OpenVPN + pam_auth_radius + Windows 2008 Radius Server

Nate openvpn at aivector.com
Tue Nov 22 22:38:54 CET 2011


I'm running the following,
Centos 5.7
openVPN 2.2.1
pam_radius 1.3.17

I've installed the /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so 
into this directory /usr/share/openvpn/plugin/lib.

Here are the contents of my pam_radius_auth file
auth       sufficient   /lib/security/pam_radius_auth.so debug
account    sufficient    /lib/security/pam_radius_auth.so

I installed the pam_radius_auth.so module into /lib/security.

Next I used the same configuration file for the openvpn server, but added these lines to the bottom and changed it from "dev tun" to "dev tap":

plugin /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so openvpn
client-cert-not-required
username-as-common-name

For the openvpn client, I added the line "auth-user-pass".

Next, I set up the radius server to accept the ip address of the openvpn 
server.  Finally, I tried connecting with the client and I keep getting 
this error message.

Here's the output of the openvpn logs that I get:
AUTH-PAM: BACKGROUND: user 'myuser' failed to authenticate: Permission denied
Tue Nov 22 14:26:21 2011 {MYRADIUS_IP}:61645 PLUGIN_CALL: POST /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1
Tue Nov 22 14:26:21 2011 {MYRADIUS_IP}:61645 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so
Tue Nov 22 14:26:21 2011 {MYRADIUS_IP}:61645 TLS Auth Error: Auth Username/Password verification failed for peer
Tue Nov 22 14:26:21 2011 {MYRADIUS_IP}:61645 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA
Tue Nov 22 14:26:21 2011 {MYRADIUS_IP}:61645 [] Peer Connection Initiated with {MYRADIUS_IP}:61645
Tue Nov 22 14:26:22 2011 {MYRADIUS_IP}:61645 PUSH: Received control message: 'PUSH_REQUEST'
Tue Nov 22 14:26:22 2011 {MYRADIUS_IP}:61645 Delayed exit in 5 seconds
Tue Nov 22 14:26:22 2011 {MYRADIUS_IP}:61645 SENT CONTROL [UNDEF]: 'AUTH_FAILED' (status=1)
Tue Nov 22 14:26:24 2011 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
Tue Nov 22 14:26:27 2011 {MYRADIUS_IP}:61645 SIGTERM[soft,delayed-exit] received, client-instance exiting

On the Windows radius client, I only get this in the tracing logs:
[5624] 11-22 14:26:21:280: IAS extension host returned responseType=2, reasonCode=21
[5624] 11-22 14:26:21:280: No AUTHORIZATION extensions, continuing

Any ideas on what I'm missing?  (and yes, I have googled it!)
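A consistency check for the chain described in this post (OpenVPN plugin line, PAM service file, pam_radius module, RADIUS server list), as an added example that is not from the original message or from the OpenVPN/pam_radius projects. It assumes pam_radius_auth's default server list at /etc/raddb/server and the default PAM module directory /lib/security; the sample tree, its RADIUS address and its secret are constructed.

```shell
#!/bin/sh
# Added example: verify that an OpenVPN -> openvpn-auth-pam -> pam_radius_auth
# setup is internally consistent. Paths are arguments so it can be pointed at
# "/" on a real host or at a constructed test tree.

# Print the PAM service name passed to openvpn-auth-pam.so in an OpenVPN
# server config ("openvpn" in the post); prints nothing if no such line exists.
pam_service_name() {
    awk '$1 == "plugin" && $2 ~ /openvpn-auth-pam\.so$/ { print $3; exit }' "$1"
}

# Return 0 if every module named in a PAM service file exists under the root.
# $1 = root prefix, $2 = PAM service file, $3 = directory for bare module names.
pam_modules_present() {
    ok=0
    while read -r type control module rest; do
        case "$type" in ''|'#'*) continue ;; esac
        case "$module" in /*) path="$1$module" ;; *) path="$1$3/$module" ;; esac
        [ -f "$path" ] || { echo "missing PAM module: $module" >&2; ok=1; }
    done < "$2"
    return $ok
}

# Return 0 if the pam_radius server list has at least one "server secret" line.
radius_servers_configured() {
    awk '$1 !~ /^#/ && NF >= 2 { found = 1 } END { exit !found }' "$1"
}

# Chain the checks: plugin line -> /etc/pam.d/<service> -> modules -> server list.
check_chain() {
    root=$1; conf=$2
    svc=$(pam_service_name "$conf")
    [ -n "$svc" ] || { echo "no openvpn-auth-pam plugin line in $conf" >&2; return 1; }
    [ -f "$root/etc/pam.d/$svc" ] || { echo "missing $root/etc/pam.d/$svc" >&2; return 1; }
    pam_modules_present "$root" "$root/etc/pam.d/$svc" /lib/security || return 1
    radius_servers_configured "$root/etc/raddb/server"
}

# Constructed sample tree mirroring the post's layout; prints its path.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/etc/pam.d" "$d/etc/raddb" "$d/lib/security" "$d/etc/openvpn"
    printf 'dev tap\nplugin /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so openvpn\n' > "$d/etc/openvpn/server.conf"
    printf 'auth    sufficient /lib/security/pam_radius_auth.so debug\naccount sufficient /lib/security/pam_radius_auth.so\n' > "$d/etc/pam.d/openvpn"
    : > "$d/lib/security/pam_radius_auth.so"
    printf '# server[:port] secret timeout\n192.0.2.10 placeholder-secret 3\n' > "$d/etc/raddb/server"
    echo "$d"
}
```

Running `check_chain / /etc/openvpn/server.conf` on the host reports the first link that is missing; a service file stored under a name other than the plugin's argument, or an empty server list, fails the check.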
