it:

    push "reneg-sec 0";
    reneg-sec 43200;

    But I just got prompted to reauthenticate but the "openvpn[5105]: TLS: tls_process: killed expiring key" message wasn't logged.

    Still gathering data but I thought I'd get the thread started in case anyone has any clues.  I'd like to take it to 12 hours or so between reauthentications.


  • LAYER 8 Netgate

    I'm thinking that reneg-sec might not be pushable.  Testing again with reneg-sec 0 in Viscosity and reneg-sec 43200 in the server.



  • I am attempting to get phone factor two factor auth working, and since you have Duo working I thought maybe you might have fixed the issue I think I'm having -
    basic setup is username/password only connection on the server, with a RADIUS server configured and verified working.  THe RADIUS server has the phone factor pluggin that calls the end user.  As soon as the end user hits a key to authenticate, the OpenVPN client syas that auth failed and asks for username and password again.

    I'm thinking it may be a timeout issue - I know I've run into timeout issues with Duo before.  Did you have to make any changes to the client to force it to wait for the Duo auth to finish, and if so what?  Thanks!


  • LAYER 8 Netgate

    No.  I just set the radius timeout to 60 seconds and set the reneg-sec in the clients.  Been working great ever since.  I put up a small ubuntu VM with the duo proxy on it and it proxies to RADIUS on my OS X server where all my account info actually lives.

    Note that you can test all this in Diagnostics > Authentication.

    It sounds like, for some reason, your RADIUS server is replying with Access-Reject.  You might consider installing freeradius somewhere so you can get the radtest CLI utility.  Add that test system as a RADIUS client and use it so you can see exactly what's happening.

    My guess is your problem lies in your directory.  User probably needs to be put in the right group or OU or something.  Try Dialup Users I think.  Check the logs on the RADIUS server.



  • Thanks for all the advise.  Sadly, I don't have access to the customer's RADIUS server directly, although they have forwarded me a log of a "failed" connection.

    We did a packet capture, and this is what we see returning from the radius server in the data portion of the packet:

    Authentication in progress. Please perform the additional authentication steps. Once complete, enter your password again and then click the "OK" button..
    

    That is in a packet that Wireshark is telling me is a RADIUS Access-Challenge packet. I see this happen twice before the authentication fails.

    Here is what was in the logs when the user tried to VPN in through pfsense that WASN'T in the logs when they used AnyConnect:

    2015-03-13T20:49:15.582762Z|w|2884|2940|pfrad|Couldn't find pending token auth for state attr 53615161309F54474167062E744322D8C4AF5234.  passing to normal auth.
    2015-03-13T20:49:23.583172Z|w|2884|2940|pfrad|Timeout expired waiting for response from radius servers for client 172.16.2.2, id 42
    2015-03-13T20:50:15.710840Z|0|2884|2940|prfad|Event 3.
    2015-03-13T20:50:15.710840Z|0|2884|2940|prfad|Sock 0x00000000000000E8
    2015-03-13T20:50:15.710840Z|0|2884|2940|pfrad|Code 1 - ACCESS_REQUEST.
    

    I ahven't been able to draw anything from either of those two results yet.



  • Ah ha.  The additional data I see being returned to me is because the Azure Multi-Factor Authentication server is NOT backended by Active Directory directly, but through a Network Policy Server running RADIUS - and returning client options that the OpenVPN client doesn't accept, apparently.  I started another thread on how to setup 2 factor using Azure MFA and OpenVPN using the results I've found troubleshooting this week.  Thanks for you response!


Log in to reply