Openvpn PAP auth failure


Jimothy Dandy

Oct 23, 2017, 11:59:09 AM
to RCDevs Security Solutions - Technical
I'm demoing RCDevs packages and have set up an OpenOTP server. On this server I've configured RADIUS, and radtest responds to the AD user password with a time-based token, which I successfully input on my mobile.

I changed the OpenVPN Access Server to authenticate using PAP to the OpenOTP server's IP and use ports 1812 and 1813. Seems to all be working. However, when I move to the OpenVPN Access Server webpage, I enter my user's credentials in the web interface and the user just sees a spinning (loading) wheel on the web page with eventual failure.

RADIUSD (debug):

(0) Received Access-Request Id 251 from 10.1.20.99:48424 to 10.1.20.89:1812 length 72
(0)   NAS-Identifier = "OpenVPN.hackvpn01"
(0)   User-Name = "testotp"
(0)   User-Password = "Dn\355}\305oDZ\t\313\023\274\234Zo\317"
(0)   Service-Type = Authenticate-Only
(0) # Executing section authorize from file /opt/radiusd/conf/radiusd.conf
(0)   authorize {
(0) eap: No EAP-Message, not doing EAP
(0)     [eap] = noop
(0) pap: WARNING: No "known good" password found for the user.  Not setting Auth-Type
(0) pap: WARNING: Authentication will fail unless a "known good" password is available
(0)     [pap] = noop
rlm_openotp: Invalid "User-Password" attribute (bad format or wrong RADIUS secret)
(0)     [openotp] = invalid
(0)   } # authorize = invalid
(0) Invalid user: [testotp] (from client any port 0)
(0) Using Post-Auth-Type Reject
(0) Post-Auth-Type sub-section not found.  Ignoring.
(0) Login incorrect: [testotp] (from client any port 0)
(0) Sent Access-Reject Id 251 from 10.1.20.89:1812 to 10.1.20.99:48424 length 0
(0) Finished request

As per RCDevs recommendations, I have not altered radiusd.conf.

Here's clients.conf:

client 10.1.20.99 {
    ipaddr = 127.0.0.1        # block is named for the OpenVPN AS address but binds the loopback
    secret = mysharedsecret
}
client any {
    ipaddr = *                # catch-all; the debug output above shows the request matched "client any"
    secret = mysharedsecret
}

My openotp.conf:
server_url = "http://127.0.0.1:8080/openotp/"  #All else has been left default
password_mode = 0



My goal is to have the users hit the VPN's webpage, enter their AD password and be prompted to enter their OTP time-based token.

Help would be appreciated. I'm at an impasse; this is my first time implementing OpenVPN and RCDevs, and I'm running out of time ;)

RCDevs: nicely done packages!

Thanks,
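
The radiusd debug output above shows what the server actually receives for PAP: a User-Password attribute that is not the cleartext password but the RFC 2865 section 5.2 "hidden" form, XORed with MD5(shared secret || Request Authenticator). The value in the log is 16 bytes, i.e. exactly one block, so its length is well formed; the rlm_openotp message "bad format or wrong RADIUS secret" then points at the secret, or at which clients.conf entry the request was matched to. The following Python is an added example, not code from the thread or from RCDevs: it implements the RFC 2865 hiding on the NAS side and the unhiding on the server side, and sorts an incoming attribute into "bad format" (length rule violated), "ok" (unhides to printable text) or "probably wrong secret". The secret `mysharedsecret` is taken from the posted clients.conf; the password, the mismatched secret and the Request Authenticator are constructed values, since the authenticator is not printed in the debug output. The printable-text heuristic is this example's own, not rlm_openotp's actual check.

```python
# Added example (not from the thread or RCDevs): RFC 2865 section 5.2
# User-Password hiding for PAP, plus the checks a RADIUS server can run
# on the attribute before handing the password to an OTP/AD backend.
import hashlib

# Constructed sample values for a stand-alone run.  The real Request
# Authenticator is 16 random bytes chosen by the NAS per request and is
# not shown in the radiusd debug output on this page.
SECRET_GOOD = b"mysharedsecret"      # the secret from the posted clients.conf
SECRET_BAD = b"wrong-secret"         # constructed: what a mismatched NAS would use
AUTHENTICATOR = bytes(range(16))     # constructed, fixed for repeatability
PASSWORD = b"Secret123!"             # constructed AD password


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Hide a PAP password the way a RADIUS client (NAS) does.

    The password is NUL-padded to a multiple of 16 bytes; block i is
    XORed with b_i = MD5(secret + c_(i-1)), where c_0 is the 16-byte
    Request Authenticator and c_i is the previous hidden block.
    """
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("PAP password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden = bytearray()
    prev = authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        hidden += block
        prev = block
    return bytes(hidden)


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Reverse hide_password on the server side and strip the NUL padding.

    Raises ValueError when the attribute is malformed: RFC 2865 requires
    a length of 16..128 bytes that is a multiple of 16.
    """
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 16 <= len(hidden) <= 128 or len(hidden) % 16:
        raise ValueError("User-Password must be 16..128 bytes, a multiple of 16")
    plain = bytearray()
    prev = authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        plain += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return bytes(plain).rstrip(b"\x00")


def classify_user_password(hidden: bytes, secret: bytes, authenticator: bytes) -> str:
    """Sort an incoming User-Password into the two failure classes the
    rlm_openotp message lumps together, plus the good case.

    "wrong secret" is a heuristic of this example: unhiding with the
    wrong secret yields pseudo-random bytes, while a PAP password typed
    into a web login form is printable text.
    """
    try:
        plain = reveal_password(hidden, secret, authenticator)
    except ValueError:
        return "bad format"
    if plain and all(0x20 <= b < 0x7F for b in plain):
        return "ok"
    return "wrong secret (probably)"


if __name__ == "__main__":
    hidden = hide_password(PASSWORD, SECRET_GOOD, AUTHENTICATOR)
    print("hidden attribute:", hidden.hex(), f"({len(hidden)} bytes)")
    for label, secret in (("matching secret", SECRET_GOOD),
                          ("mismatched secret", SECRET_BAD)):
        print(f"{label}: {classify_user_password(hidden, secret, AUTHENTICATOR)}")
    print("15-byte attribute:",
          classify_user_password(hidden[:15], SECRET_GOOD, AUTHENTICATOR))
```

The takeaway for debugging the thread's symptom: a PAP request that reaches the server with a well-formed 16-byte User-Password but unhides to garbage means the NAS and the matched `client` block disagree on the secret; checking which block FreeRADIUS matched (the log says `from client any`) is the first thing to verify.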

Jimothy Dandy

Oct 23, 2017, 2:03:19 PM
to RCDevs Security Solutions - Technical
FIXED!!!!

Silly error.

Turns out I needed to uncomment the following line and add the hostname in /opt/radiusd/conf/clients.conf:

shortname = HostNameofOpenVPNserver


Bilal AlAli

Oct 26, 2017, 8:03:36 AM
to rcdevs-t...@googlegroups.com
Where is the best location for the RADIUS server, the RADIUS client and Active Directory? Which is the server and which is the client?

(  RCDev OTP )      ( Active Directory )  ( PFsense Firewall   +  OpenVPN )   ( Remote Client )

--
You received this message because you are subscribed to the Google Groups "RCDevs Security Solutions - Technical" group.
To unsubscribe from this group and stop receiving emails from it, send an email to rcdevs-technical+unsubscribe@googlegroups.com.
To post to this group, send email to rcdevs-technical@googlegroups.com.
Visit this group at https://groups.google.com/group/rcdevs-technical.
For more options, visit https://groups.google.com/d/optout.

Simon Hamilton

Oct 26, 2017, 8:44:10 AM
to rcdevs-t...@googlegroups.com
I have 2 separate servers. One is the OpenVPN Access Server, which authenticates using RADIUS to the RCDev OTP server.

As far as RADIUS is concerned, the OpenVPN Access Server is the radius client.  The RCDev OTP server is the RADIUS server.  The RCDev OTP server is "pointed" to the Active Directory domain controllers.

Hope that information helps.
