OK, I'm trying to get an OpenVPN setup to work with SSL/TLS + User Authentication with a DUO Security Authentication Proxy as Radius backend, and the latter then configured to authenticate with Active Directory.
I've tried to follow several tutorials regarding OpenVPN on pfSense 2.0.1, adjusting them to my setup, but I can't make it work. Seems my user never gets authenticated:
CERBERUS] Peer Connection Initiated with 109.***.*.**:1194
Fri Aug 03 20:05:13 2012 AUTH: Received AUTH_FAILED control message
On my LAN interface I have two servers, one Windows 2008 R2 Domain Controller (10.0.0.10), and the Duo Security Authentication Proxy installed on a CentOS 6.3 box, running IP 10.0.0.11. The Duo Security configuration is set up with the IP of the DC, a domain admin user for access, and the search string DC=mydomain,DC.net
Also the configuration is set up as a Radius Generic Server, with client IP set to the pfSense LAN gw address, 10.0.0.1. The DUO Sec APIs, secrets etc. are entered, and the shared secret is set to qwerty (not secure - but this is still not production)
On pfSense I have configured a Radius Server Backend, called it DUOSEC, configured as Radius, with server IP 10.0.0.11 (Duo security proxy), authentication only and port 1812. Shared secret is qwerty
I've then created an OpenVPN with the wizard, making the necessary certificates, and then adjusted the created OpenVPN server to use the Radius backend, set it to DUOSEC and defined the LAN network as 10.0.0.0/24 and the tunnel network as 10.0.100.0/24. The wizard created the necessary rules, but I found that I also needed to open port 1812 on the WAN interface to the LAN interface; if not, I would not reach the radius at all it seemed - the connection just timed out.
With this rule, I get to the radius, but I always fail the authentication.
The connection flow is: OpenVPN client, enter username and password (password is entered in a password,passcode format with the latter being the OTP from Duo Security's Android app). Connection is then made to the OpenVPN server, which in turn authenticates towards the Duo Security Proxy, which then in turn authenticates with the AD and verifies the Duo Security passcode. It should actually be quite a simple setup....
But I believe there might be a need for some rules, or I might have misunderstood how OpenVPN connects to the Radius (does it use LAN IP 10.0.0.1??, or the WAN interface IP?). In the radius authentication proxy I have to define the IP of the radius client (OpenVPN server) but I'm unsure as to what IP to use here....
Anybody have any suggestions? Or has anyone gotten DUO Security to work in another way with pfSense and OpenVPN?? DUO Security can integrate directly with OpenVPN too, but I don't like the idea of messing with the pfSense installation.... it feels cleaner to use a dedicated generic radius proxy server.
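An added example, not code from the post or from Duo/pfSense: a small stdlib Python RADIUS client that sends one PAP Access-Request straight to the proxy on UDP 1812 and checks the Response Authenticator (RFC 2865), so the shared secret and the client-IP setting can be verified independently of OpenVPN. The server address, user name and the password,passcode value below are constructed placeholders.

```python
# Added example (not from the post): a stdlib RADIUS/PAP test client, RFC 2865.
import hashlib
import os
import socket
import struct
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2

def attr(atype, value):
    return struct.pack("!BB", atype, len(value) + 2) + value  # Type-Length-Value

def pap_xor(secret, authenticator, data, reveal=False):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block).
    reveal=False hides a plaintext password (client side); reveal=True undoes it."""
    if not reveal:  # pad the plaintext to a multiple of 16 bytes with NULs
        data = data.ljust(-(-len(data) // 16) * 16, b"\0")
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], key))
        prev = data[i:i + 16] if reveal else block  # chain on the ciphertext block
        out += block
    return out.rstrip(b"\0") if reveal else out

def build_access_request(secret, user, password, ident=1, auth=None):
    """Return (Access-Request packet, its 16-byte Request Authenticator)."""
    auth = auth or os.urandom(16)
    attrs = attr(USER_NAME, user) + attr(USER_PASSWORD, pap_xor(secret, auth, password))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + auth + attrs, auth

def build_response(secret, code, ident, request_auth, attrs=b""):
    """What the server sends back; Response Authenticator per RFC 2865 section 3."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs

def check_response(secret, request_auth, packet):
    """'accept'/'reject' if the reply is authentic, else None (wrong secret or forgery)."""
    code, ident, _ = struct.unpack("!BBH", packet[:4])
    if build_response(secret, code, ident, request_auth, packet[20:]) != packet:
        return None
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(code)

def probe(server, secret, user, password, timeout=5):
    """Send one request to the proxy's UDP 1812 and verify the reply (needs the network)."""
    packet, req_auth = build_access_request(secret, user, password)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (server, 1812))
        return check_response(secret, req_auth, sock.recvfrom(4096)[0])
```

Run `probe("10.0.0.11", b"qwerty", b"<user>", b"<password>,<passcode>")` from the pfSense box itself, since the proxy identifies the RADIUS client by the UDP source address of the request. A result of None means the reply failed the shared-secret check, while "reject" means the secret and client IP are right and the failure is on the proxy or AD side.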