[Solved] Openvpn Auth failure

philixta
OpenVpn Newbie
Posts: 8
Joined: Thu Feb 09, 2017 3:45 am

[Solved] Openvpn Auth failure

Post by philixta » Thu Mar 30, 2017 11:14 am

Hi

We are configuring OpenVPN with the OpenOTP feature. We are in a blocker where authentication after passing Username / Password+OTP is failing.
The following is the error that the Radius server is reporting:
Thu Mar 30 10:56:27 2017 : Auth: Invalid user: [UserName/\261\262U\211X׹/\006g\220\3611S{Zn\342\230\307\350͑Z\220&\t{\373{Ђo\324\001\345\312\016=Q|iP#\236\206\3409] (from client 0.0.0.0/0 port 1 cli Client Public IP)
Please find the

Code:

Server.conf

port 1194
proto udp
dev tun1
fragment 1400
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
server 5.5.32.0 255.255.255.0
comp-lzo no
user nobody
group users
persist-key
persist-tun
status /var/log/openvpn-status.log
duplicate-cn
plugin /etc/openvpn/radiusplugin.so /etc/openvpn/radiusplugin.cnf
tmp-dir "/etc/openvpn/tmp/"                      
log /var/log/openvpn.log
mode server
tls-server
verb 7
cipher AES-256-CBC
#auth MD5
#link-mtu 1500
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.8.4"
#client-to-client 
duplicate-cn
local  10.0.0.127 
ifconfig-pool-persist ipp.txt
push "persist-key"
push "persist-tun"
ifconfig 5.5.32.1 5.5.32.2
keysize 256
dev-type tun
#auth-user-pass-verify
#plugin /usr/lib64/openvpn/plugin/lib/openvpn-auth-pam.so openvpn
#
tun-mtu 1500

Code:

Client Conf 

auth SHA1
ca ca.crt
cert client.crt
key client.key
cipher AES-256-CBC
client
comp-lzo no
fragment 1400
dev tun0
keysize 256
persist-key
persist-tun
ping 15
ping-exit 15
ping-restart 0
proto udp
remote VPNSERVER 1194 udp
tls-client
verb 3
resolv-retry infinite
key client.key
ns-cert-type server
#script-security 2
#up /etc/openvpn/update-resolv-conf.sh
#down /etc/openvpn/update-resolv-conf.sh
redirect-gateway def1 bypass-dhcp
pull
nobind
dev-type tun
#link-mtu 1558
mssfix
setenv FORWARD_COMPATIBLE 1
ifconfig 5.5.32.2 5.5.32.1
#tun-mtu-extra 32
tun-mtu 1500

Further, running the Radius server in debug mode, the following was captured:

rad_recv: Access-Request packet from host 10.0.0.127 port 37454, id=119, length=167
User-Name = "UserNAME"
User-Password = "\270E\237\366Xm\302s\022\254\242\264\216\236+\301\003\036\177\024\241\233\357\230`g/\2036\036}1֭\007ս\317b)\306y\357͹\355ش"
NAS-IP-Address = 127.0.0.1
NAS-Port = 1
Service-Type = Outbound-User
Calling-Station-Id = "Public_IP"
NAS-Identifier = "OpenVpn"
Acct-Session-Id = "CC0B4006AA7BD6A20E7940D398CA8A27"
NAS-Port-Type = Virtual
# Executing section authorize from file /opt/radiusd/conf/radiusd.conf
+group authorize {
[eap] No EAP-Message, not doing EAP
++[eap] = noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] = noop
rlm_openotp: Invalid "User-Password" attribute (bad format or wrong RADIUS secret)
++[openotp] = invalid
+} # group authorize = invalid
Invalid user: [taphilix-dev/\270E\237\366Xm\302s\022\254\242\264\216\236+\301\003\036\177\024\241\233\357\230`g/\2036\036}1֭\007ս\317b)\306y\357͹\355ش] (from client 0.0.0.0/0 port 1 cli <PublicIP>)
Using Post-Auth-Type Reject
WARNING: Unknown value specified for Post-Auth-Type. Cannot perform requested action.
Sending Access-Reject of id 119 to 10.0.0.127 port 37454
Finished request 3.
Going to the next request
Waking up in 9.9 seconds.
Cleaning up request 3 ID 119 with timestamp +505

Suspecting whether the Password is getting garbled or not

Please find the contents of radiusplugin.cnf

Code:


NAS-Identifier=OpenVpn
Service-Type=5
Framed-Protocol=1
NAS-Port-Type=5
NAS-IP-Address=127.0.0.1
OpenVPNConfig=/etc/openvpn/server.conf
overwriteccfiles=true
nonfatalaccounting=false
server
{
   name=127.0.0.1
   acctport=1813
   authport=1812
   retry=3
   wait=3
   sharedsecret = testing
}

Please find the contents of Client.conf; the Shared Secret is the same

Code:

[root@ip-10-0-0-127 radiusplugin_v2.0c_beta]# egrep -v "#"   /opt/radiusd/conf/clients.conf
client 0.0.0.0/0 {
	secret		= testing
}

Not sure what needs to be checked further

Can someone please help me to fix this issue?

Thanks
Philix

TiTex
OpenVPN Super User
Posts: 310
Joined: Tue Apr 12, 2011 6:22 am

Re: Openvpn Auth failure

Post by TiTex » Thu Mar 30, 2017 11:27 am

Is your RADIUS server on the same box as your VPN server?

Code:

client 0.0.0.0/0 {
   secret      = testing
}

Shouldn't this be?

Code:

client 127.0.0.1 {
   secret      = testing
   nastype = other
   shortname = OpenVpn
   }

You can also install the FreeRADIUS utilities and test if it works from the command line.

philixta
OpenVpn Newbie
Posts: 8
Joined: Thu Feb 09, 2017 3:45 am

Re: Openvpn Auth failure

Post by philixta » Thu Mar 30, 2017 6:04 pm

Hi Titex

Thank you so much for the update

Yes, the Radius server works on the same box as the VPNServer

Tried the following conf, which hasn't helped

Code:

client 127.0.0.1 {
   secret      = testing
   nastype = other
   shortname = OpenVpn
   }

Currently trying with the FreeRadius utilities

Regards
Philix

philixta
OpenVpn Newbie
Posts: 8
Joined: Thu Feb 09, 2017 3:45 am

Re: Openvpn Auth failure

Post by philixta » Tue Apr 04, 2017 11:04 am

OpenVPN started to work, after finding that the password from OpenVPN is hashed and not recognizable by the Radius server

Now the server and client are in sync on AUTH MD5, the password is recognizable by the Radius server, and it's working OK

Thanks all for your help

We can close this thread for your help

Philix

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Openvpn Auth failure

Post by TinCanTech » Tue Apr 04, 2017 11:56 am

philixta wrote: OpenVPN started to work, after finding the Password from OpenVPN is hashed

Is the hashing performed by

philixta wrote: plugin /etc/openvpn/radiusplugin.so /etc/openvpn/radiusplugin.cnf

the radius plugin?

cheuk3
OpenVpn Newbie
Posts: 1
Joined: Mon May 21, 2018 6:27 pm

Re: Openvpn Auth failure

Post by cheuk3 » Mon May 21, 2018 6:28 pm

philixta wrote:
Tue Apr 04, 2017 11:04 am
OpenVPN started to work , after finding the Password from OpenVPN is hashed and not recognizable by the Radius server

Now Server and Client is in sync on AUTH MD5 and password is recognizable by Radius server and its working ok

THanks all for your help

We can close this thread for your help

Philix

Hi, I'm facing this problem also; how did you get the password hashed? Thanks!
