
Radius (MS-CHAP v2) auth exception?

Posted: Thu Jun 07, 2018 6:25 am
by looka
Hi all,

On authentication we are getting:

Code:

exception in AuthDelegateProplist: credential username must not be empty: internet/defer:102,auth/authdelegate:61,auth/authdelegate:240,util/delegate:26,auth/authrad:316,auth/authbase:53,auth/authbase:36,internet/base:1175,internet/base:779,omi/omibase:65,internet/defer:102,omi/omimulti:15,omi/omiauth:62,internet/defer:829,internet/defer:746,omi/auth:516,util/delegate:26,auth/authdelegate:308,util/delegate:26,auth/authdelegate:237,util/defer:224,util/defer:246,internet/defer:190,internet/defer:181,internet/defer:323,util/defer:246,internet/defer:190,internet/defer:181,internet/defer:323,util/defer:245,internet/defer:102,auth/authdelegate:61,auth/authdelegate:240,util/delegate:26,auth/authrad:316,auth/authbase:53,auth/authbase:36,util/error:61,util/error:44
VPN Auth Failed: u'exception in AuthDelegateProplist: credential username must not be empty 
Even though a valid certificate is delivered with the CN username filled in:

Code:

VERIFY OK: nsCertType=CLIENT
VERIFY OK: depth=0, /CN=looka
peer info: IV_GUI_VER=net.openvpn.connect.ios_1.2.9-0

Relevant snippet of the mobileconfig on iOS:

Code:

                <key>VPN</key>
                <dict>
                        <key>AuthName</key>
                        <string>looka</string>
                        <key>AuthenticationMethod</key>
                        <string>Certificate</string>
                        <key>PayloadCertificateUUID</key>
                        <string>e842d5e9-bd51-4e96-adab-9dd63261d81b</string>
                        <key>RemoteAddress</key>
                        <string>DEFAULT</string>
                </dict>
                <key>VPNSubType</key>
                <string>net.openvpn.connect.app</string>
                <key>VPNType</key>
                <string>VPN</string>
                <key>VendorConfig</key>
                <dict>
                        <key>ca</key>
                        <string>-----BEGIN CERTIFICATE-----\n ... \n-----END CERTIFICATE-----</string>
                        <key>comp-lzo</key>
                        <string>adaptive</string>
                        <key>remote</key>
                        <string>openvpnas.domain.com 4433 tcp</string>
                        <key>vpn-on-demand</key>
                        <string>0</string>
                </dict>
What could be the problem?

We have tried setting external_pki.cn_username_requirement false.
We have tried forcing auth-user-pass-optional on both client and server.
We have tried disabling autologin.

Re: Radius (MS-CHAP v2) auth exception?

Posted: Thu Jun 07, 2018 6:56 pm
by novaflash
Is this by any chance on iOS 12?

Re: Radius (MS-CHAP v2) auth exception?

Posted: Fri Jun 08, 2018 4:22 am
by looka
No, 11.4 at the moment.
I'm pretty sure that request for connection and user certificate is properly delivered.
It just seems that radius auth plugin (auth/authrad?) is unable to extract username from cert subject common name (cn=looka) and breaks saying username can't be empty.

Re: Radius (MS-CHAP v2) auth exception?

Posted: Fri Jun 08, 2018 8:19 am
by novaflash
Well, with the OpenVPN Access Server product, autologin is based on the CN of the certificate, but is not handled by RADIUS. Meaning, to obtain an autologin profile you use the web interface of the Access Server and you authenticate using RADIUS. Then you obtain an autologin profile that completely bypasses RADIUS authentication for VPN tunnel connections. Even if you now remove the RADIUS server, that autologin profile will still be able to connect.

But I suspect this is not what you are doing here now.

Re: Radius (MS-CHAP v2) auth exception?

Posted: Fri Jun 08, 2018 11:38 am
by looka
If I understood you correctly, you are proposing to generate an autologin profile (separate p12?) based on an initial cert RADIUS authentication via the web and then use that? But the user would then need to manually 1) access OpenVPN via the web and log in with their cert and 2) install the newly generated ovpn/mobileconfig before their VPN would work?
We already have external PKI, and this would basically mean maintaining parallel PKI which seems against the whole point of having PKI. :)
E.g. how would those access permissions get revoked exactly?

We would like OpenVPN to authenticate those certificates via RADIUS on every VPN connect, not only on web interface access.
It's a shame it doesn't seem to be able to do that in those cases, since it clearly already is able to do that.
Also, end users would not be required to take any additional steps whatsoever.

Re: Radius (MS-CHAP v2) auth exception?

Posted: Sun Jun 10, 2018 6:07 pm
by looka
OK, I guess I don't need RADIUS at all; authentication is done by the CA cert alone.
But you do need to specify a proper:

Code:

./confdba -mk external_pki.autologin_x509_spec -v "<X509 Attribute>,<optional flags>,<enabling substring in attribute value>"
to avoid username empty exception. :D
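
Added illustration, not OpenVPN Access Server code and not posted by anyone in this thread: a small emulation of how a spec in the form `<X509 Attribute>,<optional flags>,<enabling substring in attribute value>` could be applied to the depth-0 subject that appears in the server's `VERIFY OK` log line, and why a certificate without a CN trips the "credential username must not be empty" check. The thread only gives the field layout of the spec; the matching rule used here (case-sensitive substring match on the named attribute), the example spec value `OU,,AUTOLOGIN`, the second sample subject and the decision to ignore the flags field are all assumptions made for the example. The log lines are constructed, modelled on the ones quoted above.

```python
"""Emulation (assumption, not OpenVPN AS code) of evaluating an
external_pki.autologin_x509_spec against a client certificate subject."""
import re

# Constructed log lines, modelled on the VERIFY OK lines quoted in the thread.
SAMPLE_LOG = """\
VERIFY OK: nsCertType=CLIENT
VERIFY OK: depth=1, /CN=Example CA
VERIFY OK: depth=0, /CN=looka/OU=AUTOLOGIN
peer info: IV_GUI_VER=net.openvpn.connect.ios_1.2.9-0
"""


def parse_subject(subject: str) -> dict:
    """Parse an OpenSSL one-line subject such as '/CN=looka/OU=AUTOLOGIN'
    into {attribute: [values]}; a repeated attribute keeps every value."""
    attrs = {}
    for part in subject.strip().split("/"):
        if not part:
            continue
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed subject component: {part!r}")
        attrs.setdefault(name.strip(), []).append(value)
    return attrs


def parse_spec(spec: str) -> tuple:
    """Split '<attr>,<flags>,<substring>' into its three fields.
    The flags field may be empty; attribute and substring may not."""
    fields = spec.split(",", 2)
    if len(fields) != 3:
        raise ValueError("spec needs exactly three comma-separated fields")
    attr, flags, needle = (f.strip() for f in fields)
    if not attr or not needle:
        raise ValueError("attribute and enabling substring must be non-empty")
    return attr, flags, needle


def depth0_subject(log_text: str) -> str:
    """Return the subject of the leaf (depth=0) certificate from VERIFY OK lines."""
    m = re.search(r"^VERIFY OK: depth=0, (\S.*)$", log_text, re.M)
    if not m:
        raise ValueError("no depth=0 VERIFY OK line found")
    return m.group(1).strip()


def evaluate(subject: str, spec: str, cn_username_required: bool = True) -> dict:
    """Decide whether the certificate qualifies for autologin under `spec`
    and which username it maps to. The username is taken from CN, as the
    thread expects; with cn_username_required=True an empty CN is rejected
    with the same message the server logged. Flags are parsed but not
    interpreted (assumption for this example)."""
    attrs = parse_subject(subject)
    attr, _flags, needle = parse_spec(spec)
    username = attrs.get("CN", [""])[0]
    if cn_username_required and not username:
        raise ValueError("credential username must not be empty")
    autologin = any(needle in value for value in attrs.get(attr, []))
    return {"username": username, "autologin": autologin}


if __name__ == "__main__":
    subject = depth0_subject(SAMPLE_LOG)
    print(subject, evaluate(subject, "OU,,AUTOLOGIN"))
```

The point of the `cn_username_required` switch is the one the thread circles around: turning off the CN requirement silences the exception but leaves the connection with an empty username, so the fix is a subject that actually carries a CN plus a spec whose enabling substring the certificate really contains.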

Re: Radius (MS-CHAP v2) auth exception?

Posted: Sun Jun 10, 2018 6:24 pm
by novaflash
I'm guessing you saw that in this page?
https://docs.openvpn.net/configuration/ ... cture-pki/