OpenVPN integration


Teun
Apr 6, 2012, 7:48:10 AM
to RCDevs Security Solutions - Technical
Hi,

I'm trying to build a (test-)setup for openvpn with openotp
authentication using the radiusplugin. I get to the point where
authentication works just fine, but the VPN connection isn't
established due to accounting problems.

The openvpn logs show:

Fri Apr 6 13:35:04 2012 RADIUS-PLUGIN: FOREGROUND: OPENVPN_PLUGIN_CLIENT_CONNECT is called.
Fri Apr 6 13:35:04 2012 RADIUS-PLUGIN: FOREGROUND: Commonname set to Username
Fri Apr 6 13:35:04 2012 RADIUS-PLUGIN: FOREGROUND: Key: a.b.c.d:59406.
Fri Apr 6 13:35:04 2012 RADIUS-PLUGIN: FOREGROUND: Set FramedIP to the IP (192.168.255.21) OpenVPN assigned to the user teun
Fri Apr 6 13:35:04 2012 RADIUS-PLUGIN: FOREGROUND: Add user for accounting: username: teun, commonname: teun
Fri Apr 6 13:35:04 2012 RADIUS-PLUGIN: BACKGROUND ACCT: Get a command.
Fri Apr 6 13:35:04 2012 RADIUS-PLUGIN: BACKGROUND ACCT: New User.
Fri Apr 6 13:35:04 2012 RADIUS-PLUGIN: BACKGROUND ACCT: New user acct: username: teun, interval: 0, calling station: a.b.c.d, commonname: teun, framed ip: 192.168.255.21.
Fri Apr 6 13:35:08 2012 RADIUS-PLUGIN: BACKGROUND-ACCT: Error on receiving radius response, code: -12
Fri Apr 6 13:35:08 2012 RADIUS-PLUGIN: BACKGROUND ACCT: Error: Accounting failed.
!
Fri Apr 6 13:35:08 2012 Error: RADIUS-PLUGIN: FOREGROUND: Accounting failed for user:teun!

Fri Apr 6 13:35:08 2012 us=312502 teun/a.b.c.d:59406 PLUGIN_CALL: POST /usr/lib/openvpn/radiusplugin.so/PLUGIN_CLIENT_CONNECT status=1
Fri Apr 6 13:35:08 2012 us=312542 teun/a.b.c.d:59406 PLUGIN_CALL: plugin function PLUGIN_CLIENT_CONNECT failed with status 1: /usr/lib/openvpn/radiusplugin.so


As you can see, auth goes well, a tunnel IP address is even assigned.
The plugin fails on accounting it seems.
Checking on the openotp server (the vmware image) I see:

Auth: rlm_openotp: OpenOTP Authentication succeeded

Also, after adding some additional accounting settings in the radiusd
I see:

bash-3.2# cat accounting.log
Packet-Type = Access-Request
User-Name = "teun"
User-Password = "test+709321"
NAS-IP-Address = 127.0.0.1
NAS-Port = 1
Service-Type = Outbound-User
Calling-Station-Id = "a.b.c.d"
NAS-Identifier = "OpenVpn"
Acct-Session-Id = "A3D0678A45DD2AE9468ED286172071AB"
NAS-Port-Type = Virtual

So both authentication and accounting work as far as I can tell, yet
the openvpn connection fails. I'm a bit lost as to which part of the setup
is causing these problems: radiusplugin or the radiusd on openotp.

Any hints (or a working sample config of openvpn/radiusplugin/openotp)
would be greatly appreciated.

Administrators
Apr 7, 2012, 8:59:03 AM
to RCDevs Security Solutions - Technical
RB provides the accounting service by default, and accounting is on
port 1813. This setup already works for users (with OpenVPN).
-> Use the latest RB with the default /opt/radiusd/conf/radiusd.conf
file.

Teun
Apr 25, 2012, 10:03:10 AM
to rcdevs-t...@googlegroups.com
To answer my own question: this was caused by the firewall configuration in the VMWare image which blocked the accounting data.

If you add the following line to /etc/sysconfig/iptables after the Radius line for port 1812 it works:
-A INPUT -p udp -m udp --dport 1813 -j ACCEPT


Teun