Radius (MS-CHAP v2) auth exception?

looka
OpenVpn Newbie
Posts: 7
Joined: Thu Jun 07, 2018 5:41 am

Radius (MS-CHAP v2) auth exception?

Post by looka » Thu Jun 07, 2018 6:25 am

Hi all,

On authentication we are getting:


exception in AuthDelegateProplist: credential username must not be empty: internet/defer:102,auth/authdelegate:61,auth/authdelegate:240,util/delegate:26,auth/authrad:316,auth/authbase:53,auth/authbase:36,internet/base:1175,internet/base:779,omi/omibase:65,internet/defer:102,omi/omimulti:15,omi/omiauth:62,internet/defer:829,internet/defer:746,omi/auth:516,util/delegate:26,auth/authdelegate:308,util/delegate:26,auth/authdelegate:237,util/defer:224,util/defer:246,internet/defer:190,internet/defer:181,internet/defer:323,util/defer:246,internet/defer:190,internet/defer:181,internet/defer:323,util/defer:245,internet/defer:102,auth/authdelegate:61,auth/authdelegate:240,util/delegate:26,auth/authrad:316,auth/authbase:53,auth/authbase:36,util/error:61,util/error:44
VPN Auth Failed: u'exception in AuthDelegateProplist: credential username must not be empty 
Even though valid certificate is delivered with filled cn username:


VERIFY OK: nsCertType=CLIENT
VERIFY OK: depth=0, /CN=looka
peer info: IV_GUI_VER=net.openvpn.connect.ios_1.2.9-0
Relevant snippet of the mobileconfig on iOS:


                <key>VPN</key>
                <dict>
                        <key>AuthName</key>
                        <string>looka</string>
                        <key>AuthenticationMethod</key>
                        <string>Certificate</string>
                        <key>PayloadCertificateUUID</key>
                        <string>e842d5e9-bd51-4e96-adab-9dd63261d81b</string>
                        <key>RemoteAddress</key>
                        <string>DEFAULT</string>
                </dict>
                <key>VPNSubType</key>
                <string>net.openvpn.connect.app</string>
                <key>VPNType</key>
                <string>VPN</string>
                <key>VendorConfig</key>
                <dict>
                        <key>ca</key>
                        <string>-----BEGIN CERTIFICATE-----\n ... \n-----END CERTIFICATE-----</string>
                        <key>comp-lzo</key>
                        <string>adaptive</string>
                        <key>remote</key>
                        <string>openvpnas.domain.com 4433 tcp</string>
                        <key>vpn-on-demand</key>
                        <string>0</string>
                </dict>
What could be the problem?

We have tried setting external_pki.cn_username_requirement false.
We have tried forcing auth-user-pass-optional on both client and server.
We have tried disabling autologin.

novaflash
I should be on the dev team.
Posts: 679
Joined: Fri Apr 13, 2012 8:43 pm

Re: Radius (MS-CHAP v2) auth exception?

Post by novaflash » Thu Jun 07, 2018 6:56 pm

Is this by any chance on iOS 12?

looka
OpenVpn Newbie
Posts: 7
Joined: Thu Jun 07, 2018 5:41 am

Re: Radius (MS-CHAP v2) auth exception?

Post by looka » Fri Jun 08, 2018 4:22 am

No, 11.4 at the moment.
I'm pretty sure that the connection request and the user certificate are properly delivered.
It just seems that the RADIUS auth plugin (auth/authrad?) is unable to extract the username from the cert subject common name (cn=looka) and breaks, saying the username can't be empty.

novaflash
I should be on the dev team.
Posts: 679
Joined: Fri Apr 13, 2012 8:43 pm

Re: Radius (MS-CHAP v2) auth exception?

Post by novaflash » Fri Jun 08, 2018 8:19 am

Well, with the OpenVPN Access Server product, autologin is based on the CN of the certificate, but is not handled by RADIUS. Meaning, to obtain an autologin profile you use the web interface of the Access Server and you authenticate using RADIUS. Then you obtain an autologin profile that completely bypasses RADIUS authentication for VPN tunnel connections. Even if you now remove the RADIUS server, that autologin profile will still be able to connect.

But I suspect this is not what you are doing here now.

looka
OpenVpn Newbie
Posts: 7
Joined: Thu Jun 07, 2018 5:41 am

Re: Radius (MS-CHAP v2) auth exception?

Post by looka » Fri Jun 08, 2018 11:38 am

If I understood you correctly, you are proposing to generate an autologin profile (a separate p12?) based on the initial cert RADIUS authentication via the web and then use that? But the user would then need to manually 1) access OpenVPN via the web and log in with their cert and 2) install the newly generated ovpn/mobileconfig before their VPN would work?
We already have an external PKI, and this would basically mean maintaining a parallel PKI, which seems against the whole point of having a PKI. :)
E.g. how would those access permissions get revoked exactly?

We would like OpenVPN to authenticate those certificates via RADIUS on every VPN connect, not only on web interface access.
It's a shame it doesn't seem to be able to do that in those cases, since it clearly is already able to do that.
Also, end users would not be required to take any additional steps whatsoever.

looka
OpenVpn Newbie
Posts: 7
Joined: Thu Jun 07, 2018 5:41 am

Re: Radius (MS-CHAP v2) auth exception?

Post by looka » Sun Jun 10, 2018 6:07 pm

Ok, I guess I don't need RADIUS at all; authentication is done by the CA cert alone.
But you do need to specify a proper:


./confdba -mk external_pki.autologin_x509_spec -v "<X509 Attribute>,<optional flags>,<enabling substring in attribute value>"
to avoid the empty-username exception. :D
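To make the failure mode in this thread concrete, here is an added example (not code from the thread or from OpenVPN Access Server) that models how a spec of the form `<X509 Attribute>,<optional flags>,<enabling substring in attribute value>` could be evaluated against a client certificate subject as logged by OpenVPN (`/CN=looka`), and how a missing CN surfaces as "credential username must not be empty". The matching semantics, the treatment of flags and the function names are assumptions, not Access Server's actual implementation.

```python
"""Model of autologin decisions driven by an X.509 subject (constructed example).

Assumptions: the username is the subject CN; the spec's substring must occur in
the named attribute's value; the optional flags field is accepted but ignored.
"""
from dataclasses import dataclass


def parse_subject(subject: str) -> dict:
    """Parse an OpenVPN-log-style subject such as '/CN=looka/OU=vpn' into a dict."""
    attrs = {}
    for part in subject.strip("/").split("/"):
        if not part:
            continue
        key, _, value = part.partition("=")
        attrs[key.strip().upper()] = value.strip()
    return attrs


@dataclass(frozen=True)
class AutologinSpec:
    attribute: str   # which subject attribute to inspect, e.g. "OU"
    flags: str       # optional flags field, ignored in this model
    substring: str   # value that must appear in the attribute to enable autologin

    @classmethod
    def parse(cls, spec: str) -> "AutologinSpec":
        parts = spec.split(",", 2)
        if len(parts) != 3:
            raise ValueError("spec must be '<attribute>,<flags>,<substring>'")
        attribute, flags, substring = (p.strip() for p in parts)
        if not substring:
            raise ValueError("enabling substring must not be empty")
        return cls(attribute.upper(), flags, substring)

    def permits(self, attrs: dict) -> bool:
        return self.substring in attrs.get(self.attribute, "")


def resolve_autologin_user(subject: str, spec: AutologinSpec) -> str:
    """Return the username for an autologin connection, or raise as the server would."""
    attrs = parse_subject(subject)
    username = attrs.get("CN", "")
    if not username:
        # This is the condition behind the thread's exception message.
        raise ValueError("credential username must not be empty")
    if not spec.permits(attrs):
        raise PermissionError(f"{spec.attribute} does not enable autologin for {username}")
    return username
```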

novaflash
I should be on the dev team.
Posts: 679
Joined: Fri Apr 13, 2012 8:43 pm

Re: Radius (MS-CHAP v2) auth exception?

Post by novaflash » Sun Jun 10, 2018 6:24 pm

I'm guessing you saw that on this page?
https://docs.openvpn.net/configuration/ ... cture-pki/
