We are configuring a OpenVPN with OpenOTP feature . We are in a blocker where after passing Username / Password+OTP is failing.
Please find theFollowing is the error that Radius server is reporting , Thu Mar 30 10:56:27 2017 : Auth: Invalid user: [UserName/\261\262U\211X/\006g\220\3611S{Zn\342\230\307\350͑Z\220&\t{\373{Ђo\324\001\345\312\016=Q|iP#\236\206\3409] (from client 0.0.0.0/0 port 1 cli Client Public IP)
Code: Select all
Server.conf
port 1194
proto udp
dev tun1
fragment 1400
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
server 5.5.32.0 255.255.255.0
comp-lzo no
user nobody
group users
persist-key
persist-tun
status /var/log/openvpn-status.log
duplicate-cn
plugin /etc/openvpn/radiusplugin.so /etc/openvpn/radiusplugin.cnf
tmp-dir "/etc/openvpn/tmp/"
log /var/log/openvpn.log
mode server
tls-server
verb 7
cipher AES-256-CBC
#auth MD5
#link-mtu 1500
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.8.4"
#client-to-client
duplicate-cn
local 10.0.0.127
ifconfig-pool-persist ipp.txt
push "persist-key"
push "persist-tun"
ifconfig 5.5.32.1 5.5.32.2
keysize 256
dev-type tun
#auth-user-pass-verify
#plugin /usr/lib64/openvpn/plugin/lib/openvpn-auth-pam.so openvpn
#
tun-mtu 1500
Code: Select all
Client Conf
auth SHA1
ca ca.crt
cert client.crt
key client.key
cipher AES-256-CBC
client
comp-lzo no
fragment 1400
dev tun0
keysize 256
persist-key
persist-tun
ping 15
ping-exit 15
ping-restart 0
proto udp
remote VPNSERVER 1194 udp
tls-client
verb 3
resolv-retry infinite
key client.key
ns-cert-type server
#script-security 2
#up /etc/openvpn/update-resolv-conf.sh
#down /etc/openvpn/update-resolv-conf.sh
redirect-gateway def1 bypass-dhcp
pull
nobind
dev-type tun
#link-mtu 1558
mssfix
setenv FORWARD_COMPATIBLE 1
ifconfig 5.5.32.2 5.5.32.1
#tun-mtu-extra 32
tun-mtu 1500
rad_recv: Access-Request packet from host 10.0.0.127 port 37454, id=119, length=167
User-Name = "UserNAME"
User-Password = "\270E\237\366Xm\302s\022\254\242\264\216\236+\301\003\036\177\024\241\233\357\230`g/\2036\036}1֭\007ս\317b)\306y\357\355ش"
NAS-IP-Address = 127.0.0.1
NAS-Port = 1
Service-Type = Outbound-User
Calling-Station-Id = "Public_IP"
NAS-Identifier = "OpenVpn"
Acct-Session-Id = "CC0B4006AA7BD6A20E7940D398CA8A27"
NAS-Port-Type = Virtual
# Executing section authorize from file /opt/radiusd/conf/radiusd.conf
+group authorize {
[eap] No EAP-Message, not doing EAP
++[eap] = noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] = noop
rlm_openotp: Invalid "User-Password" attribute (bad format or wrong RADIUS secret)
++[openotp] = invalid
+} # group authorize = invalid
Invalid user: [taphilix-dev/\270E\237\366Xm\302s\022\254\242\264\216\236+\301\003\036\177\024\241\233\357\230`g/\2036\036}1֭\007ս\317b)\306y\357\355ش] (from client 0.0.0.0/0 port 1 cli <PublicIP>)
Using Post-Auth-Type Reject
WARNING: Unknown value specified for Post-Auth-Type. Cannot perform requested action.
Sending Access-Reject of id 119 to 10.0.0.127 port 37454
Finished request 3.
Going to the next request
Waking up in 9.9 seconds.
Cleaning up request 3 ID 119 with timestamp +505
Suspecting whether the Password is getting garbled or not
Please find the contents of radiusplugin.cnf
Code: Select all
NAS-Identifier=OpenVpn
Service-Type=5
Framed-Protocol=1
NAS-Port-Type=5
NAS-IP-Address=127.0.0.1
OpenVPNConfig=/etc/openvpn/server.conf
overwriteccfiles=true
nonfatalaccounting=false
server
{
name=127.0.0.1
acctport=1813
authport=1812
retry=3
wait=3
sharedsecret = testing
}
Code: Select all
[root@ip-10-0-0-127 radiusplugin_v2.0c_beta]# egrep -v "#" /opt/radiusd/conf/clients.conf
client 0.0.0.0/0 {
secret = testing
}
Can someone please help me to fix this issue ?
Thanks
Philix