Discussion:
[Openvpn-users] OpenVPN with Radius and Active Directory
Stephen Carville
2010-03-30 22:17:36 UTC
I am trying to get openvpn to authenticate against an active directory
radius server, with no luck so far. I can connect with just TLS
certificates. Also pptp running on the same server works with
radius.

Suggestions?

Version:
OpenVPN 2.1.1 i686-pc-linux-gnu [SSL] [LZO2] [EPOLL] built on Mar 1 2010

Current configuration
-------------------------------------------------
/etc/openvpn/openvpn.conf

local 198.204.115.84
port 1194
proto udp
dev tun

ca /etc/pki/CA/VPN-CA.crt
cert /etc/pki/tls/certs/orion.lereta.com.crt
key /etc/pki/tls/private/orion.lereta.com.key
dh /etc/pki/tls/private/dh2048.key

server 192.168.100.0 255.255.255.0

ifconfig-pool-persist ipp.txt

push "route 10.207.0.0 255.255.0.0"
push "route 10.212.0.0 255.255.0.0"
push "route 172.21.0.0 255.255.0.0"

push "dhcp-option DNS 10.212.3.10"
push "dhcp-option DNS 10.212.3.11"
push "dhcp-option WINS 10.212.3.10"
push "dhcp-option WINS 10.212.3.11"

keepalive 10 120

cipher BF-CBC # Blowfish (default)

max-clients 100

user nobody
group nobody

persist-key
persist-tun

status openvpn-status.log

verb 3

client-cert-not-required
username-as-common-name

# use auth-pam plugin
;plugin /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so login
plugin /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so openvpn
;plugin /usr/share/openvpn/plugin/lib/radiusplugin.so

When using the openvpn-auth-pam.so plugin I tried the following
-------------------------------------------------
/etc/pam/d/openvpn

#%PAM-1.0
account required pam_radius_auth.so debug
account required pam_radius_auth.so debug
auth required pam_radius_auth.so try_first_pass
--
Stephen Carville
Jan Just Keijser
2010-03-31 08:08:18 UTC
Hi Stephen,
Post by Stephen Carville
I am trying to get openvpn to authenticate against an active directory
radius server, with no luck so far. I can connect with just TLS
certificates. Also pptp running on the same server works with
radius.
what's an Active Directory radius server? Isn't it either AD _OR_
Radius? (just curious)
Post by Stephen Carville
Suggestions?
OpenVPN 2.1.1 i686-pc-linux-gnu [SSL] [LZO2] [EPOLL] built on Mar 1 2010
Current configuration
-------------------------------------------------
/etc/openvpn/openvpn.conf
local 198.204.115.84
port 1194
proto udp
dev tun
ca /etc/pki/CA/VPN-CA.crt
cert /etc/pki/tls/certs/orion.lereta.com.crt
key /etc/pki/tls/private/orion.lereta.com.key
dh /etc/pki/tls/private/dh2048.key
server 192.168.100.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 10.207.0.0 255.255.0.0"
push "route 10.212.0.0 255.255.0.0"
push "route 172.21.0.0 255.255.0.0"
push "dhcp-option DNS 10.212.3.10"
push "dhcp-option DNS 10.212.3.11"
push "dhcp-option WINS 10.212.3.10"
push "dhcp-option WINS 10.212.3.11"
keepalive 10 120
cipher BF-CBC # Blowfish (default)
max-clients 100
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 3
client-cert-not-required
username-as-common-name
# use auth-pam plugin
;plugin /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so login
plugin /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so openvpn
;plugin /usr/share/openvpn/plugin/lib/radiusplugin.so
When using the openvpn-auth-pam.so plugin I tried the following
-------------------------------------------------
/etc/pam/d/openvpn
#%PAM-1.0
account required pam_radius_auth.so debug
account required pam_radius_auth.so debug
auth required pam_radius_auth.so try_first_pass
I hope that's
/etc/pam.d/openvpn
(you've written /d); also, can you see anything in /var/log/messages
or /var/log/secure (or wherever pam is logging) when a client connects?

HTH,

JJK
Stephen Carville
2010-03-31 18:37:20 UTC
Post by Jan Just Keijser
Hi Stephen,
Post by Stephen Carville
I am trying to get openvpn to authenticate against an active directory
radius server, with no luck so far. I can connect with just TLS
certificates. Also pptp running on the same server works with
radius.
what's an Active Directory radius server? Isn't it either AD _OR_ Radius?
(just curious)
I don't know what else to call it.

I am trying to authenticate against a Microsoft RADIUS server which
uses AD for username password information.
Post by Jan Just Keijser
can you see anything in /var/log/messages or /var/log/secure (or wherever pam is
logging) when a client connects?
Nothing other than an Access-Request is sent and an Access-Reject is returned.
--
Stephen Carville
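The exchange Stephen describes (one Access-Request out, an Access-Reject back) is a PAP round trip: pam_radius_auth sends the password in a User-Password attribute that is XOR-masked with MD5 digests of the shared secret, and the reply carries a Response Authenticator that the module checks against the same secret. The script below reproduces both sides in-process so the two common causes of a bare Access-Reject can be seen: a wrong password, and a shared secret that differs from the one the RADIUS server has registered for this client. It is an added example, not code from the thread or from pam_radius_auth; the user table standing in for the AD lookup, the secret and the packet identifier are constructed, and only the NAS address is taken from the posted config. Two things it cannot show but that matter with an IAS/NPS server: the network policy must allow PAP (Microsoft calls it unencrypted authentication), whereas PPTP normally authenticates with MS-CHAPv2, and the OpenVPN host's source address must be registered as a RADIUS client, otherwise the request is silently dropped rather than rejected.

```python
"""RADIUS PAP round trip as pam_radius_auth performs it (RFC 2865).

Added example, not code from the thread. Client and server are both
simulated in-process, so it runs offline. The shared secret, the user
table standing in for the AD lookup and the packet identifier are
constructed; the NAS address is the 'local' address from the posted
openvpn.conf.
"""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4

SHARED_SECRET = b"testing123"                 # constructed
USERS = {b"scarville": b"correct horse"}      # constructed stand-in for AD
NAS_IP = "198.204.115.84"                     # 'local' from the posted config


def _attr(attr_type, value):
    """One RADIUS attribute: Type, Length (header included), Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def _parse_attrs(blob):
    attrs = {}
    while blob:
        attr_type, length = struct.unpack("!BB", blob[:2])
        if length < 2 or length > len(blob):
            raise ValueError("malformed attribute")
        attrs[attr_type] = blob[2:length]
        blob = blob[length:]
    return attrs


def pap_encrypt(password, secret, request_auth):
    """RFC 2865 5.2: pad to a 16-byte multiple and XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def pap_decrypt(ciphertext, secret, request_auth):
    """Inverse of pap_encrypt; chaining uses the ciphertext blocks."""
    out, prev = b"", request_auth
    for i in range(0, len(ciphertext), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(ciphertext[i:i + 16], key))
        prev = ciphertext[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(ident, username, password, secret):
    """Client side: what pam_radius_auth puts on the wire for a PAP login."""
    request_auth = os.urandom(16)
    attrs = (_attr(USER_NAME, username)
             + _attr(USER_PASSWORD, pap_encrypt(password, secret, request_auth))
             + _attr(NAS_IP_ADDRESS, socket.inet_aton(NAS_IP)))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + request_auth + attrs, request_auth


def server_handle(packet, secret, users=USERS):
    """Server side: recover the password with *its* copy of the secret and answer."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or not 20 <= length <= len(packet):
        raise ValueError("not a well-formed Access-Request")
    request_auth = packet[4:20]
    attrs = _parse_attrs(packet[20:length])
    password = pap_decrypt(attrs.get(USER_PASSWORD, b""), secret, request_auth)
    code = ACCESS_ACCEPT if users.get(attrs.get(USER_NAME)) == password else ACCESS_REJECT
    header = struct.pack("!BBH", code, ident, 20)   # no reply attributes
    # Response Authenticator = MD5(Code+ID+Length + RequestAuth + Attributes + Secret)
    response_auth = hashlib.md5(header + request_auth + secret).digest()
    return header + response_auth


def client_verify(response, request_auth, secret):
    """Client side: refuse any reply whose authenticator does not check out."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    if not 20 <= length <= len(response):
        raise ValueError("truncated response")
    expected = hashlib.md5(response[:4] + request_auth + response[20:length] + secret).digest()
    if not hmac.compare_digest(expected, response[4:20]):
        raise ValueError("bad Response Authenticator (secret mismatch or forged reply)")
    return code


def authenticate(username, password, client_secret=SHARED_SECRET, server_secret=SHARED_SECRET):
    """One round trip; returns what the NAS (here, the PAM module) would conclude."""
    request, request_auth = build_access_request(7, username, password, client_secret)
    response = server_handle(request, server_secret)
    try:
        code = client_verify(response, request_auth, client_secret)
    except ValueError:
        return "bad-authenticator"
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(code, "unknown")


if __name__ == "__main__":
    print(authenticate(b"scarville", b"correct horse"))   # accept
    print(authenticate(b"scarville", b"wrong"))           # reject
    print(authenticate(b"scarville", b"correct horse",
                       client_secret=b"nas-secret", server_secret=b"other"))  # bad-authenticator
```

The third case is the one to keep in mind when the only thing in the log is a reject: with mismatched secrets the server decrypts the User-Password to garbage and rejects, and the module then also fails to verify the Response Authenticator, which pam_radius_auth reports as an authenticator error rather than a plain wrong-password failure.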
Jan Just Keijser
2010-04-01 06:32:19 UTC
Post by Stephen Carville
Post by Jan Just Keijser
Hi Stephen,
Post by Stephen Carville
I am trying to get openvpn to authenticate against an active directory
radius server, with no luck so far. I can connect with just TLS
certificates. Also pptp running on the same server works with
radius.
what's an Active Directory radius server? Isn't it either AD _OR_ Radius?
(just curious)
I don't know what else to call it.
I am trying to authenticate against a Microsoft RADIUS server which
uses AD for username password information.
Post by Jan Just Keijser
can you see anything in /var/log/messages or /var/log/secure (or wherever pam is
logging) when a client connects?
Nothing other than an Access-Request is sent and an Access-Reject is returned.
is there a difference between the pptp radius/pam setup and the openvpn
radius/pam setup? which plugin are you using on the pptp/pppd side?
This sounds more like a pam debugging issue than an openvpn issue - I've
seen posts on the web by people who've achieved exactly what you're
looking for.

cheers,

JJK
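For the PAM side that JJK points at, this is the complete set of files the auth-pam route needs, as an added example rather than anything from the thread. The PAM service file goes under /etc/pam.d (the post wrote /etc/pam/d) and is named after the plugin's argument; the server list is pam_radius_auth's default /etc/raddb/server, which must carry the same secret the RADIUS server has registered for the OpenVPN host's address; the `debug` option makes the module log each request and the server's answer to the auth facility, which on a Red Hat style system is /var/log/secure. The hostname and secret are placeholders. The openvpn.conf lines are the ones already in the post; `client-cert-not-required` is the right spelling for the 2.1.x release in use, and it was renamed `verify-client-cert none` in 2.4.

```text
# /etc/pam.d/openvpn   (pam.d, not pam/d; file name = argument given to openvpn-auth-pam.so)
auth     required  pam_radius_auth.so  debug
account  required  pam_radius_auth.so  debug

# /etc/raddb/server   (pam_radius_auth's default server list; root-owned, mode 0600)
# server[:port]            shared-secret         timeout(s)
radius.example.internal    CHANGE_ME_SECRET      3

# /etc/openvpn/openvpn.conf, the lines that enable username/password auth (as in the post)
client-cert-not-required
username-as-common-name
plugin /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so openvpn
```

With `user nobody` in the config this still works, because the auth-pam plugin forks its privileged helper before OpenVPN drops privileges, so the helper can read the root-owned server file.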
Ski Mountain
2010-04-01 13:54:52 UTC
You left out quite a few details, like what type of radius authentication you are even trying to use. I currently have an active setup using freeradius and the Radiusplugin plugin (http://www.nongnu.org/radiusplugin/). Since OpenVPN is so wonderfully flexible, why not just authenticate directly off Active Directory and take out the extra layer of complexity? After a quick search I found this site that looks to explain it pretty clearly (http://sites.google.com/site/amigo4life2/openvpn). It does look like it is designed for a Windows OpenVPN server, which I avoid at all costs (my personal choice).
But any actual details about the server are lacking from your post.
Post by Jan Just Keijser
Hi Stephen,
Post by Stephen Carville
I am trying to get openvpn to authenticate against an active directory
radius server, with no luck so far. I can connect with just TLS
certificates. Also pptp running on the same server works with
radius.
what's an Active Directory radius server? Isn't it either AD _OR_ Radius?
(just curious)
I don't know what else to call it.

I am trying to authenticate against a Microsoft RADIUS server which
uses AD for username password information.
Post by Jan Just Keijser
can you see anything in /var/log/messages or /var/log/secure (or wherever pam is
logging) when a client connects?
Nothing other than an Access-Request is sent and an Access-Reject is returned.
--
Stephen Carville
Ralf Hildebrandt
2010-04-01 14:21:55 UTC
Post by Ski Mountain
You left out quite a few details, like what type of radius
authentication you are even trying to use. I currently have an active
setup using freeradius and the Radiusplugin plugin
(http://www.nongnu.org/radiusplugin/). Since OpenVPN is so wonderfully
flexible, why not just authenticate directly off Active Directory and
take out the extra layer of complexity?
Using RADIUS would (if the user types in his/her password incorrectly
multiple times) just lock the remote access and NOT his whole account, thus
rendering Exchange unusable.
--
Ralf Hildebrandt
Geschäftsbereich IT | Abteilung Netzwerk
Charité - Universitätsmedizin Berlin
Campus Benjamin Franklin
Hindenburgdamm 30 | D-12203 Berlin
Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
***@charite.de | http://www.charite.de