RADIUS-PLUGIN: BACKGROUND ACCT: Error: Start packet couldn't send.
Teddy Azta
Cornelius Kölbel
please provide some more information:
Which distribution are you running on?
Which version of FreeRADIUS?
Start freeRADIUS in Debug mode (-X) and take a look at the output.
This may give you an additional clue.
http://privacyidea.readthedocs.org/en/latest/application_plugins/index.html?highlight=radclient#freeradius-plugin
Take a lock at the privacyIDEA audit log.
Kind regards
Cornelius
> You received this message because you are subscribed to the Google
> Groups "privacyidea" group.
> To unsubscribe from this group and stop receiving emails from it, send
> an email to privacyidea...@googlegroups.com.
> To post to this group, send email to priva...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/privacyidea/0c02206a-7603-4462-8c2b-cdfff2a8b9c1%40googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
--
Cornelius Kölbel
corneliu...@netknights.it
+49 151 2960 1417
NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798
Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel
Teddy Azta
Sending Access-Request of id 160 to 172.16.114.139 port 1812
User-Name = "teddy"
Password = "1234095237"
rad_recv: Access-Accept packet from host 172.16.114.139 port 1812, id=160, length=48
Reply-Message = "privacyIDEA access granted"
Total approved auths: 1
Total denied auths: 0
Total lost auths: 0
Thu Sep 17 18:21:10 2015 RADIUS-PLUGIN: FOREGROUND: OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY is called.
Thu Sep 17 18:21:10 2015 RADIUS-PLUGIN: FOREGROUND: Key: 172.16.114.1:52042.
Thu Sep 17 18:21:10 2015 RADIUS-PLUGIN: FOREGROUND THREAD: New user from OpenVPN!
Thu Sep 17 18:21:10 2015 RADIUS-PLUGIN: FOREGROUND THREAD: New user.
Thu Sep 17 18:21:10 2015 RADIUS-PLUGIN: FOREGROUND THREAD: New user: username: teddy, password: *****, newuser ip: 172.16.114.1, newuser port: 52042 .
Thu Sep 17 18:21:10 2015 RADIUS-PLUGIN: BACKGROUND AUTH: New user auth: username: teddy, password: *****, calling station: 172.16.114.1, commonname: client_vpnuin.
Thu Sep 17 18:21:10 2015 RADIUS-PLUGIN: radius_server().
Thu Sep 17 18:21:10 2015 RADIUS-PLUGIN: Build password packet: password: *****, sharedSecret: *****.
Thu Sep 17 18:21:10 2015 RADIUS-PLUGIN: Send packet to 127.0.0.1.
Thu Sep 17 18:21:11 2015 RADIUS-PLUGIN: Got no response from radius server.
Thu Sep 17 18:21:11 2015 Thu Sep 17 18:21:11 2015 RADIUS-PLUGIN: FOREGROUND THREAD: Error receiving auth confirmation from background process.
Thu Sep 17 18:21:11 2015 RADIUS-PLUGIN: FOREGROUND THREAD: Waiting for new user.
Error: RADIUS-PLUGIN: BACKGROUND AUTH: Auth failed!.
Thu Sep 17 18:21:11 2015 us=503093 172.16.114.1:52042 PLUGIN_CALL: POST /usr/lib/openvpn/radiusplugin.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1
Thu Sep 17 18:21:11 2015 us=503119 172.16.114.1:52042 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /usr/lib/openvpn/radiusplugin.so
Thu Sep 17 18:21:11 2015 us=503166 172.16.114.1:52042 TLS Auth Error: Auth Username/Password verification failed for peer
Cornelius Kölbel
look at the output of freeradius -X.
OpenVPN claims it gets no response from the radius server.
So the logical step is, to investigate the RADIUS service.
Kind regards
Cornelius
Teddy Azta
freeradius -X debug :
rad_recv: Access-Request packet from host 172.16.114.139 port 60198, id=182, length=126
User-Name = "teddy"
User-Password = "1234089024"
NAS-IP-Address = 127.0.0.1
NAS-Port = 1
Service-Type = Outbound-User
Calling-Station-Id = "172.16.114.1"
NAS-Identifier = "OpenVpn"
Acct-Session-Id = "8EA9045C3B62D32402673699DC5B79B5"
NAS-Port-Type = Sync
# Executing section authorize from file /etc/freeradius/sites-enabled/privacyidea
+- entering group authorize {...}
++[preprocess] returns ok
++[digest] returns noop
[suffix] No '@' in User-Name = "teddy", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[ntdomain] No '\' in User-Name = "teddy", looking up realm NULL
[ntdomain] No such realm "NULL"
++[ntdomain] returns noop
[files] users: Matched entry DEFAULT at line 1
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = Perl
# Executing group from file /etc/freeradius/sites-enabled/privacyidea
+- entering group Perl {...}
rlm_perl: Config File /etc/privacyIDEA/rlm_perl.ini not found!
rlm_perl: Default URL https://127.0.0.1/validate/check
rlm_perl: Looking for config for auth-type Perl
rlm_perl: Warning:
rlm_perl: Auth-Type: Perl
rlm_perl: url: https://127.0.0.1/validate/check
rlm_perl: user sent to privacyidea: teddy
rlm_perl: realm sent to privacyidea:
rlm_perl: resolver sent to privacyidea:
rlm_perl: client sent to privacyidea: 127.0.0.1
rlm_perl: state sent to privacyidea:
rlm_perl: urlparam user
rlm_perl: urlparam client
rlm_perl: urlparam pass
rlm_perl: Not verifying SSL certificate!
rlm_perl: privacyIDEA access granted
rlm_perl: return RLM_MODULE_OK
rlm_perl: Added pair Acct-Session-Id = 8EA9045C3B62D32402673699DC5B79B5
rlm_perl: Added pair NAS-Identifier = OpenVpn
rlm_perl: Added pair User-Name = teddy
rlm_perl: Added pair NAS-IP-Address = 127.0.0.1
rlm_perl: Added pair Calling-Station-Id = 172.16.114.1
rlm_perl: Added pair NAS-Port = 1
rlm_perl: Added pair NAS-Port-Type = Sync
rlm_perl: Added pair Service-Type = Outbound-User
rlm_perl: Added pair User-Password = 1234089024
rlm_perl: Added pair Reply-Message = privacyIDEA access granted
rlm_perl: Added pair Auth-Type = Perl
++[perl] returns ok
WARNING: Empty post-auth section. Using default return values.
Sending Access-Accept of id 182 to 172.16.114.139 port 60198
Reply-Message = "privacyIDEA access granted"
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Accounting-Request packet from host 172.16.114.139 port 43129, id=36, length=126
User-Name = "teddy"
NAS-IP-Address = 127.0.0.1
NAS-Port = 1
Service-Type = Outbound-User
Framed-Protocol = PPP
Framed-IP-Address = 10.29.9.6
Calling-Station-Id = "172.16.114.1"
NAS-Identifier = "OpenVpn"
Acct-Status-Type = Start
Acct-Session-Id = "8EA9045C3B62D32402673699DC5B79B5"
NAS-Port-Type = Sync
# Executing section preacct from file /etc/freeradius/sites-enabled/privacyidea
+- entering group preacct {...}
[suffix] No '@' in User-Name = "teddy", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[files] returns noop
WARNING: Empty accounting section. Using default return values.
Finished request 1.
Cleaning up request 1 ID 36 with timestamp +21
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Accounting-Request packet from host 172.16.114.139 port 43233, id=36, length=126
User-Name = "teddy"
NAS-IP-Address = 127.0.0.1
NAS-Port = 1
Service-Type = Outbound-User
Framed-Protocol = PPP
Framed-IP-Address = 10.29.9.6
Calling-Station-Id = "172.16.114.1"
NAS-Identifier = "OpenVpn"
Acct-Status-Type = Start
# Executing section preacct from file /etc/freeradius/sites-enabled/privacyidea
+- entering group preacct {...}
[suffix] No '@' in User-Name = "teddy", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[files] returns noop
WARNING: Empty accounting section. Using default return values.
Jochen Hein
> there's something wrong with accounting freeradius.
> FYI, port 1813 has already opened.
--- a/freeradius/sites-available/privacyidea
+++ b/freeradius/sites-available/privacyidea
@@ -25,6 +25,7 @@ preacct {
}
accounting {
+ detail
}
Maybe that should be default?
Jochen
--
The only problem with troubleshooting is that the trouble shoots back.
Cornelius Kölbel
have you tried as Jochen suggested to add this to the accounting
section?
We see in the log you sent, the the FreeRADIUS authenticates
successfully.
You should now check the OpenVPN log, if there are some entries about
the OpenVPN-FreeRADIUS plugin.
Did you ever think about using the OpenVPN PAM-Plugin?
Kind regards
Cornelius
Teddy Azta
Hi Jochen,
Cornelius Kölbel
So the best way to always add OTP is to have a running setup with
passwords and then add OTP. This is easier to rule out other problems.
In you case there is a problem between the FeeeRADIUS and the OpenVPN
Plugin, that is not connected with authentication.
Without digging into it, I do not know, what this is.
Yes, you can use PAM, which is much simpler, since you do not require
the additional RADIUS server:
http://privacyidea.readthedocs.org/en/latest/application_plugins/openvpn.html
Kind regards
Cornelius
Am Samstag, den 19.09.2015, 23:02 -0700 schrieb Teddy Azta:
> Hi Jochen and Cornelius,
>
>
> I've tried jochen suggested. but it still gets some erros about
> accounting.
>
>
> here is my openvpn.log :
>
>
> Sun Sep 20 12:25:38 2015 RADIUS-PLUGIN: FOREGROUND:
> OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY is called.
>
> Sun Sep 20 12:25:38 2015 RADIUS-PLUGIN: FOREGROUND: Key:
> 172.16.114.1:57634.
>
> Sun Sep 20 12:25:38 2015 RADIUS-PLUGIN: FOREGROUND THREAD: New user
> from OpenVPN!
>
> Sun Sep 20 12:25:38 2015 RADIUS-PLUGIN: FOREGROUND THREAD: New user.
>
> Sun Sep 20 12:25:38 2015 RADIUS-PLUGIN: FOREGROUND THREAD: New user:
>
> Sun Sep 20 12:25:38 2015 RADIUS-PLUGIN: BACKGROUND AUTH: New user
> commonname: client_vpnuin.
>
>
> Sun Sep 20 12:25:38 2015 RADIUS-PLUGIN: Build password packet:
> password: *****, sharedSecret: *****.
>
> Sun Sep 20 12:25:38 2015 RADIUS-PLUGIN: Send packet to 172.16.114.139.
>
> Sun Sep 20 12:25:39 2015 RADIUS-PLUGIN: Get ACCESS_ACCEPT-Packet.
>
> Sun Sep 20 12:25:39 2015 RADIUS-PLUGIN: parse_response_packet().
>
> Sun Sep 20 12:25:39 2015 RADIUS-PLUGIN: BACKGROUND AUTH: routes: .
>
> Sun Sep 20 12:25:39 2015 RADIUS-PLUGIN: BACKGROUND AUTH: framed ip: .
>
> Sun Sep 20 12:25:39 2015 RADIUS-PLUGIN: No attributes Acct Interim
> Interval or bad length.
>
> Sun Sep 20 12:25:39 2015 RADIUS-PLUGIN: BACKGROUND AUTH: Acct Interim
> Interval: 0.
>
> Sun Sep 20 12:25:39 2015 RADIUS-PLUGIN: BACKGROUND AUTH:
> Reply-Message:privacyIDEA access granted
>
> Sun Sep 20 12:25:39 2015 RADIUS-PLUGIN: Client config file was not
> written, overwriteccfiles is false
>
> .Sun Sep 20 12:25:39 2015 RADIUS-PLUGIN: BACKGROUND AUTH: Auth
> succeeded in radius_server().
>
> Sun Sep 20 12:25:39 2015 RADIUS-PLUGIN: FOREGROUND THREAD:
> Authentication succeeded!
>
> Sun Sep 20 12:25:39 2015 RADIUS-PLUGIN: FOREGROUND THREAD: Received
> routes for user: .
>
> Sun Sep 20 12:25:39 2015 RADIUS-PLUGIN: FOREGROUND THREAD: Received
> framed ip for user: .
>
> Sun Sep 20 12:25:39 2015 RADIUS-PLUGIN: FOREGROUND THREAD: Receive
> acctinteriminterval 0 sec from backgroundprocess.
>
> Sun Sep 20 12:25:39 2015 RADIUS-PLUGIN: FOREGROUND THREAD: Add user to
> map.
>
> Sun Sep 20 12:25:39 2015 RADIUS-PLUGIN: FOREGROUND THREAD: Waiting for
> new user.
>
> Sun Sep 20 12:25:39 2015 us=280747 172.16.114.1:57634 PLUGIN_CALL:
> POST /usr/lib/openvpn/radiusplugin.so/PLUGIN_AUTH_USER_PASS_VERIFY
> status=0
>
> Sun Sep 20 12:25:39 2015 us=280790 172.16.114.1:57634 TLS:
> Username/Password authentication succeeded for username 'teddy'
>
> Sun Sep 20 12:25:39 2015 us=280926 172.16.114.1:57634 Data Channel
> Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
>
> Sun Sep 20 12:25:39 2015 us=280941 172.16.114.1:57634 Data Channel
> Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
>
> Sun Sep 20 12:25:39 2015 us=280989 172.16.114.1:57634 Data Channel
> Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
>
> Sun Sep 20 12:25:39 2015 us=281000 172.16.114.1:57634 Data Channel
> Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
>
> Sun Sep 20 12:25:39 2015 us=281047 172.16.114.1:57634 UDPv4 WRITE
> [126] to [AF_INET]172.16.114.1:57634: P_CONTROL_V1 kid=0 [ 39 ] pid=38
> DATA len=100
>
> Sun Sep 20 12:25:39 2015 us=281375 172.16.114.1:57634 UDPv4 WRITE
> [114] to [AF_INET]172.16.114.1:57634: P_CONTROL_V1 kid=0 [ ] pid=39
> DATA len=100
>
> Sun Sep 20 12:25:39 2015 us=281693 172.16.114.1:57634 UDPv4 WRITE [80]
> to [AF_INET]172.16.114.1:57634: P_CONTROL_V1 kid=0 [ ] pid=40 DATA
> len=66
>
> Sun Sep 20 12:25:39 2015 us=281850 172.16.114.1:57634 UDPv4 READ [22]
> from [AF_INET]172.16.114.1:57634: P_ACK_V1 kid=0 [ 38 ]
>
> Sun Sep 20 12:25:39 2015 us=281879 172.16.114.1:57634 UDPv4 READ [22]
> from [AF_INET]172.16.114.1:57634: P_ACK_V1 kid=0 [ 39 ]
>
> Sun Sep 20 12:25:39 2015 us=282776 172.16.114.1:57634 UDPv4 READ [22]
> from [AF_INET]172.16.114.1:57634: P_ACK_V1 kid=0 [ 40 ]
>
> Sun Sep 20 12:25:39 2015 us=282878 172.16.114.1:57634 Control Channel:
> TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
>
> Sun Sep 20 12:25:39 2015 us=282948 172.16.114.1:57634 [client_vpnuin]
> Peer Connection Initiated with [AF_INET]172.16.114.1:57634
>
> Sun Sep 20 12:25:39 2015 us=282993 client_vpnuin/172.16.114.1:57634
> MULTI_sva: pool returned IPv4=10.29.9.6, IPv6=(Not enabled)
>
> Sun Sep 20 12:25:39 2015 RADIUS-PLUGIN: FOREGROUND:
> OPENVPN_PLUGIN_CLIENT_CONNECT is called.
>
> Sun Sep 20 12:25:39 2015 RADIUS-PLUGIN: FOREGROUND: Key:
> 172.16.114.1:57634.
>
> Sun Sep 20 12:25:39 2015 RADIUS-PLUGIN: FOREGROUND: Set FramedIP to
> the IP (10.29.9.6) OpenVPN assigned to the user teddy
>
> Sun Sep 20 12:25:39 2015 RADIUS-PLUGIN: FOREGROUND: Add user for
> accounting: username: teddy, commonname: client_vpnuin
>
> Sun Sep 20 12:25:39 2015 RADIUS-PLUGIN: BACKGROUND ACCT: Get a
> command.
>
> Sun Sep 20 12:25:39 2015 RADIUS-PLUGIN: BACKGROUND ACCT: New User.
>
> Sun Sep 20 12:25:39 2015 RADIUS-PLUGIN: BACKGROUND ACCT: New user
> acct: username: teddy, interval: 0, calling station: 172.16.114.1,
> commonname: client_vpnuin, framed ip: 10.29.9.6.
>
> Sun Sep 20 12:25:40 2015 RADIUS-PLUGIN: BACKGROUND ACCT: Error: Start
> packet couldn't send.
>
>
> !
>
> Sun Sep 20 12:25:40 2015 Error: RADIUS-PLUGIN: FOREGROUND: Accounting
> failed for user:teddy!
>
> Sun Sep 20 12:25:40 2015 us=286320 client_vpnuin/172.16.114.1:57634
> PLUGIN_CALL:
> POST /usr/lib/openvpn/radiusplugin.so/PLUGIN_CLIENT_CONNECT status=1
>
> Sun Sep 20 12:25:40 2015 us=286339 client_vpnuin/172.16.114.1:57634
> PLUGIN_CALL: plugin function PLUGIN_CLIENT_CONNECT failed with status
> 1: /usr/lib/openvpn/radiusplugin.so
>
> Sun Sep 20 12:25:40 2015 us=286354 client_vpnuin/172.16.114.1:57634
> WARNING: client-connect plugin call failed
>
> Sun Sep 20 12:25:41 2015 us=787447 client_vpnuin/172.16.114.1:57634
> UDPv4 READ [104] from [AF_INET]172.16.114.1:57634: P_CONTROL_V1 kid=0
> [ ] pid=40 DATA len=90
>
> Sun Sep 20 12:25:41 2015 us=787612 client_vpnuin/172.16.114.1:57634
> PUSH: Received control message: 'PUSH_REQUEST'
>
> Sun Sep 20 12:25:41 2015 us=787671 client_vpnuin/172.16.114.1:57634
> Delayed exit in 5 seconds
>
> Sun Sep 20 12:25:41 2015 us=787723 client_vpnuin/172.16.114.1:57634
> SENT CONTROL [client_vpnuin]: 'AUTH_FAILED' (status=1)
>
> Sun Sep 20 12:25:41 2015 us=787767 client_vpnuin/172.16.114.1:57634
> UDPv4 WRITE [22] to [AF_INET]172.16.114.1:57634: P_ACK_V1 kid=0 [ 40 ]
>
> Sun Sep 20 12:25:41 2015 us=788111 client_vpnuin/172.16.114.1:57634
> UDPv4 WRITE [104] to [AF_INET]172.16.114.1:57634: P_CONTROL_V1 kid=0
> [ ] pid=41 DATA len=90
>
> Sun Sep 20 12:25:43 2015 us=890129 client_vpnuin/172.16.114.1:57634
> UDPv4 WRITE [104] to [AF_INET]172.16.114.1:57634: P_CONTROL_V1 kid=0
> [ ] pid=41 DATA len=90
>
> Sun Sep 20 12:25:46 2015 us=994014 client_vpnuin/172.16.114.1:57634
> SIGTERM[soft,delayed-exit] received, client-instance exiting
>
>
> it still error at ACCT.
>
>
> yes, i did cornelius. so when i use openvpn-pam plugin, i don't need
> freeradius anymore, isn't it ?
>
> my purpose is to authenticate the openvpn with otp like privacyidea,
> and i stuck at this errors
>
> --
> You received this message because you are subscribed to the Google
> Groups "privacyidea" group.
> To unsubscribe from this group and stop receiving emails from it, send
> an email to privacyidea...@googlegroups.com.
> To post to this group, send email to priva...@googlegroups.com.
> To view this discussion on the web visit
Cornelius Kölbel
I will add "detail" to the default accounting.
THanks a lot and kind regards
Cornelius
Am Samstag, den 19.09.2015, 23:59 -0700 schrieb Teddy Azta:
> Hi Jochen.
>
>
> Thank you so much, i've tried your suggestions and my server works
> now !
> i found that problem is in /sites-available and /sites-enabled i
> should add "detail" in accounting.
>
>
> anyway, thanks buddy, you save my life :D
> You received this message because you are subscribed to the Google
> Groups "privacyidea" group.
> To unsubscribe from this group and stop receiving emails from it, send
> an email to privacyidea...@googlegroups.com.
> To post to this group, send email to priva...@googlegroups.com.
> To view this discussion on the web visit
Jochen Hein
Hello Cornelius,
Cornelius Kölbel <corneliu...@netknights.it> writes:
> Yes, you can use PAM, which is much simpler, since you do not require
> the additional RADIUS server:
> http://privacyidea.readthedocs.org/en/latest/application_plugins/openvpn.html
http://privacyidea.readthedocs.org/en/latest/application_plugins/index.html
Is this intentional?
If you are interested I can add documentation about the RADIUS
cofigration to openvpn.html - both direct and via PAM.
My internet accessible machine runs Debian stable and I really prefer to
run only Debian packages on the host - so using privacyidea_pam.py is
not what I want. And I ran RADIUS already years ago and was quite happy.
So I did try both openvpn->radius and openvpn->pam->radius and have both
working.
And while we are talking about RADIUS:
,----
In your packages you use /etc/privacyidea in lowercase and in
privacyidea_radius.pm line 92 and 198 you refer to
/opt/privacyIDEA/rlm_perl.ini. It might be hard to update existing
documenation and installations automatically, but I'd prefer to use
/etc/privacyidea/rlm_perl.ini as the config file.
Cornelius Kölbel
Am Montag, den 21.09.2015, 23:10 +0200 schrieb Jochen Hein:
> Hello Cornelius,
>
> Cornelius Kölbel <corneliu...@netknights.it> writes:
>
> > Yes, you can use PAM, which is much simpler, since you do not require
> > the additional RADIUS server:
> > http://privacyidea.readthedocs.org/en/latest/application_plugins/openvpn.html
>
> This page is not referenced from
> http://privacyidea.readthedocs.org/en/latest/application_plugins/index.html
> Is this intentional?
>
> If you are interested I can add documentation about the RADIUS
> cofigration to openvpn.html - both direct and via PAM.
>
> My internet accessible machine runs Debian stable and I really prefer to
> run only Debian packages on the host - so using privacyidea_pam.py is
> not what I want. And I ran RADIUS already years ago and was quite happy.
> So I did try both openvpn->radius and openvpn->pam->radius and have both
> working.
>
> And while we are talking about RADIUS:
>
> ,----
> | rlm_perl: Config File /etc/privacyIDEA/rlm_perl.ini not found!
> `----
>
> In your packages you use /etc/privacyidea in lowercase and in
> privacyidea_radius.pm line 92 and 198 you refer to
> /opt/privacyIDEA/rlm_perl.ini. It might be hard to update existing
> documenation and installations automatically, but I'd prefer to use
> /etc/privacyidea/rlm_perl.ini as the config file.
I also though about moving the file to the /etc directory.
https://github.com/privacyidea/privacyidea/issues/207
Thanks a lot and kind regards
Cornelius
>
> Jochen