Hi,
I'm new in the forum.
I authenticate remote road warriors via PAM RADIUS successfully. But with some of these clients I need the possibility to check the Calling-Station-ID on the RADIUS server. I've tried, but with no success.
The pam_radius_auth.so can send the Calling-Station-ID if PAM_RHOST is set up by the service (openvpn in this case), but this variable is not set up by OpenVPN (or by the auth_pam plugin, I don't know which).
Is it possible to find a workaround and/or can you modify the source code to implement this functionality?
Another minor question: is it possible to authenticate a client with username, password and certificate, but with a check that the username and the CN of the certificate are the same?
Thanks in advance
P.S.: I've written in this topic because for me it is an Authentication Script issue, but maybe for you it is better in the Wishlist topic.
auth_pam + pam_radius_auth.so + Calling-Station-ID
- xauen
- Forum Team
Re: auth_pam + pam_radius_auth.so + Calling-Station-ID
Hi,
It should be automatically relayed from the NAS to the RADIUS server.
Please post your server config here.
Please post client config here.
Please post radiusplugin.cnf here.
Please post your radiusd.conf here.
*all without comments to make it shorter.
"Never be bullied into silence. Never allow yourself to be made a victim. Accept no one's definition of you"
-IDK
Re: auth_pam + pam_radius_auth.so + Calling-Station-ID
Hi,
SERVER:
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
dev tun
proto tcp-server
cipher AES-256-CBC
server <vpnnet> <mask>
local <IP>
lport <port>
topology subnet
mtu-disc yes
verb 1
mute 3
mlock
user openvpnd
group openvpnd
comp-lzo
client-config-dir ccd
chroot /openvpn-chroot
ca /openvpn/etc/certs/openvpn.ca
cert /openvpn/etc/certs/openvpn.cert
key /openvpn/etc/certs/openvpn.key
dh /openvpn/etc/certs/openvpn.dh
tls-auth /openvpn/etc/certs/ta.key
writepid /openvpn/var/run/openvpn.pid
plugin /openvpn/plugin/lib/openvpn-auth-pam.so openvpn
push "route <net> <mask>"
push "dhcp-option DNS <dns1>"
push "dhcp-option DNS <dns2>"
reneg-bytes 549755813888
reneg-pkts 536870912
reneg-sec 28800
tcp-nodelay
ccd-exclusive
max-clients 100
opt-verify
ns-cert-type client
crl-verify crl.pem
CLIENT:
client
dev tun
proto tcp
remote <IP> <port>
nobind
persist-key
persist-tun
ca ca.crt
tls-auth ta.key
cert sslcert.pem
key sslkey.pem
ns-cert-type server
comp-lzo
verb 3
cipher AES-256-CBC
auth-user-pass
auth-retry interact
auth-nocache
reneg-bytes 549755813888
reneg-pkts 536870912
reneg-sec 28800
connect-retry-max 3
RADIUSPLUGIN.CNF:
<RADIUS1> <secret> 3
<RADIUS1> <secret> 3
127.0.0.1 secret 1
Radiusd.conf isn't necessary, because in debug mode the RADIUS server doesn't show the Calling-Station-ID among the parameters sent in an OpenVPN request, whereas in a Cisco IPsec request this parameter is present (for example).
Re: auth_pam + pam_radius_auth.so + Calling-Station-ID
Hi, some news about my question?
The problem is that the NAS (OpenVPN + auth_pam + PAM) does not relay the Calling-Station-ID to the RADIUS server.
For the binding between CN and username I'll use the "auth-user-pass-verify" option (with the con that a script has to be placed in the chroot environment).
Thank you
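One way to implement the username/CN binding with "auth-user-pass-verify" mentioned above, written as an added example that is not from the thread or from the OpenVPN project: with the via-env method OpenVPN exports username, common_name and untrusted_ip to the script, and exit status 0 accepts the login while non-zero rejects it. The script path, the log tag and the use of stderr for logging are assumptions; the server needs "script-security 3" for via-env, and the script must live inside the chroot.

```shell
#!/bin/sh
# Added example (not from the thread): auth-user-pass-verify script that
# rejects a login when the supplied username differs from the certificate CN.
# Assumed server-side lines:
#   script-security 3
#   auth-user-pass-verify /openvpn/bin/cn-check.sh via-env
# The path is inside the chroot because OpenVPN calls the script after chroot.

# Return 0 when the username equals the certificate CN, 1 otherwise.
# The comparison is exact and case-sensitive; an empty CN or username is rejected.
cn_matches_username() {
    user="$1"
    cn="$2"
    [ -n "$user" ] && [ -n "$cn" ] && [ "$user" = "$cn" ]
}

# Decide accept (0) / reject (1) for one attempt and log the decision to stderr.
# $3 is the peer address OpenVPN exposes as untrusted_ip (the value that
# pam_radius_auth would have needed as PAM_RHOST); here it is only logged.
verify_attempt() {
    if cn_matches_username "$1" "$2"; then
        echo "cn-check: accept user=$1 cn=$2 peer=$3" >&2
        return 0
    fi
    echo "cn-check: reject user=$1 cn=$2 peer=$3" >&2
    return 1
}

# Only take the decision when invoked by OpenVPN, which sets script_type;
# sourcing the file elsewhere just defines the functions.
if [ "${script_type:-}" = "user-pass-verify" ]; then
    verify_attempt "${username:-}" "${common_name:-}" "${untrusted_ip:-}"
    exit $?
fi
```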