OpenVPN Server with Microsoft Azure MFA NPS extension

[stuhad]

We are trying to integrate Azure MFA on an OpenVPN 2.4.4 Server running on an Ubuntu 18.04.5 LTS VM

We have a Windows Server 2019 NPS server, with the OpenVPN Server configured as a RADIUS client and a network policy that allows access. We ensured that RADIUS access was successfully working prior to installing the Azure MFA extension on the NPS server.

After installing the NPS MFA extension our experience is this:

• client enters the username/password

• gets prompted on their phone for MFA

• approves the prompt

After which the OpenVPN client seems to wait, and then returns back to the login prompt with a Wrong credentials. Try again... message

We have confirmed that the NPS logs in Event Viewer still show that access is being Granted with the MFA extension enabled:

Code: Select all

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          11/12/2020 12:03:18 AM
Event ID:      6272
Task Category: Network Policy Server
Level:         Information
Keywords:      Audit Success
User:          N/A
Computer:      radiusserver
Description:
Network Policy Server granted access to a user.

User:
	Security ID:			Domain\admin
	Account Name:			admin@test.com.au
	Account Domain:			Domain
	Fully Qualified Account Name:	Domain\admin

Client Machine:
	Security ID:			NULL SID
	Account Name:			-
	Fully Qualified Account Name:	-
	Called Station Identifier:		-
	Calling Station Identifier:		client IP

NAS:
	NAS IPv4 Address:		openvpn server IP
	NAS IPv6 Address:		-
	NAS Identifier:			OpenVpn
	NAS Port-Type:			Virtual
	NAS Port:			1

RADIUS Client:
	Client Friendly Name:		VPN
	Client IP Address:			openvpn server IP

Authentication Details:
	Connection Request Policy Name:	Use Windows authentication for all users
	Network Policy Name:		VPN
	Authentication Provider:		Windows
	Authentication Server:		radius server
	Authentication Type:		Extension
	EAP Type:			-
	Account Session Identifier:		4237304141324331313142354439433644334141383535373945364143364534
	Logging Results:			Accounting information was written to the local log file.

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
    <EventID>6272</EventID>
    <Version>2</Version>
    <Level>0</Level>
    <Task>12552</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2020-11-12T00:03:18.614518000Z" />
    <EventRecordID>2969</EventRecordID>
    <Correlation ActivityID="{1c191e12-ac99-0000-82d4-20fad3b7d601}" />
    <Execution ProcessID="712" ThreadID="772" />
    <Channel>Security</Channel>
    <Computer>radiusserver</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-21-832361468-1348258915-671347851-5615</Data>
    <Data Name="SubjectUserName">admin@test.com.au</Data>
    <Data Name="SubjectDomainName">DOMAIN</Data>
    <Data Name="FullyQualifiedSubjectUserName">DOMAIN\admin</Data>
    <Data Name="SubjectMachineSID">S-1-0-0</Data>
    <Data Name="SubjectMachineName">-</Data>
    <Data Name="FullyQualifiedSubjectMachineName">-</Data>
    <Data Name="CalledStationID">-</Data>
    <Data Name="CallingStationID">clientIP</Data>
    <Data Name="NASIPv4Address">openVPNIP</Data>
    <Data Name="NASIPv6Address">-</Data>
    <Data Name="NASIdentifier">OpenVpn</Data>
    <Data Name="NASPortType">Virtual</Data>
    <Data Name="NASPort">1</Data>
    <Data Name="ClientName">VPN</Data>
    <Data Name="ClientIPAddress">openVPNIP</Data>
    <Data Name="ProxyPolicyName">Use Windows authentication for all users</Data>
    <Data Name="NetworkPolicyName">VPN</Data>
    <Data Name="AuthenticationProvider">Windows</Data>
    <Data Name="AuthenticationServer">radiusserver</Data>
    <Data Name="AuthenticationType">Extension</Data>
    <Data Name="EAPType">-</Data>
    <Data Name="AccountSessionIdentifier">4237304141324331313142354439433644334141383535373945364143364534</Data>
    <Data Name="LoggingResult">Accounting information was written to the local log file.</Data>
  </EventData>
</Event>

but we have noted Accounting errors when tailing the OpenVPN logs:
Example of failed connection with MFA Extension enabled:

Code: Select all

Thu Nov 12 00:13:31 2020 RADIUS-PLUGIN: FOREGROUND: Add user for accounting: username: admin@test.com.au, commonname: client1
Thu Nov 12 00:13:31 2020 RADIUS-PLUGIN: BACKGROUND ACCT: Get a command.
Thu Nov 12 00:13:31 2020 RADIUS-PLUGIN: BACKGROUND ACCT: New User.
Thu Nov 12 00:13:31 2020 RADIUS-PLUGIN: BACKGROUND ACCT: New user acct: username: admin@test.com.au, interval: 0, calling station: 203.213.108.131, commonname: client1, framed ip: 10.8.0.6.
Thu Nov 12 00:14:11 2020 RADIUS-PLUGIN: BACKGROUND ACCT: Error: Start packet couldn't send.
 
!
Thu Nov 12 00:14:11 2020 Error: RADIUS-PLUGIN: FOREGROUND: Accounting failed for user:admin@test.com.au!
 
Thu Nov 12 00:14:11 2020 us=226645 client1/203.213.108.131:63903 PLUGIN_CALL: POST /usr/lib/openvpn/radiusplugin.so/PLUGIN_CLIENT_CONNECT status=1
Thu Nov 12 00:14:11 2020 us=226656 client1/203.213.108.131:63903 PLUGIN_CALL: plugin function PLUGIN_CLIENT_CONNECT failed with status 1: /usr/lib/openvpn/radiusplugin.so
Thu Nov 12 00:14:11 2020 us=226665 client1/203.213.108.131:63903 WARNING: client-connect plugin call failed
Thu Nov 12 00:14:11 2020 us=226812 client1/203.213.108.131:63903 PUSH: Received control message: 'PUSH_REQUEST'

Example of successful connection with MFA Extension disabled:

Code: Select all

Thu Nov 12 00:26:57 2020 RADIUS-PLUGIN: FOREGROUND: Add user for accounting: username: admin@test.com.au, commonname: client1
Thu Nov 12 00:26:57 2020 RADIUS-PLUGIN: BACKGROUND ACCT: Get a command.
Thu Nov 12 00:26:57 2020 RADIUS-PLUGIN: BACKGROUND ACCT: New User.
Thu Nov 12 00:26:57 2020 RADIUS-PLUGIN: BACKGROUND ACCT: New user acct: username: admin@test.com.au, interval: 0, calling station: 203.213.108.131, commonname: client1, framed ip: 10.8.0.6.
Thu Nov 12 00:26:57 2020 RADIUS-PLUGIN: BACKGROUND-ACCT: Get ACCOUNTING_RESPONSE-Packet.
Thu Nov 12 00:26:57 2020 RADIUS-PLUGIN: BACKGROUND ACCT: Start packet was send.
Thu Nov 12 00:26:57 2020 RADIUS-PLUGIN: BACKGROUND ACCT: User was added to accounting scheduler.
Thu Nov 12 00:26:57 2020 RADIUS-PLUGIN: BACKGROUND-ACCT: No routes for user.
Thu Nov 12 00:26:57 2020 RADIUS-PLUGIN: FOREGROUND: Accouting succeeded!

To me it seems like we are simply not receiving the required:

Code: Select all

Get ACCOUNTING_RESPONSE-Packet.

from the the NPS server when the MFA extension is enabled.

However, Microsoft support are suggesting that the NPS server and the MFA extension are working correctly and that "we have to engage VPN side support to check why VPN authentication failure given the Azure MFA success response and AccessAccept state"

openvpn --version

Code: Select all

$ openvpn --version
OpenVPN 2.4.4 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on May 14 2019
library versions: OpenSSL 1.1.1  11 Sep 2018, LZO 2.08
Originally developed by James Yonan
Copyright (C) 2002-2017 OpenVPN Technologies, Inc. <sales@openvpn.net>
Compile time defines: enable_async_push=no enable_comp_stub=no enable_crypto=yes enable_crypto_ofb_cfb=yes enable_debug=yes enable_def_auth=yes enable_dependency_tracking=no enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=needless enable_fragment=yes enable_iproute2=yes enable_libtool_lock=yes enable_lz4=yes enable_lzo=yes enable_maintainer_mode=no enable_management=yes enable_multihome=yes enable_pam_dlopen=no enable_pedantic=no enable_pf=yes enable_pkcs11=yes enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=no enable_server=yes enable_shared=yes enable_shared_with_static_runtimes=no enable_silent_rules=no enable_small=no enable_static=yes enable_strict=no enable_strict_options=no enable_systemd=yes enable_werror=no enable_win32_dll=yes enable_x509_alt_username=yes with_aix_soname=aix with_crypto_library=openssl with_gnu_ld=yes with_mem_check=no with_sysroot=no

server.conf

View OriginalServer config

1

2

3

# Which local IP address should OpenVPN

4

5

# listen on? (optional)

6

7

;local a.b.c.d

8

9

10

11

# Which TCP/UDP port should OpenVPN listen on?

12

13

# If you want to run multiple OpenVPN instances

14

15

# on the same machine, use a different port

16

17

# number for each one. You will need to

18

19

# open up this port on your firewall.

20

21

port 1194

22

23

24

25

# Plugins

26

27

plugin /usr/lib/openvpn/radiusplugin.so /etc/openvpn/radiusplugin.cnf

28

29

30

31

# TCP or UDP server?

32

33

;proto tcp

34

35

proto udp

36

37

38

39

# "dev tun" will create a routed IP tunnel,

40

41

# "dev tap" will create an ethernet tunnel.

42

43

# Use "dev tap0" if you are ethernet bridging

44

45

# and have precreated a tap0 virtual interface

46

47

# and bridged it with your ethernet interface.

48

49

# If you want to control access policies

50

51

# over the VPN, you must create firewall

52

53

# rules for the the TUN/TAP interface.

54

55

# On non-Windows systems, you can give

56

57

# an explicit unit number, such as tun0.

58

59

# On Windows, use "dev-node" for this.

60

61

# On most systems, the VPN will not function

62

63

# unless you partially or fully disable

64

65

# the firewall for the TUN/TAP interface.

66

67

;dev tap

68

69

dev tun

70

71

72

73

# Windows needs the TAP-Win32 adapter name

74

75

# from the Network Connections panel if you

76

77

# have more than one. On XP SP2 or higher,

78

79

# you may need to selectively disable the

80

81

# Windows firewall for the TAP adapter.

82

83

# Non-Windows systems usually don't need this.

84

85

;dev-node MyTap

86

87

88

89

# SSL/TLS root certificate (ca), certificate

90

91

# (cert), and private key (key). Each client

92

93

# and the server must have their own cert and

94

95

# key file. The server and all clients will

96

97

# use the same ca file.

98

99

#

100

101

# See the "easy-rsa" directory for a series

102

103

# of scripts for generating RSA certificates

104

105

# and private keys. Remember to use

106

107

# a unique Common Name for the server

108

109

# and each of the client certificates.

110

111

#

112

113

# Any X509 key management system can be used.

114

115

# OpenVPN can also use a PKCS #12 formatted key file

116

117

# (see "pkcs12" directive in man page).

118

119

ca ca.crt

120

121

cert server.crt

122

123

key server.key # This file should be kept secret

124

125

126

127

# Diffie hellman parameters.

128

129

# Generate your own with:

130

131

# openssl dhparam -out dh2048.pem 2048

132

133

dh dh.pem

134

135

136

137

# Network topology

138

139

# Should be subnet (addressing via IP)

140

141

# unless Windows clients v2.0.9 and lower have to

142

143

# be supported (then net30, i.e. a /30 per client)

144

145

# Defaults to net30 (not recommended)

146

147

;topology subnet

148

149

150

151

# Configure server mode and supply a VPN subnet

152

153

# for OpenVPN to draw client addresses from.

154

155

# The server will take 10.8.0.1 for itself,

156

157

# the rest will be made available to clients.

158

159

# Each client will be able to reach the server

160

161

# on 10.8.0.1. Comment this line out if you are

162

163

# ethernet bridging. See the man page for more info.

164

165

server 10.8.0.0 255.255.255.0

166

167

168

169

# Maintain a record of client <-> virtual IP address

170

171

# associations in this file. If OpenVPN goes down or

172

173

# is restarted, reconnecting clients can be assigned

174

175

# the same virtual IP address from the pool that was

176

177

# previously assigned.

178

179

ifconfig-pool-persist /var/log/openvpn/ipp.txt

180

181

182

183

# Configure server mode for ethernet bridging.

184

185

# You must first use your OS's bridging capability

186

187

# to bridge the TAP interface with the ethernet

188

189

# NIC interface. Then you must manually set the

190

191

# IP/netmask on the bridge interface, here we

192

193

# assume 10.8.0.4/255.255.255.0. Finally we

194

195

# must set aside an IP range in this subnet

196

197

# (start=10.8.0.50 end=10.8.0.100) to allocate

198

199

# to connecting clients. Leave this line commented

200

201

# out unless you are ethernet bridging.

202

203

;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100

204

205

206

207

# Configure server mode for ethernet bridging

208

209

# using a DHCP-proxy, where clients talk

210

211

# to the OpenVPN server-side DHCP server

212

213

# to receive their IP address allocation

214

215

# and DNS server addresses. You must first use

216

217

# your OS's bridging capability to bridge the TAP

218

219

# interface with the ethernet NIC interface.

220

221

# Note: this mode only works on clients (such as

222

223

# Windows), where the client-side TAP adapter is

224

225

# bound to a DHCP client.

226

227

;server-bridge

228

229

230

231

# Push routes to the client to allow it

232

233

# to reach other private subnets behind

234

235

# the server. Remember that these

236

237

# private subnets will also need

238

239

# to know to route the OpenVPN client

240

241

# address pool (10.8.0.0/255.255.255.0)

242

243

# back to the OpenVPN server.

244

245

;push "route 192.168.20.0 255.255.255.0"

246

247

248

249

# To assign specific IP addresses to specific

250

251

# clients or if a connecting client has a private

252

253

# subnet behind it that should also have VPN access,

254

255

# use the subdirectory "ccd" for client-specific

256

257

# configuration files (see man page for more info).

258

259

260

261

# EXAMPLE: Suppose the client

262

263

# having the certificate common name "Thelonious"

264

265

# also has a small subnet behind his connecting

266

267

# machine, such as 192.168.40.128/255.255.255.248.

268

269

# First, uncomment out these lines:

270

271

;client-config-dir ccd

272

273

;route 192.168.40.128 255.255.255.248

274

275

# Then create a file ccd/Thelonious with this line:

276

277

# iroute 192.168.40.128 255.255.255.248

278

279

# This will allow Thelonious' private subnet to

280

281

# access the VPN. This example will only work

282

283

# if you are routing, not bridging, i.e. you are

284

285

# using "dev tun" and "server" directives.

286

287

288

289

# EXAMPLE: Suppose you want to give

290

291

# Thelonious a fixed VPN IP address of 10.9.0.1.

292

293

# First uncomment out these lines:

294

295

;client-config-dir ccd

296

297

;route 10.9.0.0 255.255.255.252

298

299

# Then add this line to ccd/Thelonious:

300

301

# ifconfig-push 10.9.0.1 10.9.0.2

302

303

304

305

# Suppose that you want to enable different

306

307

# firewall access policies for different groups

308

309

# of clients. There are two methods:

310

311

# (1) Run multiple OpenVPN daemons, one for each

312

313

# group, and firewall the TUN/TAP interface

314

315

# for each group/daemon appropriately.

316

317

# (2) (Advanced) Create a script to dynamically

318

319

# modify the firewall in response to access

320

321

# from different clients. See man

322

323

# page for more info on learn-address script.

324

325

;learn-address ./script

326

327

328

329

# If enabled, this directive will configure

330

331

# all clients to redirect their default

332

333

# network gateway through the VPN, causing

334

335

# all IP traffic such as web browsing and

336

337

# and DNS lookups to go through the VPN

338

339

# (The OpenVPN server machine may need to NAT

340

341

# or bridge the TUN/TAP interface to the internet

342

343

# in order for this to work properly).

344

345

;push "redirect-gateway def1 bypass-dhcp"

346

347

348

349

# Certain Windows-specific network settings

350

351

# can be pushed to clients, such as DNS

352

353

# or WINS server addresses. CAVEAT:

354

355

# http://openvpn.net/faq.html#dhcpcaveats

356

357

# The addresses below refer to the public

358

359

# DNS servers provided by opendns.com.

360

361

362

363

# Uncomment this directive to allow different

364

365

# clients to be able to "see" each other.

366

367

# By default, clients will only see the server.

368

369

# To force clients to only see the server, you

370

371

# will also need to appropriately firewall the

372

373

# server's TUN/TAP interface.

374

375

;client-to-client

376

377

378

379

# Uncomment this directive if multiple clients

380

381

# might connect with the same certificate/key

382

383

# files or common names. This is recommended

384

385

# only for testing purposes. For production use,

386

387

# each client should have its own certificate/key

388

389

# pair.

390

391

#

392

393

# IF YOU HAVE NOT GENERATED INDIVIDUAL

394

395

# CERTIFICATE/KEY PAIRS FOR EACH CLIENT,

396

397

# EACH HAVING ITS OWN UNIQUE "COMMON NAME",

398

399

# UNCOMMENT THIS LINE OUT.

400

401

;duplicate-cn

402

403

404

405

# The keepalive directive causes ping-like

406

407

# messages to be sent back and forth over

408

409

# the link so that each side knows when

410

411

# the other side has gone down.

412

413

# Ping every 10 seconds, assume that remote

414

415

# peer is down if no ping received during

416

417

# a 120 second time period.

418

419

keepalive 10 120

420

421

422

423

# For extra security beyond that provided

424

425

# by SSL/TLS, create an "HMAC firewall"

426

427

# to help block DoS attacks and UDP port flooding.

428

429

#

430

431

# Generate with:

432

433

# openvpn --genkey --secret ta.key

434

435

#

436

437

# The server and each client must have

438

439

# a copy of this key.

440

441

# The second parameter should be '0'

442

443

# on the server and '1' on the clients.

444

445

tls-auth ta.key 0 # This file is secret

446

447

448

449

# Select a cryptographic cipher.

450

451

# This config item must be copied to

452

453

# the client config file as well.

454

455

# Note that v2.4 client/server will automatically

456

457

# negotiate AES-256-GCM in TLS mode.

458

459

# See also the ncp-cipher option in the manpage

460

461

cipher AES-256-CBC

462

463

auth SHA256

464

465

466

467

# Enable compression on the VPN link and push the

468

469

# option to the client (v2.4+ only, for earlier

470

471

# versions see below)

472

473

;compress lz4-v2

474

475

;push "compress lz4-v2"

476

477

478

479

# For compression compatible with older clients use comp-lzo

480

481

# If you enable it here, you must also

482

483

# enable it in the client config file.

484

485

;comp-lzo

486

487

488

489

# The maximum number of concurrently connected

490

491

# clients we want to allow.

492

493

;max-clients 100

494

495

496

497

# It's a good idea to reduce the OpenVPN

498

499

# daemon's privileges after initialization.

500

501

#

502

503

# You can uncomment this out on

504

505

# non-Windows systems.

506

507

user nobody

508

509

group nogroup

510

511

512

513

# The persist options will try to avoid

514

515

# accessing certain resources on restart

516

517

# that may no longer be accessible because

518

519

# of the privilege downgrade.

520

521

persist-key

522

523

persist-tun

524

525

526

527

# Output a short status file showing

528

529

# current connections, truncated

530

531

# and rewritten every minute.

532

533

status /var/log/openvpn/openvpn-status.log

534

535

536

537

# By default, log messages will go to the syslog (or

538

539

# on Windows, if running as a service, they will go to

540

541

# the "\Program Files\OpenVPN\log" directory).

542

543

# Use log or log-append to override this default.

544

545

# "log" will truncate the log file on OpenVPN startup,

546

547

# while "log-append" will append to it. Use one

548

549

# or the other (but not both).

550

551

log /var/log/openvpn/openvpn.log

552

553

log-append /var/log/openvpn/openvpn.log

554

555

556

557

# Set the appropriate level of log

558

559

# file verbosity.

560

561

#

562

563

# 0 is silent, except for fatal errors

564

565

# 4 is reasonable for general usage

566

567

# 5 and 6 can help to debug connection problems

568

569

# 9 is extremely verbose

570

571

verb 5

572

573

574

575

# Silence repeating messages. At most 20

576

577

# sequential messages of the same message

578

579

# category will be output to the log.

580

581

;mute 20

582

583

584

585

# Notify the client that when the server restarts so it

586

587

# can automatically reconnect.

588

589

explicit-exit-notify 1

590

591

592

593

#Modification:

594

595

reneg-sec 0

596

1

port 1194

2

plugin /usr/lib/openvpn/radiusplugin.so /etc/openvpn/radiusplugin.cnf

3

proto udp

4

dev tun

5

ca ca.crt

6

cert server.crt

7

key server.key

8

dh dh.pem

9

server 10.8.0.0 255.255.255.0

10

ifconfig-pool-persist /var/log/openvpn/ipp.txt

11

keepalive 10 120

12

tls-auth ta.key 0

13

cipher AES-256-CBC

14

auth SHA256

15

user nobody

16

group nogroup

17

persist-key

18

persist-tun

19

status /var/log/openvpn/openvpn-status.log

20

log /var/log/openvpn/openvpn.log

21

log-append /var/log/openvpn/openvpn.log

22

verb 5

23

explicit-exit-notify 1

24

reneg-sec 0

radiusplugin.cnf

Code: Select all

NAS-Identifier=OpenVpn
Service-Type=5
Framed-Protocol=1
NAS-Port-Type=5
NAS-IP-Address=local IP of OpenVPN server
OpenVPNConfig=/etc/openvpn/server.conf   # OpenVPN configuration file
overwriteccfiles=true
nonfatalaccounting=true
server
{
acctport=1813                     # RADIUS accounting port
authport=1812                     # RADIUS authentication port
name=local IP of RADIUS server                    # RADIUS IP
        retry=1
        wait=60
        sharedsecret=editedout              # Key is used between FreeRADIUS and OpenVPN
}

Does anyone have any experience with Integrating the Azure MFA NPS extension with OpenVPN? Do these logs shed any light on where the issue might lie?

Any help that you can provide would be greatly appreciated.

Thanks,

[TinCanTech]

Thu Nov 12 00:13:31 2020 RADIUS-PLUGIN: FOREGROUND: Add user for accounting: username: admin@test.com.au, commonname: client1
Thu Nov 12 00:13:31 2020 RADIUS-PLUGIN: BACKGROUND ACCT: Get a command.
Thu Nov 12 00:13:31 2020 RADIUS-PLUGIN: BACKGROUND ACCT: New User.
Thu Nov 12 00:13:31 2020 RADIUS-PLUGIN: BACKGROUND ACCT: New user acct: username: admin@test.com.au, interval: 0, calling station: 203.213.108.131, commonname: client1, framed ip: 10.8.0.6.
Thu Nov 12 00:14:11 2020 RADIUS-PLUGIN: BACKGROUND ACCT: Error: Start packet couldn't send.

!
Thu Nov 12 00:14:11 2020 Error: RADIUS-PLUGIN: FOREGROUND: Accounting failed for user:admin@test.com.au!

Thu Nov 12 00:14:11 2020 us=226645 client1/203.213.108.131:63903 PLUGIN_CALL: POST /usr/lib/openvpn/radiusplugin.so/PLUGIN_CLIENT_CONNECT status=1

[stuhad]

Not quite sure what you are trying to point out sorry, I have tried searching these errors and haven't had much luck.

In terms of the version of the RADIUS plugin:

Code: Select all

openvpn-auth-radius/bionic,now 2.1-6build1 amd64 [installed]

[TinCanTech]

We are trying to integrate Azure MFA on an OpenVPN 2.4.4 Server running on an Ubuntu 18.04.5 LTS VM

We have a Windows Server 2019 NPS server, with the OpenVPN Server configured as a RADIUS client and a network policy that allows access. We ensured that RADIUS access was successfully working prior to installing the Azure MFA extension on the NPS server.

Thu Nov 12 00:13:31 2020 RADIUS-PLUGIN: FOREGROUND: Add user for accounting: username: admin@test.com.au, commonname: client1
Thu Nov 12 00:13:31 2020 RADIUS-PLUGIN: BACKGROUND ACCT: Get a command.
Thu Nov 12 00:13:31 2020 RADIUS-PLUGIN: BACKGROUND ACCT: New User.
Thu Nov 12 00:13:31 2020 RADIUS-PLUGIN: BACKGROUND ACCT: New user acct: username: admin@test.com.au, interval: 0, calling station: 203.213.108.131, commonname: client1, framed ip: 10.8.0.6.
Thu Nov 12 00:14:11 2020 RADIUS-PLUGIN: BACKGROUND ACCT: Error: Start packet couldn't send.

!
Thu Nov 12 00:14:11 2020 Error: RADIUS-PLUGIN: FOREGROUND: Accounting failed for user:admin@test.com.au!

Thu Nov 12 00:14:11 2020 us=226645 client1/203.213.108.131:63903 PLUGIN_CALL: POST /usr/lib/openvpn/radiusplugin.so/PLUGIN_CLIENT_CONNECT status=1

Not quite sure what you are trying to point out sorry, I have tried searching these errors and haven't had much luck.

In terms of the version of the RADIUS plugin:

Code: Select all

openvpn-auth-radius/bionic,now 2.1-6build1 amd64 [installed]

This has nothing to do with OpenVPN ..

[Pippin]

Indeed looks like off topic.

OpenVPN handoff auth and waits for success message back.
Standalone Radius succeeds.
Standalone MFA succeeds.

First, I have no experience with MFA.
If I understand the "flow" for your Radius/MFA it's like:
OpenVPN -> Radius -> MFA -> Radius -> OpenVPN

I would think MFA is unable to talk back to Radius.
Check port 1813...

[stuhad]

Thanks guys, sorry about using the wrong forum.

If I understand the "flow" for your Radius/MFA it's like:
OpenVPN -> Radius -> MFA -> Radius -> OpenVPN

Yes, it is my understanding that the flow is as you have described, and therefore I would have thought that if it was a firewall/port issue then the connection would also fail with the MFA extension disabled, and so again I don't fully understand why there would be any need to change anything in the RADIUS conf on our OpenVPN server except maybe the timeout to ensure enough time for NPS to respond after MFA challenge.

Was really posting here as a last ditch effort in the hopes other users had already solved my problem somehow, I'm continuing to ask Microsoft support for further clarification and assistance, I'll post if I do find a resolution.

[apu]

Hi stuhad

Did you ever solve this? I'm about to roll this out and wondering if you got a resolution or it didn't end up working passing the request?

Thanks

[apu]

Thanks guys, sorry about using the wrong forum.

If I understand the "flow" for your Radius/MFA it's like:
OpenVPN -> Radius -> MFA -> Radius -> OpenVPN

Yes, it is my understanding that the flow is as you have described, and therefore I would have thought that if it was a firewall/port issue then the connection would also fail with the MFA extension disabled, and so again I don't fully understand why there would be any need to change anything in the RADIUS conf on our OpenVPN server except maybe the timeout to ensure enough time for NPS to respond after MFA challenge.

Was really posting here as a last ditch effort in the hopes other users had already solved my problem somehow, I'm continuing to ask Microsoft support for further clarification and assistance, I'll post if I do find a resolution.

Hi stuhad - any update to this?

[some1here]

Hi everyone,

same exact problem here, running openvpn 2.4.4-2ubuntu1.5 on Ubuntu 18.04.1 LTS
and openvpn-auth-radius 2.1-6build1. A pcap of the radius exchange shows the server
sending an Access-Accept packet identical to the one sent to non-MFA users.

I can log "auth succeded" messages on the VPN server but then connection is reset and
the auth process is restarted.

I couldn't find anything around here and the verb 9 logs didn't show anything obvious
(at least to me). Did someone fix this issue someway?

Thanks!
Me

[some1here]

Just in case someone is still struggling with this prob. I managed
to get the plugin working again by disabling the accounting ops in
UserAcct.cpp and recompiling.

Cheers,
Me

[diazed]

Some1here:

Hello, would you mind to share the instructions you followed to compile the UserAcct.cpp please?