pfSense Gold Subscription

Author Topic: OpenVPN with DUO Security Authentication Proxy and Active Driectory  (Read 1523 times)

0 Members and 1 Guest are viewing this topic.

Offline an10bill

  • Jr. Member
  • **
  • Posts: 27
    • View Profile
OK, I'm trying to get at OpenVPN setup to work with SSL+TSL User Authentication with a DUO Security Authentication Proxy as Radius Backend, and the latter then configured to authenticate with Active Directory.

I've tried to follow several tutorials regarding OpenVPN on pfsense 2.0.1, adjusting them to my setup, but I cant make it work. Seems my user never gets authenticated:

Code: [Select]
CERBERUS] Peer Connection Initiated with 109.***.*.**:1194
Fri Aug 03 20:05:13 2012 AUTH: Received AUTH_FAILED control message

On my LAN interface I have two servers, one Windows 20008 R2, Domain Controller (10.0.0.10), and the Duo Security Authentication Proxy installed on a CentOS 6.3 box, running ip 10.0.0.11. The Duo Security configuration is set up with the IP to the DC, and a domain admin user for access, and the searchstring, DC=mydomain,DC.net
Also the configuration is setup as a Radius Generic Server, with client IP set to the pfsense LAN gw adress, 10.0.0.1. The DUO Sec API's, secrets etc are entered, and the shared secret is set to qwerty (not secure - but this is still not production)

On pfSense i have configured a Radius Server Backend, called it DUOSEC, configured as Radius, with server IP 10.0.0.11 (Duo security proxy), authentication only and port 1812. Shared secret is qwerty

I've then created a OpenVPN with the wizard, making the necessary certificates, and then adjusting the created OpenVPN server to use Radius backed, set it to DUOSEC and defined LAN network to 10.0.0.0/24 and tunnell network to 10.0.100.0/24. The wizard created the necessary rules, but I found that I also needed to open port 1812 on the WAN interface to the lan interface, if not - I would not reach the radius at all it seemed - connection just timed out.
With this rule, I get to the radius, but I always fail the authentication.

The connection flow is OpenVPN client, enter username and password (password is entered in a password,passcode format with the latter beeing the otp from duo security's android app). Connection is then made to OpenVPN server wich inturn authenticate towards the Duo Security Proxy wich then in turn authenticate with the AD, and verifies the duo security passcode. It should actually be quite a simple setup....

But I believe there might be a need for some rules, or I might have misunderstood how OpenVPN connects to the Radius (does it use LAN ip 10.0.0.1??, or WAN interface ip? In the radius authentication proxy I have to define the IP of the radius client (OpenVPN server) but I'm unsure as to what IP to use here....

Anybody have any suggestions? Or have anyone gotten DUO Security to work in another way with PFsense and OpenVPN?? DUO Security can integrate directly with OpenVPN too, but I don't like the idea to mess with the pfsense installation.... it feels more clean to use a dedicated generic radius proxy server.

Offline an10bill

  • Jr. Member
  • **
  • Posts: 27
    • View Profile
Re: OpenVPN with DUO Security Authentication Proxy and Active Driectory
« Reply #1 on: August 03, 2012, 03:02:41 pm »
OK, I think I found the problem - two of them actually, and theese have to be solved before the OpenVPN would work or further troubeshooting can be done.
First issue turned out to be CentOS having a builtin firewall ( ::)) Quite embarrased I dind't catch that earlier actually. I've opened the ports now - atleast an easy solve. :P

Next issue is way more major. It seems the entire Duo Auth Proxy service is not working. It was built and installed following a procedure from Duo Security (to the letter) and there were no errors - nevertheless, the service says it's running, but it's actually not listening. - There is nothing on the server listening on port 1812. Running "netstat -plant" shows nothing on port 1812 - and telnet'ing to the server on port 1812 - gets me no connection....

So actually the problem with VPN not authenticating is quite understandable, as the RADIUS is not listening for it's requests! :-\

I've sent an supportticket to Duo Security, and I'm awaiting their response.