auth_pam + pam_radius_auth.so + Calling-Station-ID

Posted: Wed Feb 15, 2012 4:34 pm
by davide.belloni
Hi,
I'm new in the forum.
I authenticate remote road warriors via PAM Radius successfully. But with some of these clients I need the possibility to check the Calling-Station-ID on the Radius server. I've tried, but with no success.

The pam_radius_auth.so can send the Calling-Station-ID if PAM_RHOST is set up by the service (openvpn in this case), but this variable is not set up by OpenVPN (or by the auth_pam plugin, I don't know which).

Is it possible to find a workaround, and/or can you modify the source code to implement this functionality?

Another minor question: is it possible to authenticate a client with username, password and certificate, but with a check that the username is the same as the CN of the certificate?

Thanks in advance

P.S.: I've written in this topic because for me it is an Authentication Script issue, but maybe for you it is better in the Wishlist topic.

Re: auth_pam + pam_radius_auth.so + Calling-Station-ID

Posted: Sat May 19, 2012 1:48 pm
by xauen
Hi,

It should be automatically relayed from the NAS to radius server.

Please post your server config here.
Please post client config here.
Please post radiusplugin.cnf here.
Please post your radiusd.conf here.

*all without comments to make it shorter.

Re: auth_pam + pam_radius_auth.so + Calling-Station-ID

Posted: Thu May 24, 2012 12:19 pm
by davide.belloni
Hi,

SERVER:
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
dev tun
proto tcp-server
cipher AES-256-CBC
server <vpnnet> <mask>
local <IP>
lport <port>
topology subnet
mtu-disc yes
verb 1
mute 3
mlock
user openvpnd
group openvpnd
comp-lzo
client-config-dir ccd
chroot /openvpn-chroot
ca /openvpn/etc/certs/openvpn.ca
cert /openvpn/etc/certs/openvpn.cert
key /openvpn/etc/certs/openvpn.key
dh /openvpn/etc/certs/openvpn.dh
tls-auth /openvpn/etc/certs/ta.key
writepid /openvpn/var/run/openvpn.pid
plugin /openvpn/plugin/lib/openvpn-auth-pam.so openvpn
push "route <net> <mask>"
push "dhcp-option DNS <dns1>"
push "dhcp-option DNS <dns2>"
reneg-bytes 549755813888
reneg-pkts 536870912
reneg-sec 28800
tcp-nodelay
ccd-exclusive
max-clients 100
opt-verify
ns-cert-type client
crl-verify crl.pem

CLIENT:
client
dev tun
proto tcp
remote <IP> <port>
nobind
persist-key
persist-tun
ca ca.crt
tls-auth ta.key
cert sslcert.pem
key sslkey.pem
ns-cert-type server
comp-lzo
verb 3
cipher AES-256-CBC
auth-user-pass
auth-retry interact
auth-nocache
reneg-bytes 549755813888
reneg-pkts 536870912
reneg-sec 28800
connect-retry-max 3

RADIUSPLUGIN.CNF:
<RADIUS1> <secret> 3
<RADIUS1> <secret> 3
127.0.0.1 secret 1

Radiusd.conf is not necessary, because in debug mode the radius server doesn't show the Calling-Station-ID among the parameters sent in an openvpn request, whereas in a Cisco IPsec request this parameter is present (for example).

Re: auth_pam + pam_radius_auth.so + Calling-Station-ID

Posted: Fri Jun 15, 2012 12:14 pm
by davide.belloni
Hi, any news about my question?
The problem is that the NAS (OpenVPN + auth_pam + PAM) does not relay the Calling-Station-ID to the radius server.

For the binding between CN and username I'll use the "auth-user-pass-verify" option (with the drawback that a script will have to be inserted into the chroot environment).

Thank you
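One way to do the CN-to-username binding the last post mentions, as an added example (not code from this thread or from OpenVPN itself): an auth-user-pass-verify script in via-file mode. It assumes the server sets script-security 2, that the script is copied into the chroot with its interpreter available there, and that PAM (via the plugin) still does the password check; this script only adds the CN match.

```shell
#!/bin/sh
# Added example: OpenVPN "auth-user-pass-verify <script> via-file" hook that
# refuses a connection unless the username the client typed equals the CN of
# the certificate it presented. Assumed server side: script-security 2, and the
# auth-pam plugin still verifying the password; this script adds only the CN check.
#
# In via-file mode OpenVPN passes a temp file as $1 (line 1 = username,
# line 2 = password) and exports the certificate CN as $common_name.

# Print the username (first line) from the via-file temp file.
username_from_file() {
    IFS= read -r first_line < "$1" || true
    printf '%s\n' "$first_line"
}

# Return 0 when user and CN are identical (exact, case-sensitive),
# 1 otherwise; an empty value never matches.
check_cn_match() {
    user="$1"
    cn="$2"
    if [ -n "$user" ] && [ -n "$cn" ] && [ "$user" = "$cn" ]; then
        return 0
    fi
    return 1
}

# Entry point used by OpenVPN; skipped when the hook environment is absent,
# so the functions above can also be exercised on their own.
if [ -n "${common_name:-}" ] && [ -n "${1:-}" ] && [ -r "$1" ]; then
    user="$(username_from_file "$1")"
    if check_cn_match "$user" "$common_name"; then
        exit 0
    fi
    # Non-zero exit makes OpenVPN reject the client (AUTH_FAILED).
    echo "auth-user-pass-verify: username '$user' does not match CN '$common_name'" >&2
    exit 1
fi
```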