pfSense Forum

pfSense English Support => OpenVPN => Topic started by: mislav on February 06, 2018, 07:04:39 pm

Title: Openvpn + freeradius - unable to log in into VPN
Post by: mislav on February 06, 2018, 07:04:39 pm
Hi. Today I upgraded my pfSense machine from 2.3.x to 2.4.2, and after this update our OpenVPN + FreeRADIUS has stopped working. Any ideas why?

I've tried both with existing user logins (both mOTP and plain-text password) and with creating NEW user credentials; the result is the same: unable to log in to the VPN.

I've attached the full output I got when running FreeRADIUS in debug mode:
/usr/local/etc/rc.d/radiusd debug

Also, on the dashboard, I've noticed under VPN there is always this message when connecting:
[error]   Unable to contact daemon0   Service not running?

Here is also the output from the Viscosity client connection log:
vlj 07 1:53:07: State changed to Connecting
vlj 07 1:53:07: Viscosity Windows 1.7.6 (1540)
vlj 07 1:53:07: Running on Microsoft Windows 7 Ultimate
vlj 07 1:53:07: Running on .NET Framework Version 4.5.51209.379893
vlj 07 1:53:07: Bringing up interface...
vlj 07 1:53:07: Checking reachability status of connection...
vlj 07 1:53:07: Connection is reachable. Starting connection attempt.
vlj 07 1:53:07: OpenVPN 2.4.4 Windows-MSVC [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Dec 19 2017
vlj 07 1:53:07: library versions: OpenSSL 1.0.2n  7 Dec 2017, LZO 2.09
vlj 07 1:53:33: WARNING: --ns-cert-type is DEPRECATED.  Use --remote-cert-tls instead.
vlj 07 1:53:33: TCP/UDP: Preserving recently used remote address: [AF_INET]HIDDENIP:1191
vlj 07 1:53:33: Attempting to establish TCP connection with [AF_INET]HIDDENIP:1191 [nonblock]
vlj 07 1:53:34: TCP connection established with [AF_INET]HIDDENIP:1191
vlj 07 1:53:34: TCP_CLIENT link local (bound): [AF_INET][undef]:0
vlj 07 1:53:34: TCP_CLIENT link remote: [AF_INET]HIDDENIP:1191
vlj 07 1:53:34: State changed to Authenticating
vlj 07 1:53:36: [vpn1_ssl_2017] Peer Connection Initiated with [AF_INET]HIDDENIP:1191
vlj 07 1:53:37: State changed to Connecting
vlj 07 1:53:37: AUTH: Received control message: AUTH_FAILED
vlj 07 1:53:41: SIGUSR1[soft,auth-failure] received, process restarting
vlj 07 1:53:41: State changed to Connecting
vlj 07 1:53:42: State changed to Disconnecting
vlj 07 1:53:42: ERROR: could not read Auth username

Is there anything else needed?
Title: Re: Openvpn + freeradius - unable to log in into VPN
Post by: mislav on February 09, 2018, 01:08:37 am
Any ideas? None of the clients are able to log in to the VPN; we have serious problems with this FreeRADIUS. As a temporary solution, we've switched to the local database as the auth backend on the VPN server.
Title: Re: Openvpn + freeradius - unable to log in into VPN
Post by: jimp on February 12, 2018, 11:47:51 am
If you're using OTP, edit the RADIUS server entry under System > User Manager, Auth Servers tab, and make sure it's set to PAP.

EDIT: The log says PAP, but make sure the GUI matches. Also the log says the password has unprintable characters. Are you sure your client is sending the correct password?
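To make the two points in this reply concrete (why OTP needs PAP, and what "unprintable characters" in a FreeRADIUS debug log can mean), here is an added example that is not part of the thread or of pfSense/FreeRADIUS. It builds a RADIUS Access-Request with a PAP User-Password the way RFC 2865 section 5.2 specifies, then shows what the server recovers with the right shared secret and with a mismatched one. The OTP value, user name and secrets are constructed sample values.

```python
import hashlib
import os
import struct

# RADIUS constants from RFC 2865 (the code and attribute type numbers are real).
ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
HEADER_LEN = 20  # code(1) + identifier(1) + length(2) + authenticator(16)


def encode_pap_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Hide a PAP password as RFC 2865 section 5.2 describes.

    The password is NUL-padded to a multiple of 16 bytes; each block is
    XORed with MD5(secret + previous block), seeded with the Request
    Authenticator. This is keyed obfuscation, not real encryption.
    """
    if not 1 <= len(password) <= 128:
        raise ValueError("PAP password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out = bytearray()
    prev = authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return bytes(out)


def decode_pap_password(encoded: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Reverse encode_pap_password; this is the RADIUS server's side."""
    out = bytearray()
    prev = authenticator
    for i in range(0, len(encoded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = encoded[i:i + 16]
        out += bytes(a ^ b for a, b in zip(block, key))
        prev = block
    return bytes(out).rstrip(b"\x00")


def _attribute(attr_type: int, value: bytes) -> bytes:
    # Type-Length-Value; the length covers the two header bytes too.
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(username: str, password: str, secret: bytes,
                         identifier: int = 1, authenticator: bytes = None) -> bytes:
    """Build an Access-Request carrying User-Name and a PAP User-Password."""
    if authenticator is None:
        authenticator = os.urandom(16)
    attrs = _attribute(ATTR_USER_NAME, username.encode())
    attrs += _attribute(ATTR_USER_PASSWORD,
                        encode_pap_password(password.encode(), secret, authenticator))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, HEADER_LEN + len(attrs))
    return header + authenticator + attrs


def parse_packet(packet: bytes):
    """Return (code, identifier, authenticator, {attr_type: value})."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    authenticator = packet[4:HEADER_LEN]
    attrs = {}
    pos = HEADER_LEN
    while pos < length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return code, identifier, authenticator, attrs


def server_side_password(packet: bytes, server_secret: bytes) -> bytes:
    """The cleartext the server recovers, using *its* copy of the shared secret."""
    _, _, authenticator, attrs = parse_packet(packet)
    return decode_pap_password(attrs[ATTR_USER_PASSWORD], server_secret, authenticator)


def is_printable(data: bytes) -> bool:
    """True when every byte is printable ASCII, as a 6-character OTP should be."""
    return all(0x20 <= b < 0x7F for b in data)


if __name__ == "__main__":
    # Constructed sample values: a 6-character OTP and two NAS shared secrets.
    otp = "aB3k9Z"
    auth = bytes(range(16))  # fixed authenticator so the run is repeatable
    pkt = build_access_request("alice", otp, b"correct-secret", authenticator=auth)
    for secret in (b"correct-secret", b"typo-secret"):
        pw = server_side_password(pkt, secret)
        print(secret.decode(), "->", pw, "printable" if is_printable(pw) else "unprintable")
```

With PAP the server recovers the cleartext OTP and can check it against the token; with CHAP or MS-CHAP it only receives a hash of the password, which an OTP backend cannot verify. The second loop iteration shows the other failure mode: when the shared secret configured in the pfSense Auth Server entry does not match the one in the FreeRADIUS client entry, the decoded User-Password is effectively random bytes, which is one way unprintable characters end up in the debug output even though the client typed a clean six-character code.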
Title: Re: Openvpn + freeradius - unable to log in into VPN
Post by: mislav on February 13, 2018, 02:38:19 am
It says PAP indeed, I've checked.

Unprintable characters are also something that bothers me, because the OTP password is 6 generated characters and contains only lower/upper-case letters and numbers, not a single special character.

What I've noticed is that after the 2.3.x to 2.4.x upgrade the FreeRADIUS package was somehow gone: version 2 was in use and it was no longer available in the package list. Instead, it was replaced by FreeRADIUS version 3, which I had to install; I guess something went wrong there? Shall I try to completely remove all FreeRADIUS users, their CAs and everything connected with that, and create them from scratch? But I'm not sure if that will work, since I tried to create two completely new users, one with OTP and one with a cleartext password, and in both cases the login didn't work (as long as FreeRADIUS was the authentication backend).
Title: Re: Openvpn + freeradius - unable to log in into VPN
Post by: jimp on February 13, 2018, 10:15:06 am
FreeRADIUS 2.x had to be removed because it was no longer supported upstream, it was not in FreeBSD ports anymore, and it had known vulnerabilities. There was no easy way to have pfSense automatically remove 2.x and install 3.x. The configuration is practically identical though; the old settings should be fine.

I haven't tried mOTP in a while, but the last time I used it on 2.4 it worked. I use the Google Authenticator OTP option more often and I know it's working fine.

You might try uninstalling the FreeRADIUS package and then installing it again (don't use the reinstall option), and pay attention to any errors displayed during either the removal or the installation step.