OpenVPN + pam_auth_radius + Windows 2008 Radius Server
I'm running the following, Centos 5.7 openVPN 2.2.1 pam_radius 1.3.17 I've installed the /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so into this directory /usr/share/openvpn/plugin/lib. Here are the contents of my pam_radius_auth file auth sufficient /lib/security/pam_radius_auth.so debug account sufficient /lib/security/pam_radius_auth.so I installed the pam_radius_auth.so module into /lib/security. Next I used the same configuration file for openvpn server, but added these lines to the bottom and changed it from "dev tun" to "dev tap" plugin /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so openvpn client-cert-not-required username-as-common-name for the openvpn client, I added the line "auth-user-pass" Next, I set up the radius server to accept the ip address of the openvpn server. Finally, I tried connecting with the client and I keep getting this error message. Here's the output of the openvpn logs that I get: AUTH-PAM: BACKGROUND: user 'myuser' failed to authenticate: Permission denied Tue Nov 22 14:26:21 2011 {MYRADIUS_IP}:61645 PLUGIN_CALL: POST /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1 Tue Nov 22 14:26:21 2011 {MYRADIUS_IP}:61645 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so Tue Nov 22 14:26:21 2011 {MYRADIUS_IP}:61645 TLS Auth Error: Auth Username/Password verification failed for peer Tue Nov 22 14:26:21 2011 {MYRADIUS_IP}:61645 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA Tue Nov 22 14:26:21 2011 {MYRADIUS_IP}:61645 [] Peer Connection Initiated with {MYRADIUS_IP}:61645 Tue Nov 22 14:26:22 2011 {MYRADIUS_IP}:61645 PUSH: Received control message: 'PUSH_REQUEST' Tue Nov 22 14:26:22 2011 {MYRADIUS_IP}:61645 Delayed exit in 5 seconds Tue Nov 22 14:26:22 2011 {MYRADIUS_IP}:61645 SENT CONTROL [UNDEF]: 'AUTH_FAILED' (status=1) Tue Nov 22 14:26:24 2011 read UDPv4 [ECONNREFUSED]: Connection refused (code=111) Tue Nov 22 14:26:27 2011 {MYRADIUS_IP}:61645 SIGTERM[soft,delayed-exit] received, client-instance exiting On the windows radius client, I only get this in the tracing logs: [5624] 11-22 14:26:21:280: IAS extension host returned responseType=2, reasonCode=21 [5624] 11-22 14:26:21:280: No AUTHORIZATION extensions, continuing Any ideas on what I'm missing? (and yes, I have googled it!)
On Wed, Nov 23, 2011 at 4:38 AM, Nate <openvpn@aivector.com> wrote:
I'm running the following, Centos 5.7 openVPN 2.2.1 pam_radius 1.3.17
I've installed the /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so into
What are you trying to achive? If you simply want to authenticate openvpn users using radius, no need to involve pam at all. See http://www.nongnu.org/radiusplugin/ In any case, openvpn-related integration issues is better suited on openvpn list/forum. This list is more suitable for problems related to freeradius (hint: if you haven't had the need to run FR in debug mode then most likely it's not FR problem). -- Fajar
"In any case, openvpn-related integration issues is better suited on
openvpn list/forum. This list is more suitable for problems related to freeradius (hint: if you haven't had the need to run FR in debug mode then most likely it's not FR problem)."
Funny thing, they just sent me here lol "If you simply want to authenticate openvpn users using radius, no need
to involve pam at all. See http://www.nongnu.org/radiusplugin/"
Thanks, I've tried the radiusplugin. Maybe I'll install it again. I didn't have much luck with that either. I appreciate the help though. My guess is at this point we have a radius server problem, but our cisco devices don't have any problems connecting to it, which is why I came to this forum. On Nov 22, 2011, at 8:43 PM, Fajar A. Nugraha wrote:
On Wed, Nov 23, 2011 at 4:38 AM, Nate <openvpn@aivector.com> wrote:
I'm running the following, Centos 5.7 openVPN 2.2.1 pam_radius 1.3.17
I've installed the /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so into
What are you trying to achive?
If you simply want to authenticate openvpn users using radius, no need to involve pam at all. See http://www.nongnu.org/radiusplugin/
In any case, openvpn-related integration issues is better suited on openvpn list/forum. This list is more suitable for problems related to freeradius (hint: if you haven't had the need to run FR in debug mode then most likely it's not FR problem).
-- Fajar - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Wed, Nov 23, 2011 at 12:40 PM, Nate <openvpn@aivector.com> wrote:
"In any case, openvpn-related integration issues is better suited on
openvpn list/forum. This list is more suitable for problems related to freeradius (hint: if you haven't had the need to run FR in debug mode then most likely it's not FR problem)."
Funny thing, they just sent me here lol
Well, at this point looking from Tue Nov 22 14:26:21 2011 {MYRADIUS_IP}:61645 TLS Auth Error: Auth Username/Password verification failed for peer the best guess I can give you is incorrrect user/pass. Why? Well, to answer that we need to look at FR debug log. Which you didn't send. Without that, your guess is as good as mine.
"If you simply want to authenticate openvpn users using radius, no need
to involve pam at all. See http://www.nongnu.org/radiusplugin/"
Thanks, I've tried the radiusplugin. Maybe I'll install it again. I didn't have much luck with that either.
It works. I know, I tried it :)
I appreciate the help though. My guess is at this point we have a radius server problem, but our cisco devices don't have any problems connecting to it, which is why I came to this forum.
My guess is it's related to PAM. IIRC if the user doesn't exists in the system (i.e. /etc/passwd), pam will send garbage password to radius. Which is why I suggest using radiusplugin directly. And again, if you have FR-related problems, run it in debug mode and post the log here. -- Fajar
Thanks for the help. I think I just figured it out. My configuration is ok, and the radius server is ok. The problem is the component the radius server was communicating with. Thanks for the help as it did help me get to the correct solution. Thanks! On 11/22/2011 10:53 PM, Fajar A. Nugraha wrote:
On Wed, Nov 23, 2011 at 12:40 PM, Nate<openvpn@aivector.com> wrote:
"In any case, openvpn-related integration issues is better suited on
openvpn list/forum. This list is more suitable for problems related to freeradius (hint: if you haven't had the need to run FR in debug mode then most likely it's not FR problem)." Funny thing, they just sent me here lol Well, at this point looking from
Tue Nov 22 14:26:21 2011 {MYRADIUS_IP}:61645 TLS Auth Error: Auth Username/Password verification failed for peer
the best guess I can give you is incorrrect user/pass. Why? Well, to answer that we need to look at FR debug log. Which you didn't send. Without that, your guess is as good as mine.
"If you simply want to authenticate openvpn users using radius, no need
to involve pam at all. See http://www.nongnu.org/radiusplugin/" Thanks, I've tried the radiusplugin. Maybe I'll install it again. I didn't have much luck with that either. It works. I know, I tried it :)
I appreciate the help though. My guess is at this point we have a radius server problem, but our cisco devices don't have any problems connecting to it, which is why I came to this forum. My guess is it's related to PAM. IIRC if the user doesn't exists in the system (i.e. /etc/passwd), pam will send garbage password to radius. Which is why I suggest using radiusplugin directly.
And again, if you have FR-related problems, run it in debug mode and post the log here.
participants (2)
-
Fajar A. Nugraha -
Nate