(SOLVED) PAP Radius authentication fails

JimDandy
OpenVpn Newbie
Posts: 3
Joined: Mon Oct 23, 2017 3:16 pm

(SOLVED) PAP Radius authentication fails

Post by JimDandy » Mon Oct 23, 2017 3:28 pm

Hi guys.

I'm pretty new to this, so please be patient with me.

I have set up a working Openvpn Access server. Does AD as expected. However, I was told to implement Multifactor Authentication, specifically token time-based OTP.

Using RCDevs prebuilt, I was able to get the OpenOTP server configured up and running, Radius installed, configured and tested with radtest. AD password sent, received the OTP challenge and token on mobile. Authenticated successfully.

On the AS, I changed the authentication to RADIUS using PAP. Entered in the Shared Key. All appears to have gone successfully. I proceed to load the https://IPofAS and log in as an existing user in AD which I successfully tested on the RADIUS server. Authentication fails (this is from the RADIUS server running in debug mode):

(1) Received Access-Request Id 253 from 10.1.20.99:48424 to 10.1.20.89:1812 length 72
(1) NAS-Identifier = "OpenVPN.hackvpn01"
(1) User-Name = "testotp"
(1) User-Password = "\007ݯD\026\301o[(\026\271n\371\363\260\270"
(1) Service-Type = Authenticate-Only
(1) # Executing section authorize from file /opt/radiusd/conf/radiusd.conf
(1) authorize {
(1) eap: No EAP-Message, not doing EAP
(1) [eap] = noop
(1) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type
(1) pap: WARNING: Authentication will fail unless a "known good" password is available
(1) [pap] = noop
rlm_openotp: Invalid "User-Password" attribute (bad format or wrong RADIUS secret)
(1) [openotp] = invalid
(1) } # authorize = invalid
(1) Invalid user: [testotp] (from client any port 0)
(1) Using Post-Auth-Type Reject
(1) Post-Auth-Type sub-section not found. Ignoring.
(1) Login incorrect: [testotp] (from client any port 0)
(1) Sent Access-Reject Id 253 from 10.1.20.89:1812 to 10.1.20.99:48424 length 0
(1) Finished request

All the end user sees in the OpenVPN's site is a spinning wheel and eventually a failure.

Question, is the password sent from the AS server somehow being hashed? I thought PAP was supposed to be clear text?

Humble thanks. I'll be monitoring to provide additional info. I need some help. ;)

Edit:

Silly error. I neglected to uncomment and edit the following information. /opt/radiusd/conf/clients.conf on the OpenOTP/MFA/Radius server:

shortname = HostNameofOpenVPNserver

FIXED!!!!!!
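An added example (not from the post above, and not OpenVPN or RCDevs code) illustrating the question raised in the thread: PAP does send the password in the clear in the sense that the NAS never hashes it, but RFC 2865 section 5.2 still hides the User-Password attribute on the wire by XORing it with an MD5 keystream derived from the shared secret and the Request Authenticator. The RADIUS server decodes it with the secret it has configured for that client in clients.conf; if the NAS is not matched to the right entry, the decode yields bytes like the ones in the debug log, which is exactly what rlm_openotp's "bad format or wrong RADIUS secret" message refers to. The secrets, addresses-to-secret dictionary and `looks_like_cleartext` heuristic are constructed for this example, and `server_decode` is a simplified stand-in for the client lookup FreeRADIUS performs, not its actual code.

```python
"""
Added example: RFC 2865 section 5.2 User-Password hiding for PAP, and why a
shared-secret mismatch between the NAS (OpenVPN AS) and the RADIUS server
decodes to garbage. Not code from the forum post, OpenVPN or RCDevs.
"""
import hashlib
import os
import string

BLOCK = 16  # MD5 digest length; User-Password is hidden in 16-byte blocks


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """NAS side: XOR the null-padded password with an MD5 keystream.

    b1 = MD5(secret + RequestAuthenticator), c1 = p1 XOR b1
    bi = MD5(secret + c(i-1)),              ci = pi XOR bi
    """
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if len(password) > 128:
        raise ValueError("RFC 2865 limits User-Password to 128 octets")
    padded = password + b"\x00" * (-len(password) % BLOCK)
    if not padded:  # an empty password still occupies one block
        padded = b"\x00" * BLOCK
    hidden = b""
    prev = authenticator
    for i in range(0, len(padded), BLOCK):
        keystream = hashlib.md5(secret + prev).digest()
        chunk = bytes(p ^ k for p, k in zip(padded[i:i + BLOCK], keystream))
        hidden += chunk
        prev = chunk  # the ciphertext block chains into the next keystream
    return hidden


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: regenerate the keystream from the secret *it* has configured."""
    if not hidden or len(hidden) % BLOCK:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 bytes")
    out = b""
    prev = authenticator
    for i in range(0, len(hidden), BLOCK):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + BLOCK], keystream))
        prev = hidden[i:i + BLOCK]
    return out.rstrip(b"\x00")  # strip the null padding added by the NAS


def looks_like_cleartext(password: bytes) -> bool:
    """Constructed heuristic: a real PAP password decodes to printable text.
    Garbage here almost always means the wrong secret for this client.
    (Assumption: this mirrors the spirit of rlm_openotp's message, not its code.)"""
    printable = string.printable.encode()
    return bool(password) and all(b in printable for b in password)


def server_decode(packet_src_ip: str, hidden: bytes, authenticator: bytes, clients: dict):
    """Simplified stand-in for the clients.conf lookup: find the secret for the
    NAS address, decode, and report whether the result is plausible.
    Returns (ok, decoded_or_None)."""
    secret = clients.get(packet_src_ip)
    if secret is None:
        return False, None  # unknown client: no secret, nothing to decode with
    decoded = reveal_password(hidden, secret, authenticator)
    return looks_like_cleartext(decoded), decoded


if __name__ == "__main__":
    # Constructed sample values; the NAS address matches the debug log in the post.
    nas_secret = b"correct-horse-battery"
    authenticator = os.urandom(16)  # random per Access-Request, sent in the packet header
    hidden = hide_password(b"Passw0rd!", nas_secret, authenticator)

    good_clients = {"10.1.20.99": nas_secret}        # clients.conf entry matches the AS
    bad_clients = {"10.1.20.99": b"testing123"}      # default/placeholder secret left in place
    print("matching secret:", server_decode("10.1.20.99", hidden, authenticator, good_clients))
    print("wrong secret:   ", server_decode("10.1.20.99", hidden, authenticator, bad_clients))
```

Running the block shows the same password decoding cleanly with the matching secret and turning into unprintable bytes with the wrong one; the fix described in the post (a clients.conf entry whose secret matches the Shared Key entered on the Access Server) is what moves a deployment from the second case to the first.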
