Hi all.

I was configure openvpn, freeradius, and privacyidea. but i can’t login
with openvpn with username and pin+otp.
can someone give me advice ?

thank you.
sorry for my english

Hi Teddy,

please provide some more information:

Which distribution are you running on?
Which version of FreeRADIUS?

Start freeRADIUS in Debug mode (-X) and take a look at the output.
This may give you an additional clue.
http://privacyidea.readthedocs.org/en/latest/application_plugins/index.html?highlight=radclient#freeradius-plugin

Take a lock at the privacyIDEA audit log.

Kind regards
CorneliusAm Donnerstag, den 17.09.2015, 20:13 -0700 schrieb Teddy Azta:

Hi all.

I was configure openvpn, freeradius, and privacyidea. but i can’t
login with openvpn with username and pin+otp.
can someone give me advice ?

thank you.
sorry for my english

You received this message because you are subscribed to the Google
Groups “privacyidea” group.
To unsubscribe from this group and stop receiving emails from it, send
an email to privacyidea+unsubscribe@googlegroups.com.
To post to this group, send email to privacyidea@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/privacyidea/0c02206a-7603-4462-8c2b-cdfff2a8b9c1%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

–
Cornelius Kölbel
@cornelinux
+49 151 2960 1417

NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798

Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel

signature.asc (836 Bytes)

Please run freeradius -X when authenticating to OpenVPN and then take a
look at the output of freeradius -X.

OpenVPN claims it gets no response from the radius server.

So the logical step is, to investigate the RADIUS service.

Kind regards
CorneliusAm Donnerstag, den 17.09.2015, 23:48 -0700 schrieb Teddy Azta:

I use Ubuntu Server 14.04, FreeRADIUS Version 2.1.12.

radclient

    Sending Access-Request of id 160 to 172.16.114.139 port 1812
    
    User-Name = "teddy"
    
    Password = "1234095237"
    
    rad_recv: Access-Accept packet from host 172.16.114.139 port
    1812, id=160, length=48
    
    Reply-Message = "privacyIDEA access granted"
    
    
      Total approved auths:  1
    
        Total denied auths:  0
    
          Total lost auths:  0

but when i trying to login with openvpn, some errors occured.

Thu Sep 17 18:21:10 2015 RADIUS-PLUGIN: FOREGROUND:
OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY is called.

Thu Sep 17 18:21:10 2015 RADIUS-PLUGIN: FOREGROUND: Key:
172.16.114.1:52042.

Thu Sep 17 18:21:10 2015 RADIUS-PLUGIN: FOREGROUND THREAD: New user
from OpenVPN!

Thu Sep 17 18:21:10 2015 RADIUS-PLUGIN: FOREGROUND THREAD: New user.

Thu Sep 17 18:21:10 2015 RADIUS-PLUGIN: FOREGROUND THREAD: New user:
username: teddy, password: *****, newuser ip: 172.16.114.1, newuser
port: 52042 .

Thu Sep 17 18:21:10 2015 RADIUS-PLUGIN: BACKGROUND AUTH: New user
auth: username: teddy, password: *****, calling station: 172.16.114.1,
commonname: client_vpnuin.

Thu Sep 17 18:21:10 2015 RADIUS-PLUGIN: radius_server().

Thu Sep 17 18:21:10 2015 RADIUS-PLUGIN: Build password packet:
password: *****, sharedSecret: *****.

Thu Sep 17 18:21:10 2015 RADIUS-PLUGIN: Send packet to 127.0.0.1.

Thu Sep 17 18:21:11 2015 RADIUS-PLUGIN: Got no response from radius
server.

Thu Sep 17 18:21:11 2015 Thu Sep 17 18:21:11 2015 RADIUS-PLUGIN:
FOREGROUND THREAD: Error receiving auth confirmation from background
process.

Thu Sep 17 18:21:11 2015 RADIUS-PLUGIN: FOREGROUND THREAD: Waiting for
new user.

    Error: RADIUS-PLUGIN: BACKGROUND  AUTH: Auth failed!.

Thu Sep 17 18:21:11 2015 us=503093 172.16.114.1:52042 PLUGIN_CALL:
POST /usr/lib/openvpn/radiusplugin.so/PLUGIN_AUTH_USER_PASS_VERIFY
status=1

Thu Sep 17 18:21:11 2015 us=503119 172.16.114.1:52042 PLUGIN_CALL:
plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status
1: /usr/lib/openvpn/radiusplugin.so

    Thu Sep 17 18:21:11 2015 us=503166 172.16.114.1:52042 TLS Auth
    Error: Auth Username/Password verification failed for peer

I’ve got stressed with it. what can i suppose to do ?

On Friday, September 18, 2015 at 11:52:41 AM UTC+7, Cornelinux K wrote:
Hi Teddy,

    please provide some more information: 
    
    Which distribution are you running on? 
    Which version of FreeRADIUS? 
    
    Start freeRADIUS in Debug mode (-X) and take a look at the
    output. 
    This may give you an additional clue. 
    http://privacyidea.readthedocs.org/en/latest/application_plugins/index.html?highlight=radclient#freeradius-plugin 
    
    Take a lock at the privacyIDEA audit log. 
    
    Kind regards 
    Cornelius 
    
    Am Donnerstag, den 17.09.2015, 20:13 -0700 schrieb Teddy
    Azta: 
    > Hi all. 
    > 
    > 
    > I was configure openvpn, freeradius, and privacyidea. but i
    can't 
    > login with openvpn with username and pin+otp. 
    > can someone give me advice ? 
    > 
    > 
    > thank you. 
    > sorry for my english 
    > -- 
    > You received this message because you are subscribed to the
    Google 
    > Groups "privacyidea" group. 
    > To unsubscribe from this group and stop receiving emails
    from it, send 
    > an email to privacyidea...@googlegroups.com. 
    > To post to this group, send email to
    priva...@googlegroups.com. 
    > To view this discussion on the web visit 
    >
    https://groups.google.com/d/msgid/privacyidea/0c02206a-7603-4462-8c2b-cdfff2a8b9c1%40googlegroups.com. 
    > For more options, visit https://groups.google.com/d/optout. 
    
    -- 
    Cornelius Kölbel 
    corneliu...@netknights.it 
    +49 151 2960 1417 
    
    NetKnights GmbH 
    http://www.netknights.it 
    Landgraf-Karl-Str. 19, 34131 Kassel, Germany 
    Tel: +49 561 3166797, Fax: +49 561 3166798 
    
    Amtsgericht Kassel, HRB 16405 
    Geschäftsführer: Cornelius Kölbel 

–
You received this message because you are subscribed to the Google
Groups “privacyidea” group.
To unsubscribe from this group and stop receiving emails from it, send
an email to privacyidea+unsubscribe@googlegroups.com.
To post to this group, send email to privacyidea@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/privacyidea/5a770c16-b224-45c2-abde-27098124c093%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

–
Cornelius Kölbel
@cornelinux
+49 151 2960 1417

NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798

Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel

signature.asc (836 Bytes)

I use Ubuntu Server 14.04, FreeRADIUS Version 2.1.12.

radclient

Sending Access-Request of id 160 to 172.16.114.139 port 1812

User-Name = “teddy”

Password = “1234095237”

rad_recv: Access-Accept packet from host 172.16.114.139 port 1812, id=160,
length=48

Reply-Message = “privacyIDEA access granted”

Total approved auths: 1

Total denied auths:  0

  Total lost auths:  0

but when i trying to login with openvpn, some errors occured.

Thu Sep 17 18:21:10 2015 RADIUS-PLUGIN: FOREGROUND:
OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY is called.

Thu Sep 17 18:21:10 2015 RADIUS-PLUGIN: FOREGROUND: Key: 172.16.114.1:52042.

Thu Sep 17 18:21:10 2015 RADIUS-PLUGIN: FOREGROUND THREAD: New user from
OpenVPN!

Thu Sep 17 18:21:10 2015 RADIUS-PLUGIN: FOREGROUND THREAD: New user.

Thu Sep 17 18:21:10 2015 RADIUS-PLUGIN: FOREGROUND THREAD: New user:
username: teddy, password: *****, newuser ip: 172.16.114.1, newuser port:
52042 .

Thu Sep 17 18:21:10 2015 RADIUS-PLUGIN: BACKGROUND AUTH: New user auth:
username: teddy, password: *****, calling station: 172.16.114.1,
commonname: client_vpnuin.

Thu Sep 17 18:21:10 2015 RADIUS-PLUGIN: radius_server().

Thu Sep 17 18:21:10 2015 RADIUS-PLUGIN: Build password packet: password:
*****, sharedSecret: *****.

Thu Sep 17 18:21:10 2015 RADIUS-PLUGIN: Send packet to 127.0.0.1.

Thu Sep 17 18:21:11 2015 RADIUS-PLUGIN: Got no response from radius server.

Thu Sep 17 18:21:11 2015 Thu Sep 17 18:21:11 2015 RADIUS-PLUGIN: FOREGROUND
THREAD: Error receiving auth confirmation from background process.

Thu Sep 17 18:21:11 2015 RADIUS-PLUGIN: FOREGROUND THREAD: Waiting for new
user.

Error: RADIUS-PLUGIN: BACKGROUND AUTH: Auth failed!.

Thu Sep 17 18:21:11 2015 us=503093 172.16.114.1:52042 PLUGIN_CALL: POST
/usr/lib/openvpn/radiusplugin.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1

Thu Sep 17 18:21:11 2015 us=503119 172.16.114.1:52042 PLUGIN_CALL: plugin
function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1:
/usr/lib/openvpn/radiusplugin.so

Thu Sep 17 18:21:11 2015 us=503166 172.16.114.1:52042 TLS Auth Error: Auth
Username/Password verification failed for peer

I’ve got stressed with it. what can i suppose to do ?On Friday, September 18, 2015 at 11:52:41 AM UTC+7, Cornelinux K wrote:

Hi Teddy,

please provide some more information:

Which distribution are you running on?
Which version of FreeRADIUS?

Start freeRADIUS in Debug mode (-X) and take a look at the output.
This may give you an additional clue.

14. Application Plugins — privacyIDEA 3.8 documentation

Take a lock at the privacyIDEA audit log.

Kind regards
Cornelius

Am Donnerstag, den 17.09.2015, 20:13 -0700 schrieb Teddy Azta:

Hi all.

I was configure openvpn, freeradius, and privacyidea. but i can’t
login with openvpn with username and pin+otp.
can someone give me advice ?

thank you.
sorry for my english

You received this message because you are subscribed to the Google
Groups “privacyidea” group.
To unsubscribe from this group and stop receiving emails from it, send
an email to privacyidea...@googlegroups.com <javascript:>.
To post to this group, send email to priva...@googlegroups.com
<javascript:>.
To view this discussion on the web visit

https://groups.google.com/d/msgid/privacyidea/0c02206a-7603-4462-8c2b-cdfff2a8b9c1%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

–
Cornelius Kölbel
corneliu…@netknights.it <javascript:>
+49 151 2960 1417

NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798

Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel

Teddy Azta teddyted9@gmail.com writes:

there’s something wrong with accounting freeradius.
FYI, port 1813 has already opened.

I’ve added the following to /etc/freeradius/sites-available/privacyidea:

— a/freeradius/sites-available/privacyidea
+++ b/freeradius/sites-available/privacyidea
@@ -25,6 +25,7 @@ preacct {
}

accounting {

•   detail
  

}

Maybe that should be default?

Jochen–
The only problem with troubleshooting is that the trouble shoots back.

Hi Teddy,

have you tried as Jochen suggested to add this to the accounting
section?

We see in the log you sent, the the FreeRADIUS authenticates
successfully.

You should now check the OpenVPN log, if there are some entries about
the OpenVPN-FreeRADIUS plugin.

Did you ever think about using the OpenVPN PAM-Plugin?

Kind regards
CorneliusAm Samstag, den 19.09.2015, 10:03 +0200 schrieb Jochen Hein:

Teddy Azta teddyted9@gmail.com writes:

there’s something wrong with accounting freeradius.
FYI, port 1813 has already opened.

I’ve added the following to /etc/freeradius/sites-available/privacyidea:

— a/freeradius/sites-available/privacyidea
+++ b/freeradius/sites-available/privacyidea
@@ -25,6 +25,7 @@ preacct {
}

accounting {

•   detail
  

}

Maybe that should be default?

Jochen

–
The only problem with troubleshooting is that the trouble shoots back.

–
Cornelius Kölbel
@cornelinux
+49 151 2960 1417

NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798

Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel

signature.asc (836 Bytes)

freeradius -X debug :

rad_recv: Access-Request packet from host 172.16.114.139 port 60198,
id=182, length=126

User-Name = “teddy”

User-Password = “1234089024”

NAS-IP-Address = 127.0.0.1

NAS-Port = 1

Service-Type = Outbound-User

Calling-Station-Id = “172.16.114.1”

NAS-Identifier = “OpenVpn”

Acct-Session-Id = “8EA9045C3B62D32402673699DC5B79B5”

NAS-Port-Type = Sync

Executing section authorize from file

/etc/freeradius/sites-enabled/privacyidea

± entering group authorize {…}

++[preprocess] returns ok

++[digest] returns noop

[suffix] No ‘@’ in User-Name = “teddy”, looking up realm NULL

[suffix] No such realm “NULL”

++[suffix] returns noop

[ntdomain] No '' in User-Name = “teddy”, looking up realm NULL

[ntdomain] No such realm “NULL”

++[ntdomain] returns noop

[files] users: Matched entry DEFAULT at line 1

++[files] returns ok

++[expiration] returns noop

++[logintime] returns noop

[pap] WARNING! No “known good” password found for the user. Authentication
may fail because of this.

++[pap] returns noop

Found Auth-Type = Perl

Executing group from file /etc/freeradius/sites-enabled/privacyidea

± entering group Perl {…}

rlm_perl: Config File /etc/privacyIDEA/rlm_perl.ini not found!

rlm_perl: Default URL https://127.0.0.1/validate/check

rlm_perl: Looking for config for auth-type Perl

rlm_perl: Warning:

rlm_perl: Auth-Type: Perl

rlm_perl: url: https://127.0.0.1/validate/check

rlm_perl: user sent to privacyidea: teddy

rlm_perl: realm sent to privacyidea:

rlm_perl: resolver sent to privacyidea:

rlm_perl: client sent to privacyidea: 127.0.0.1

rlm_perl: state sent to privacyidea:

rlm_perl: urlparam user

rlm_perl: urlparam client

rlm_perl: urlparam pass

rlm_perl: Not verifying SSL certificate!

rlm_perl: privacyIDEA access granted

rlm_perl: return RLM_MODULE_OK

rlm_perl: Added pair Acct-Session-Id = 8EA9045C3B62D32402673699DC5B79B5

rlm_perl: Added pair NAS-Identifier = OpenVpn

rlm_perl: Added pair User-Name = teddy

rlm_perl: Added pair NAS-IP-Address = 127.0.0.1

rlm_perl: Added pair Calling-Station-Id = 172.16.114.1

rlm_perl: Added pair NAS-Port = 1

rlm_perl: Added pair NAS-Port-Type = Sync

rlm_perl: Added pair Service-Type = Outbound-User

rlm_perl: Added pair User-Password = 1234089024

rlm_perl: Added pair Reply-Message = privacyIDEA access granted

rlm_perl: Added pair Auth-Type = Perl

++[perl] returns ok

WARNING: Empty post-auth section. Using default return values.

Sending Access-Accept of id 182 to 172.16.114.139 port 60198

Reply-Message = “privacyIDEA access granted”

Finished request 0.

Going to the next request

Waking up in 4.9 seconds.

rad_recv: Accounting-Request packet from host 172.16.114.139 port 43129,
id=36, length=126

User-Name = “teddy”

NAS-IP-Address = 127.0.0.1

NAS-Port = 1

Service-Type = Outbound-User

Framed-Protocol = PPP

Framed-IP-Address = 10.29.9.6

Calling-Station-Id = “172.16.114.1”

NAS-Identifier = “OpenVpn”

Acct-Status-Type = Start

Acct-Session-Id = “8EA9045C3B62D32402673699DC5B79B5”

NAS-Port-Type = Sync

Executing section preacct from file

/etc/freeradius/sites-enabled/privacyidea

± entering group preacct {…}

[suffix] No ‘@’ in User-Name = “teddy”, looking up realm NULL

[suffix] No such realm “NULL”

++[suffix] returns noop

++[files] returns noop

WARNING: Empty accounting section. Using default return values.

Finished request 1.

Cleaning up request 1 ID 36 with timestamp +21

Going to the next request

Waking up in 4.9 seconds.

rad_recv: Accounting-Request packet from host 172.16.114.139 port 43233,
id=36, length=126

User-Name = “teddy”

NAS-IP-Address = 127.0.0.1

NAS-Port = 1

Service-Type = Outbound-User

Framed-Protocol = PPP

Framed-IP-Address = 10.29.9.6

Calling-Station-Id = “172.16.114.1”

NAS-Identifier = “OpenVpn”

Acct-Status-Type = Start
Acct-Session-Id = “8EA9045C3B62D32402673699DC5B79B5”
NAS-Port-Type = Sync

Executing section preacct from file

/etc/freeradius/sites-enabled/privacyidea

± entering group preacct {…}

[suffix] No ‘@’ in User-Name = “teddy”, looking up realm NULL

[suffix] No such realm “NULL”

++[suffix] returns noop

++[files] returns noop

WARNING: Empty accounting section. Using default return values.
Finished request 2.

there’s something wrong with accounting freeradius.
FYI, port 1813 has already opened.

The authentication looks also good to the freeradius plugin.

So the best way to always add OTP is to have a running setup with
passwords and then add OTP. This is easier to rule out other problems.
In you case there is a problem between the FeeeRADIUS and the OpenVPN
Plugin, that is not connected with authentication.
Without digging into it, I do not know, what this is.

Yes, you can use PAM, which is much simpler, since you do not require
the additional RADIUS server:
http://privacyidea.readthedocs.org/en/latest/application_plugins/openvpn.html

Kind regards
CorneliusAm Samstag, den 19.09.2015, 23:02 -0700 schrieb Teddy Azta:

    Hi Jochen and Cornelius,

I’ve tried jochen suggested. but it still gets some erros about
accounting.

here is my openvpn.log :

Sun Sep 20 12:25:38 2015 RADIUS-PLUGIN: FOREGROUND:
OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY is called.

Sun Sep 20 12:25:38 2015 RADIUS-PLUGIN: FOREGROUND: Key:
172.16.114.1:57634.

Sun Sep 20 12:25:38 2015 RADIUS-PLUGIN: FOREGROUND THREAD: New user
from OpenVPN!

Sun Sep 20 12:25:38 2015 RADIUS-PLUGIN: FOREGROUND THREAD: New user.

Sun Sep 20 12:25:38 2015 RADIUS-PLUGIN: FOREGROUND THREAD: New user:
username: teddy, password: *****, newuser ip: 172.16.114.1, newuser
port: 57634 .

Sun Sep 20 12:25:38 2015 RADIUS-PLUGIN: BACKGROUND AUTH: New user
auth: username: teddy, password: *****, calling station: 172.16.114.1,
commonname: client_vpnuin.

Sun Sep 20 12:25:38 2015 RADIUS-PLUGIN: radius_server().

Sun Sep 20 12:25:38 2015 RADIUS-PLUGIN: Build password packet:
password: *****, sharedSecret: *****.

Sun Sep 20 12:25:38 2015 RADIUS-PLUGIN: Send packet to 172.16.114.139.

Sun Sep 20 12:25:39 2015 RADIUS-PLUGIN: Get ACCESS_ACCEPT-Packet.

Sun Sep 20 12:25:39 2015 RADIUS-PLUGIN: parse_response_packet().

Sun Sep 20 12:25:39 2015 RADIUS-PLUGIN: BACKGROUND AUTH: routes: .

Sun Sep 20 12:25:39 2015 RADIUS-PLUGIN: BACKGROUND AUTH: framed ip: .

Sun Sep 20 12:25:39 2015 RADIUS-PLUGIN: No attributes Acct Interim
Interval or bad length.

Sun Sep 20 12:25:39 2015 RADIUS-PLUGIN: BACKGROUND AUTH: Acct Interim
Interval: 0.

Sun Sep 20 12:25:39 2015 RADIUS-PLUGIN: BACKGROUND AUTH:
Reply-Message:privacyIDEA access granted

Sun Sep 20 12:25:39 2015 RADIUS-PLUGIN: Client config file was not
written, overwriteccfiles is false

.Sun Sep 20 12:25:39 2015 RADIUS-PLUGIN: BACKGROUND AUTH: Auth
succeeded in radius_server().

Sun Sep 20 12:25:39 2015 RADIUS-PLUGIN: FOREGROUND THREAD:
Authentication succeeded!

Sun Sep 20 12:25:39 2015 RADIUS-PLUGIN: FOREGROUND THREAD: Received
routes for user: .

Sun Sep 20 12:25:39 2015 RADIUS-PLUGIN: FOREGROUND THREAD: Received
framed ip for user: .

Sun Sep 20 12:25:39 2015 RADIUS-PLUGIN: FOREGROUND THREAD: Receive
acctinteriminterval 0 sec from backgroundprocess.

Sun Sep 20 12:25:39 2015 RADIUS-PLUGIN: FOREGROUND THREAD: Add user to
map.

Sun Sep 20 12:25:39 2015 RADIUS-PLUGIN: FOREGROUND THREAD: Waiting for
new user.

Sun Sep 20 12:25:39 2015 us=280747 172.16.114.1:57634 PLUGIN_CALL:
POST /usr/lib/openvpn/radiusplugin.so/PLUGIN_AUTH_USER_PASS_VERIFY
status=0

Sun Sep 20 12:25:39 2015 us=280790 172.16.114.1:57634 TLS:
Username/Password authentication succeeded for username ‘teddy’

Sun Sep 20 12:25:39 2015 us=280926 172.16.114.1:57634 Data Channel
Encrypt: Cipher ‘BF-CBC’ initialized with 128 bit key

Sun Sep 20 12:25:39 2015 us=280941 172.16.114.1:57634 Data Channel
Encrypt: Using 160 bit message hash ‘SHA1’ for HMAC authentication

Sun Sep 20 12:25:39 2015 us=280989 172.16.114.1:57634 Data Channel
Decrypt: Cipher ‘BF-CBC’ initialized with 128 bit key

Sun Sep 20 12:25:39 2015 us=281000 172.16.114.1:57634 Data Channel
Decrypt: Using 160 bit message hash ‘SHA1’ for HMAC authentication

Sun Sep 20 12:25:39 2015 us=281047 172.16.114.1:57634 UDPv4 WRITE
[126] to [AF_INET]172.16.114.1:57634: P_CONTROL_V1 kid=0 [ 39 ] pid=38
DATA len=100

Sun Sep 20 12:25:39 2015 us=281375 172.16.114.1:57634 UDPv4 WRITE
[114] to [AF_INET]172.16.114.1:57634: P_CONTROL_V1 kid=0 pid=39
DATA len=100

Sun Sep 20 12:25:39 2015 us=281693 172.16.114.1:57634 UDPv4 WRITE [80]
to [AF_INET]172.16.114.1:57634: P_CONTROL_V1 kid=0 pid=40 DATA
len=66

Sun Sep 20 12:25:39 2015 us=281850 172.16.114.1:57634 UDPv4 READ [22]
from [AF_INET]172.16.114.1:57634: P_ACK_V1 kid=0 [ 38 ]

Sun Sep 20 12:25:39 2015 us=281879 172.16.114.1:57634 UDPv4 READ [22]
from [AF_INET]172.16.114.1:57634: P_ACK_V1 kid=0 [ 39 ]

Sun Sep 20 12:25:39 2015 us=282776 172.16.114.1:57634 UDPv4 READ [22]
from [AF_INET]172.16.114.1:57634: P_ACK_V1 kid=0 [ 40 ]

Sun Sep 20 12:25:39 2015 us=282878 172.16.114.1:57634 Control Channel:
TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA

Sun Sep 20 12:25:39 2015 us=282948 172.16.114.1:57634 [client_vpnuin]
Peer Connection Initiated with [AF_INET]172.16.114.1:57634

Sun Sep 20 12:25:39 2015 us=282993 client_vpnuin/172.16.114.1:57634
MULTI_sva: pool returned IPv4=10.29.9.6, IPv6=(Not enabled)

Sun Sep 20 12:25:39 2015 RADIUS-PLUGIN: FOREGROUND:
OPENVPN_PLUGIN_CLIENT_CONNECT is called.

Sun Sep 20 12:25:39 2015 RADIUS-PLUGIN: FOREGROUND: Key:
172.16.114.1:57634.

Sun Sep 20 12:25:39 2015 RADIUS-PLUGIN: FOREGROUND: Set FramedIP to
the IP (10.29.9.6) OpenVPN assigned to the user teddy

Sun Sep 20 12:25:39 2015 RADIUS-PLUGIN: FOREGROUND: Add user for
accounting: username: teddy, commonname: client_vpnuin

Sun Sep 20 12:25:39 2015 RADIUS-PLUGIN: BACKGROUND ACCT: Get a
command.

Sun Sep 20 12:25:39 2015 RADIUS-PLUGIN: BACKGROUND ACCT: New User.

Sun Sep 20 12:25:39 2015 RADIUS-PLUGIN: BACKGROUND ACCT: New user
acct: username: teddy, interval: 0, calling station: 172.16.114.1,
commonname: client_vpnuin, framed ip: 10.29.9.6.

Sun Sep 20 12:25:40 2015 RADIUS-PLUGIN: BACKGROUND ACCT: Error: Start
packet couldn’t send.

!

Sun Sep 20 12:25:40 2015 Error: RADIUS-PLUGIN: FOREGROUND: Accounting
failed for user:teddy!

Sun Sep 20 12:25:40 2015 us=286320 client_vpnuin/172.16.114.1:57634
PLUGIN_CALL:
POST /usr/lib/openvpn/radiusplugin.so/PLUGIN_CLIENT_CONNECT status=1

Sun Sep 20 12:25:40 2015 us=286339 client_vpnuin/172.16.114.1:57634
PLUGIN_CALL: plugin function PLUGIN_CLIENT_CONNECT failed with status
1: /usr/lib/openvpn/radiusplugin.so

Sun Sep 20 12:25:40 2015 us=286354 client_vpnuin/172.16.114.1:57634
WARNING: client-connect plugin call failed

Sun Sep 20 12:25:41 2015 us=787447 client_vpnuin/172.16.114.1:57634
UDPv4 READ [104] from [AF_INET]172.16.114.1:57634: P_CONTROL_V1 kid=0
pid=40 DATA len=90

Sun Sep 20 12:25:41 2015 us=787612 client_vpnuin/172.16.114.1:57634
PUSH: Received control message: ‘PUSH_REQUEST’

Sun Sep 20 12:25:41 2015 us=787671 client_vpnuin/172.16.114.1:57634
Delayed exit in 5 seconds

Sun Sep 20 12:25:41 2015 us=787723 client_vpnuin/172.16.114.1:57634
SENT CONTROL [client_vpnuin]: ‘AUTH_FAILED’ (status=1)

Sun Sep 20 12:25:41 2015 us=787767 client_vpnuin/172.16.114.1:57634
UDPv4 WRITE [22] to [AF_INET]172.16.114.1:57634: P_ACK_V1 kid=0 [ 40 ]

Sun Sep 20 12:25:41 2015 us=788111 client_vpnuin/172.16.114.1:57634
UDPv4 WRITE [104] to [AF_INET]172.16.114.1:57634: P_CONTROL_V1 kid=0
pid=41 DATA len=90

Sun Sep 20 12:25:43 2015 us=890129 client_vpnuin/172.16.114.1:57634
UDPv4 WRITE [104] to [AF_INET]172.16.114.1:57634: P_CONTROL_V1 kid=0
pid=41 DATA len=90

Sun Sep 20 12:25:46 2015 us=994014 client_vpnuin/172.16.114.1:57634
SIGTERM[soft,delayed-exit] received, client-instance exiting

it still error at ACCT.

yes, i did cornelius. so when i use openvpn-pam plugin, i don’t need
freeradius anymore, isn’t it ?

my purpose is to authenticate the openvpn with otp like privacyidea,
and i stuck at this errors

–
You received this message because you are subscribed to the Google
Groups “privacyidea” group.
To unsubscribe from this group and stop receiving emails from it, send
an email to privacyidea+unsubscribe@googlegroups.com.
To post to this group, send email to privacyidea@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/privacyidea/eb4c6882-27c0-4df1-a835-0519f305506a%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

–
Cornelius Kölbel
@cornelinux
+49 151 2960 1417

NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798

Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel

signature.asc (836 Bytes)

Hi Jochen,

i tried to following your suggestions and now my server works !

i should add “detail” in accounting at /sites-enabled and /sites-available

anyway, thank you so much.

Hi Jochen, hi Teddy,

I will add “detail” to the default accounting.

THanks a lot and kind regards
CorneliusAm Samstag, den 19.09.2015, 23:59 -0700 schrieb Teddy Azta:

    Hi Jochen.

Thank you so much, i’ve tried your suggestions and my server works
now !
i found that problem is in /sites-available and /sites-enabled i
should add “detail” in accounting.

anyway, thanks buddy, you save my life

You received this message because you are subscribed to the Google
Groups “privacyidea” group.
To unsubscribe from this group and stop receiving emails from it, send
an email to privacyidea+unsubscribe@googlegroups.com.
To post to this group, send email to privacyidea@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/privacyidea/2bdd797a-2157-4d4c-8e17-f759804c00d2%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

–
Cornelius Kölbel
@cornelinux
+49 151 2960 1417

NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798

Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel

signature.asc (836 Bytes)

Hello Cornelius,

Cornelius Kölbel cornelius.koelbel@netknights.it writes:

Yes, you can use PAM, which is much simpler, since you do not require
the additional RADIUS server:
OTP with OpenVPN — privacyIDEA 3.8 documentation

This page is not referenced from
http://privacyidea.readthedocs.org/en/latest/application_plugins/index.html
Is this intentional?

If you are interested I can add documentation about the RADIUS
cofigration to openvpn.html - both direct and via PAM.

My internet accessible machine runs Debian stable and I really prefer to
run only Debian packages on the host - so using privacyidea_pam.py is
not what I want. And I ran RADIUS already years ago and was quite happy.
So I did try both openvpn->radius and openvpn->pam->radius and have both
working.

And while we are talking about RADIUS:,----
| rlm_perl: Config File /etc/privacyIDEA/rlm_perl.ini not found!
`----

In your packages you use /etc/privacyidea in lowercase and in
privacyidea_radius.pm line 92 and 198 you refer to
/opt/privacyIDEA/rlm_perl.ini. It might be hard to update existing
documenation and installations automatically, but I’d prefer to use
/etc/privacyidea/rlm_perl.ini as the config file.

Jochen

–
The only problem with troubleshooting is that the trouble shoots back.

Hi Jochen,

Hello Cornelius,

Cornelius Kölbel <@cornelinux> writes:

Yes, you can use PAM, which is much simpler, since you do not require
the additional RADIUS server:
OTP with OpenVPN — privacyIDEA 3.8 documentation

This page is not referenced from
14. Application Plugins — privacyIDEA 3.8 documentation
Is this intentional?

No, it is just missing.

If you are interested I can add documentation about the RADIUS
cofigration to openvpn.html - both direct and via PAM.

This would be great. Any input is appreciated. Do it your preferred way.

My internet accessible machine runs Debian stable and I really prefer to
run only Debian packages on the host - so using privacyidea_pam.py is
not what I want. And I ran RADIUS already years ago and was quite happy.
So I did try both openvpn->radius and openvpn->pam->radius and have both
working.

And while we are talking about RADIUS:

,----
| rlm_perl: Config File /etc/privacyIDEA/rlm_perl.ini not found!
`----

In your packages you use /etc/privacyidea in lowercase and in
privacyidea_radius.pm line 92 and 198 you refer to
/opt/privacyIDEA/rlm_perl.ini. It might be hard to update existing
documenation and installations automatically, but I’d prefer to use
/etc/privacyidea/rlm_perl.ini as the config file.

Again, you are totally right.
I also though about moving the file to the /etc directory.

Thanks a lot and kind regards
CorneliusAm Montag, den 21.09.2015, 23:10 +0200 schrieb Jochen Hein:

Jochen

–
Cornelius Kölbel
@cornelinux
+49 151 2960 1417

NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798

Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel

signature.asc (836 Bytes)