
Author Topic: Limited number of OpenVPN Backend Authentication Servers?  (Read 74 times)


calebh
Limited number of OpenVPN Backend Authentication Servers?
« on: February 02, 2018, 07:23:03 pm »
We're in the middle of transitioning from the use of one VPN server to four in order to better limit access. This includes four new LDAP (for Active Directory) Authentication Server entries for each OU that corresponds to the new VPN server instances. (Users have already been moved into their respective OUs.) To allow the existing VPN to still function, I selected all four new Authentication Server entries in the "Backend Authentication Servers" option on pfSense. Unfortunately, this caused user authentication to fail. The pfSense logs showed that it didn't even try to reach out to our Active Directory server. Where it should list the attempts to authenticate the user against the multiple Auth Server entries, it said:

    WARNING: Failed running command (--auth-user-pass-verify): external program exited with error status: 1

I found that when I selected only three of the Authentication Server entries, it would succeed for the respective Auth Server entry (the others would obviously note a failed LDAP search since the users didn't exist in those referenced OUs). This seems to apply to any three (no matter which one of the four is left out).

Since this is a temporary state for our firewall to be in, this limitation isn't debilitating and will be resolved once we deploy the configurations for the new OpenVPN server instances. For now, I'm leaving the Auth Server entry unselected for the OU whose users use the VPN the least. We could also adjust the original Auth Server entry to search through the parent OU of the four new OUs, but that's outside of the scope of my question. I'm wondering (out of curiosity, and on behalf of someone who might encounter the rare situation of actually needing four different Auth Server entries) if this is a programmatic limitation, or maybe I'm missing something in our setup?
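The key diagnostic detail in the post is that the verify helper itself exited non-zero before any backend was contacted, which looks like an ordinary login failure unless the preceding WARNING is noticed. The following added example (my own triage helper, not code from the post or from pfSense) walks OpenVPN server log lines and attributes each verify failure either to a helper crash or to a plain credential rejection; the client prefix and timestamps in the sample lines are constructed, the WARNING text is the one quoted above, and the "TLS Auth Error" text is OpenVPN's own message for a failed user/password verification.

```python
import re

# Exit status reported when the --auth-user-pass-verify helper dies (text from the post).
VERIFY_CRASH = re.compile(
    r"Failed running command \(--auth-user-pass-verify\): "
    r"external program exited with error status: (\d+)"
)
# OpenVPN's own message for a verify step that rejected the client.
CRED_REJECT = re.compile(r"TLS Auth Error: Auth Username/Password verification failed for peer")
# Client "ip:port" prefix; assumed log layout (constructed for this example).
CLIENT = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}:\d+)")


def triage_openvpn_auth(lines):
    """Return (client, kind, exit_status) per verify failure.

    kind is 'helper_crash' when the same client's previous line reported the
    verify helper exiting non-zero (no backend was asked), else 'rejected'.
    """
    pending_crash = {}   # client -> exit status of the most recent helper crash
    results = []
    for line in lines:
        m_client = CLIENT.search(line)
        client = m_client.group(1) if m_client else "?"
        m_crash = VERIFY_CRASH.search(line)
        if m_crash:
            pending_crash[client] = int(m_crash.group(1))
        elif CRED_REJECT.search(line):
            status = pending_crash.pop(client, None)
            kind = "helper_crash" if status is not None else "rejected"
            results.append((client, kind, status))
    return results


def summarize(results):
    """Count failures by kind; many 'helper_crash' entries point at the
    backend/auth-script configuration rather than at user credentials."""
    counts = {"helper_crash": 0, "rejected": 0}
    for _, kind, _ in results:
        counts[kind] += 1
    return counts


# Constructed sample: one client hits the helper crash from the post, another
# is simply rejected (wrong password) with no helper crash beforehand.
SAMPLE_LOG = [
    "Feb  2 19:10:01 openvpn[12345]: 203.0.113.5:51000 WARNING: Failed running command "
    "(--auth-user-pass-verify): external program exited with error status: 1",
    "Feb  2 19:10:01 openvpn[12345]: 203.0.113.5:51000 TLS Auth Error: "
    "Auth Username/Password verification failed for peer",
    "Feb  2 19:11:30 openvpn[12345]: 198.51.100.7:41022 TLS Auth Error: "
    "Auth Username/Password verification failed for peer",
]

if __name__ == "__main__":
    for entry in triage_openvpn_auth(SAMPLE_LOG):
        print(entry)
    print(summarize(triage_openvpn_auth(SAMPLE_LOG)))
```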