03-24-2020 03:43 AM - edited 03-24-2020 03:44 AM
Hello.
I have successfully configured OpenVPN server and routing rules on my RV260. There is an option to authenticate users on RADIUS server in this router. So I prepared a configuration on my RADIUS server, and turned on Remote Authentication Service on the router. It seems that the client is successfully authenticated on RADIUS server:
"NPS granted the user full access because the host met the defined policies."
However the router claims that it is not. Here is a part of the router's log:
2020-03-24T09:53:08+00:00 <notice>openvpn(global): ROUTER_PUBLIC_ADDRESS:57541 SIGTERM[soft,delayed-exit] received, client-instance exiting
2020-03-24T09:53:03+00:00 <notice>openvpn(global): ROUTER_PUBLIC_ADDRESS:57541 SENT CONTROL [Cert Signed By Self CA]: 'AUTH_FAILED' (status=1)
2020-03-24T09:53:03+00:00 <notice>openvpn(global): ROUTER_PUBLIC_ADDRESS:57541 Delayed exit in 5 seconds
2020-03-24T09:53:03+00:00 <notice>openvpn(global): ROUTER_PUBLIC_ADDRESS:57541 PUSH: Received control message: 'PUSH_REQUEST'
2020-03-24T09:53:02+00:00 <notice>openvpn(global): ROUTER_PUBLIC_ADDRESS:57541 [Cert Signed By Self CA] Peer Connection Initiated with [AF_INET]ROUTER_PUBLIC_ADDRESS:57541
2020-03-24T09:53:02+00:00 <notice>openvpn(global): ROUTER_PUBLIC_ADDRESS:57541 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
2020-03-24T09:53:02+00:00 <error>openvpn(global): ROUTER_PUBLIC_ADDRESS:57541 TLS Auth Error: Auth Username/Password verification failed for peer
2020-03-24T09:53:02+00:00 <warning>openvpn(global): ROUTER_PUBLIC_ADDRESS:57541 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /usr/lib/openvpn/plugins/openvpn-plugin-auth-pam.so
2020-03-24T09:53:02+00:00 <notice>openvpn(global): ROUTER_PUBLIC_ADDRESS:57541 PLUGIN_CALL: POST /usr/lib/openvpn/plugins/openvpn-plugin-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1
2020-03-24T09:53:02+00:00 <error>openvpn: Localdb:authorization failed as group is NULL
2020-03-24T09:53:02+00:00 <error>openvpn: PAM _pam_init_handlers: no default config /etc/pam.d/other
Any clue?
Accepted Solutions
03-24-2020 04:33 AM
- The passage from Mr. Gannet
Following input from Cisco Support, the RADIUS Server client needs to return an additional Attribute 'Class', the value of which needs to correspond to a User Group defined in the Router UI.
eg: Class=admin
This caused a further headache for us because our RADIUS Server doesn't support sending attributes back. We have had to use Windows Server's built-in RADIUS Server to forward the request on to our existing provider and append the relevant attribute to the reply.
I have to say this - please can this stuff be documented somewhere?! We've lost countless hours to this - as have Cisco support having to reproduce and get us the answer.
M.
-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
When the mirror will then always respond to me with ' The only thing that exceeds your brilliance is your beauty! '
03-24-2020 06:38 AM
After adding this attribute, authentication works fine.
03-24-2020 08:59 AM
- Glad to help.
M.
-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
When the mirror will then always respond to me with ' The only thing that exceeds your brilliance is your beauty! '
