OpenVPN Auth failure


taphil...@gainsight.com

Mar 30, 2017, 10:05:08 PM3/30/17
to RCDevs Security Solutions - Technical
Hi

We are configuring an OpenVPN with the OpenOTP feature. We are in a blocker where passing Username / Password+OTP is failing.


Following is the error that the Radius server is reporting:

Thu Mar 30 10:56:27 2017 : Auth: Invalid user: [UserName/\261\262U\211X׹/\006g\220\3611S{Zn\342\230\307\350͑Z\220&\t{\373o\324\001\345\312\016=Q|iP#\236\206\3409] (from client 0.0.0.0/0 port 1 cli Client Public IP)

Server.conf

port 1194
proto udp
dev tun1
fragment 1400
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
server 5.5.32.0 255.255.255.0
comp-lzo no
user nobody
group users
persist-key
persist-tun
status /var/log/openvpn-status.log
duplicate-cn
plugin /etc/openvpn/radiusplugin.so /etc/openvpn/radiusplugin.cnf
tmp-dir "/etc/openvpn/tmp/"
log /var/log/openvpn.log
mode server
tls-server
verb 7
cipher AES-256-CBC
#auth MD5
#link-mtu 1500
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.8.4"
#client-to-client
duplicate-cn
local 10.0.0.127
ifconfig-pool-persist ipp.txt
push "persist-key"
push "persist-tun"
ifconfig 5.5.32.1 5.5.32.2
keysize 256
dev-type tun
#auth-user-pass-verify
#plugin /usr/lib64/openvpn/plugin/lib/openvpn-auth-pam.so openvpn
#
tun-mtu 1500


Client Conf

auth SHA1
ca ca.crt
cert client.crt
key client.key
cipher AES-256-CBC
client
comp-lzo no
fragment 1400
dev tun0
keysize 256
persist-key
persist-tun
ping 15
ping-exit 15
ping-restart 0
proto udp
remote VPNSERVER 1194 udp
tls-client
verb 3
resolv-retry infinite
key client.key
ns-cert-type server
#script-security 2
#up /etc/openvpn/update-resolv-conf.sh
#down /etc/openvpn/update-resolv-conf.sh
redirect-gateway def1 bypass-dhcp
pull
nobind
dev-type tun
#link-mtu 1558
mssfix
setenv FORWARD_COMPATIBLE 1
ifconfig 5.5.32.2 5.5.32.1
#tun-mtu-extra 32
tun-mtu 1500




Further, running the Radius server in debug mode, the following was captured:


rad_recv: Access-Request packet from host 10.0.0.127 port 37454, id=119, length=167
        User-Name = "UserNAME"
        User-Password = "\270E\237\366Xm\302s\022\254\242\264\216\236+\301\003\036\177\024\241\233\357\230`g/\2036\036}1֭\007ս\317b)\306y\357͹\355ش"
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 1
        Service-Type = Outbound-User
        Calling-Station-Id = "Public_IP"
        NAS-Identifier = "OpenVpn"
        Acct-Session-Id = "CC0B4006AA7BD6A20E7940D398CA8A27"
        NAS-Port-Type = Virtual
# Executing section authorize from file /opt/radiusd/conf/radiusd.conf
+group authorize {
[eap] No EAP-Message, not doing EAP
++[eap] = noop
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] = noop
rlm_openotp: Invalid "User-Password" attribute (bad format or wrong RADIUS secret)
++[openotp] = invalid
+} # group authorize = invalid
Invalid user: [taphilix-dev/\270E\237\366Xm\302s\022\254\242\264\216\236+\301\003\036\177\024\241\233\357\230`g/\2036\036}1֭\007ս\317b)\306y\357͹\355ش] (from client 0.0.0.0/0 port 1 cli <PublicIP>)
Using Post-Auth-Type Reject
  WARNING: Unknown value specified for Post-Auth-Type.  Cannot perform requested action.
Sending Access-Reject of id 119 to 10.0.0.127 port 37454
Finished request 3.
Going to the next request
Waking up in 9.9 seconds.
Cleaning up request 3 ID 119 with timestamp +505


We suspect the password is getting garbled.

Please find the contents of radiusplugin.cnf

NAS-Identifier=OpenVpn
Service-Type=5
Framed-Protocol=1
NAS-Port-Type=5
NAS-IP-Address=127.0.0.1
OpenVPNConfig=/etc/openvpn/server.conf
overwriteccfiles=true
nonfatalaccounting=false
server
{
   name=127.0.0.1
   acctport=1813
   authport=1812
   retry=3
   wait=3
   sharedsecret=testing
}

Please find the contents of clients.conf; the shared secret is the same.

[root@ip-10-0-0-127 radiusplugin_v2.0c_beta]# egrep -v "#"   /opt/radiusd/conf/clients.conf
client 0.0.0.0/0 {
   secret = testing
}


Radtest works perfectly OK.

Not sure what needs to be checked further.

Can someone please help me to fix this issue?

Thanks
Philix


Yoann Traut (RCDevs)

Mar 31, 2017, 4:31:24 AM3/31/17
to RCDevs Security Solutions - Technical
Hello, 

Where is the RADIUS Bridge installed? Is your VPN server installed on your WebADM server? I ask because in radiusplugin.cnf the IP address of the RADIUS server is 127.0.0.1.
Could you show me the file /opt/radiusd/conf/openotp.conf?

In the radiusplugin.cnf file, could you set the following parameters:

   name=radius_bridge_ip_address    (
   acctport=1813
   authport=1812
   retry=1
   wait=10
   sharedsecret = testing

Do you have any logs in WebADM during an authentication ? If yes, could you send logs please ? 

BR 

Administrators

Mar 31, 2017, 11:18:38 AM3/31/17
to RCDevs Security Solutions - Technical
Only two things can cause this:

1) The RADIUS secret is not the same on the OpenVPN and OpenOTP RADIUS Bridge.
2) The password format is a hashed value (which is not supported by OpenOTP).

Check the auth SHA1. The password must be provided as is to RADIUS Bridge (not hashed).
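The rlm_openotp message in the debug output ("bad format or wrong RADIUS secret") follows from how RFC 2865 hides User-Password: the password is padded with NULs to 16-byte blocks and each block is XORed with MD5(secret + previous block), seeded with the Request Authenticator. With a different secret on the NAS and the server, or a value that was never a plaintext password, the unhidden bytes are random garbage. The check below is an added example, not code from the thread, from OpenVPN or from RCDevs; it assumes the shared secret "testing" from the thread and a constructed Request Authenticator.

```python
import hashlib

# Both helpers implement RFC 2865 section 5.2 (User-Password hiding).
def radius_pw_hide(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Pad to a multiple of 16, then XOR block i with MD5(secret + block i-1);
    block -1 is the 16-byte Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += block
        prev = block          # chaining uses the *hidden* block
    return out


def radius_pw_reveal(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of radius_pw_hide; returns the padded plaintext."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(a ^ b for a, b in zip(block, key))
        prev = block
    return out


def check_user_password(hidden: bytes, secret: bytes, authenticator: bytes):
    """Return (ok, value). ok is False when the attribute cannot be a
    correctly hidden printable password under this secret: wrong length,
    non-NUL bytes after the first NUL (broken padding), or non-printable
    bytes. That is the situation the "bad format or wrong secret" log
    line describes."""
    if not hidden or len(hidden) % 16 or len(hidden) > 128:
        return False, b""
    plain = radius_pw_reveal(hidden, secret, authenticator)
    pw = plain.split(b"\x00", 1)[0]
    if plain[len(pw):].strip(b"\x00"):          # padding must be all NULs
        return False, plain
    if not all(0x20 <= c < 0x7F for c in pw):   # password+OTP is printable
        return False, plain
    return True, pw


if __name__ == "__main__":
    auth = bytes(range(16))                      # constructed authenticator
    hidden = radius_pw_hide(b"Secret123+123456", b"testing", auth)
    print(check_user_password(hidden, b"testing", auth))      # (True, b'Secret123+123456')
    print(check_user_password(hidden, b"wrongsecret", auth))  # (False, <garbage>)
```

Running it with the wrong secret reproduces the failure mode from the thread: the decoded attribute has no printable password followed by NUL padding, so a server that expects a plaintext password (as OpenOTP does) has nothing usable to forward.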

taphil...@gainsight.com

Apr 3, 2017, 7:50:12 AM4/3/17
to RCDevs Security Solutions - Technical
Hi Yoann

Your guess is right; the Radius server is installed and working on the same server as the WebADM server.

Please find the contents of /opt/radiusd/conf/openotp.conf

[root@ip-10-0-0-127 ~]# egrep -v "#"   /opt/radiusd/conf/openotp.conf

server_url = "http://127.0.0.1:8080/openotp/"
Data_is_vps = yes
Default_domain = "Default"
domain_separator = "\\"
password_mode = 3
password_separator = "+"

As you can see from the output below, we have already set the contents of radiusplugin.cnf in the following fashion:

[root@ip-10-0-0-127 ~]# egrep -v "#"   /etc/openvpn/radiusplugin.cnf
NAS-Identifier=OpenVpn
Service-Type=5
Framed-Protocol=1
NAS-Port-Type=5
NAS-IP-Address=127.0.0.1
OpenVPNConfig=/etc/openvpn/server.conf
overwriteccfiles=true
nonfatalaccounting=false
server
{
   name=127.0.0.1
   acctport=1813
   authport=1812
   retry=3
   wait=3
   sharedsecret=testing
}

We don't see any logs coming up in WebADM during the authentication,
but we do see successful WebADM logs during the radtest authentication.

Thanks
Philix

Yoann Traut (RCDevs)

Apr 3, 2017, 11:13:44 AM4/3/17
to RCDevs Security Solutions - Technical
Hello, 

You forgot to answer my previous question: is your OpenVPN server installed on your WebADM server?

BR 

taphil...@gainsight.com

Apr 4, 2017, 1:37:11 AM4/4/17
to RCDevs Security Solutions - Technical
Hi Administrator

You are right

After setting auth MD5 on both client and server, it started to work seamlessly.

Thanks for your help

Regards
Philix

taphil...@gainsight.com

Apr 4, 2017, 1:39:31 AM4/4/17
to RCDevs Security Solutions - Technical
Yes Yoann

The VPN server works on the same instance of WebADM server

Thanks for your help

It has now started to work, after syncing the auth setting as MD5 in both the server and client configs.

Regards
Philix