[Openvpn-users] RADIUS Plug-In Question

  • Subject: [Openvpn-users] RADIUS Plug-In Question
  • From: "Alexander Littell" <alexander_littell@xxxxxxxxxxx>
  • Date: Tue, 18 Jul 2006 13:32:11 -0400

Hello all.

Okay, I actually have several OpenVPN servers in production, all using 
RADIUS properly to authenticate users.  However, I recently had to rebuild 
one from scratch (hardware-level format of the disks) and for some reason I 
cannot get the process to work!

Here is the deal: I am prompted for a password on the client side.  I use a 
valid username/password and see the OpenVPN server query the RADIUS server 
(FreeRADIUS).  Monitoring the RADIUS server, I see that it replies with a 
"Sending Access-Accept of id ..." which means that everything should work 
fine, but for some reason OpenVPN is stating that the password was rejected:


PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so

TLS Auth Error: Auth Username/Password verification failed for peer

At first I thought it might have been a firewall issue that I couldn't 
discern so I opened everything -- no change.  Then I loaded a RADIUS tool 
called RADLogin and tested the connection between the OpenVPN server and the 
RADIUS server without using OpenVPN -- everything worked fine.  I've since 
swapped out/reconfigured/recompiled every facet of the OpenVPN setup and 
PAM/RADIUS plugins, all to no avail.

The system works just fine without the plugin by the way.  I simply don't 
understand how it can send the authentication request, receive an 
access-accept notification, and still not authorize the username/password 
with the plugin.

Oh, here are a couple other things:

From OpenVPN server config:

plugin /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so openvpn1

From /etc/pam.d/openvpn1:

auth	sufficient	pam_radius_auth.so	debug
account	sufficient	pam_access.so
session	sufficient	pam_access.so

From /etc/raddb/server:


Anyone have *any* ideas?!  I'm completely perplexed now...hoping that it is 
something very easy. ;)



