OpenVPN user authentication via RADIUS

Yaro7619
Level 1

Hello.

I have successfully configured the OpenVPN server and routing rules on my RV260. There is an option to authenticate users on a RADIUS server in this router. So I prepared a configuration on my RADIUS server and turned on Remote Authentication Service on the router. It seems that the client is successfully authenticated on the RADIUS server:

"NPS granted the user full access because the host met the defined policies."

However, the router claims that it is not. Here is a part of the router's log:

2020-03-24T09:53:08+00:00 <notice>openvpn(global): ROUTER_PUBLIC_ADDRESS:57541 SIGTERM[soft,delayed-exit] received, client-instance exiting
2020-03-24T09:53:03+00:00 <notice>openvpn(global): ROUTER_PUBLIC_ADDRESS:57541 SENT CONTROL [Cert Signed By Self CA]: 'AUTH_FAILED' (status=1)
2020-03-24T09:53:03+00:00 <notice>openvpn(global): ROUTER_PUBLIC_ADDRESS:57541 Delayed exit in 5 seconds
2020-03-24T09:53:03+00:00 <notice>openvpn(global): ROUTER_PUBLIC_ADDRESS:57541 PUSH: Received control message: 'PUSH_REQUEST'
2020-03-24T09:53:02+00:00 <notice>openvpn(global): ROUTER_PUBLIC_ADDRESS:57541 [Cert Signed By Self CA] Peer Connection Initiated with [AF_INET]ROUTER_PUBLIC_ADDRESS:57541
2020-03-24T09:53:02+00:00 <notice>openvpn(global): ROUTER_PUBLIC_ADDRESS:57541 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
2020-03-24T09:53:02+00:00 <error>openvpn(global): ROUTER_PUBLIC_ADDRESS:57541 TLS Auth Error: Auth Username/Password verification failed for peer
2020-03-24T09:53:02+00:00 <warning>openvpn(global): ROUTER_PUBLIC_ADDRESS:57541 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /usr/lib/openvpn/plugins/openvpn-plugin-auth-pam.so
2020-03-24T09:53:02+00:00 <notice>openvpn(global): ROUTER_PUBLIC_ADDRESS:57541 PLUGIN_CALL: POST /usr/lib/openvpn/plugins/openvpn-plugin-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1
2020-03-24T09:53:02+00:00 <error>openvpn: Localdb:authorization failed as group is NULL
2020-03-24T09:53:02+00:00 <error>openvpn: PAM _pam_init_handlers: no default config /etc/pam.d/other

Any clue?

1 Accepted Solution

marce1000
VIP

 

Ref: https://community.cisco.com/t5/small-business-routers/rv340w-radius-authentication-failing-after-firmware-update/td-p/3887855

- The passage from Mr. Gannet

 

Following input from Cisco Support, the RADIUS Server client needs to return an additional Attribute 'Class', the value of which needs to correspond to a User Group defined in the Router UI.

eg: Class=admin

 

This caused a further headache for us because our RADIUS Server doesn't support sending attributes back. We have had to use Windows Server's built-in RADIUS Server to forward the request on to our existing provider and append the relevant attribute to the reply.

 

I have to say this - please can this stuff be documented somewhere?!  We've lost countless hours to this - as have Cisco support having to reproduce and get us the answer.

M.

 



-- ' 'Good body every evening' ' this sentence was once spotted on a logo at the entrance of a Weight Watchers Club !

3 Replies

You saved me a lot of time. Thanks a lot.
After adding this attribute, authentication works fine.

 

 - Glad to help.

 M.


