OPNsense Forum
English Forums => Virtual private networks => Topic started by: klaas on April 07, 2021, 03:43:59 pm
-
Hi,
I have a problem with the Windows 10 OpenVPN client.
I have two OpenVPN servers setup in my OPNsense firewall.
The first OpenVPN server is using the internal user database and this works fine with the Windows 10 OpenVPN client.
The other OpenVPN server is using the OPNsense freeradius plug and cannot authenticate. See OPNsense freeradius plugin debug output below.
In this thread I have installed the patch for 21.1.4, https://forum.opnsense.org/index.php?topic=22387.0
But as you can see the password is still completely garbled:
(0) Received Access-Request Id 91 from 127.0.0.1:27719 to 127.0.0.1:1812 length 88
(0) User-Name = "testuser1"
(0) Service-Type = Login-User
(0) Framed-Protocol = 15
(0) NAS-Identifier = "60436b3466861"
(0) NAS-Port = 0
(0) NAS-Port-Type = Ethernet
(0) User-Password = "\321\001D\030\371hS:)\342\357{D\033<CD><8C>"
(0) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(0) authorize {
(0) policy filter_username {
(0) if (&User-Name) {
(0) if (&User-Name) -> TRUE
(0) if (&User-Name) {
(0) if (&User-Name =~ / /) {
(0) if (&User-Name =~ / /) -> FALSE
(0) if (&User-Name =~ /@[^@]*@/ ) {
(0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(0) if (&User-Name =~ /\.\./ ) {
(0) if (&User-Name =~ /\.\./ ) -> FALSE
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(0) if (&User-Name =~ /\.$/) {
(0) if (&User-Name =~ /\.$/) -> FALSE
(0) if (&User-Name =~ /@\./) {
(0) if (&User-Name =~ /@\./) -> FALSE
(0) } # if (&User-Name) = notfound
(0) } # policy filter_username = notfound
(0) [preprocess] = ok
(0) [chap] = noop
(0) [mschap] = noop
(0) [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "testuser1", looking up realm NULL
(0) suffix: No such realm "NULL"
(0) [suffix] = noop
(0) eap: No EAP-Message, not doing EAP
(0) [eap] = noop
(0) files: users: Matched entry testuser1 at line 2
(0) [files] = ok
(0) [expiration] = noop
(0) [logintime] = noop
(0) [pap] = updated
(0) } # authorize = updated
(0) Found Auth-Type = PAP
(0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(0) Auth-Type PAP {
(0) pap: Login attempt with password
(0) pap: Comparing with "known good" Cleartext-Password
(0) pap: ERROR: Cleartext password does not match "known good" password
(0) pap: Passwords don't match
(0) [pap] = reject
(0) } # Auth-Type PAP = reject
(0) Failed to authenticate the user
(0) WARNING: Unprintable characters in the password. Double-check the shared secret on the server and the NAS!
(0) Using Post-Auth-Type Reject
(0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(0) Post-Auth-Type REJECT {
(0) attr_filter.access_reject: EXPAND %{User-Name}
(0) attr_filter.access_reject: --> testuser1
(0) attr_filter.access_reject: Matched entry DEFAULT at line 11
(0) [attr_filter.access_reject] = updated
(0) [eap] = noop
(0) policy remove_reply_message_if_eap {
(0) if (&reply:EAP-Message && &reply:Reply-Message) {
(0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(0) else {
(0) [noop] = noop
(0) } # else = noop
(0) } # policy remove_reply_message_if_eap = noop
(0) } # Post-Auth-Type REJECT = updated
(0) Login incorrect (pap: Cleartext password does not match "known good" password): [testuser1/??D??hS:)??{D?<CD><8C>] (from client FreeRadius_local port 0)
(0) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(0) Sending delayed response
(0) Sent Access-Reject Id 91 from 127.0.0.1:1812 to 127.0.0.1:27719 length 20
Waking up in 3.9 seconds.
(0) Sending duplicate reply to client FreeRadius_local port 27719 - ID: 91
Waking up in 8.9 seconds.
(0) Sending duplicate reply to client FreeRadius_local port 27719 - ID: 91
Waking up in 18.9 seconds.
(0) Cleaning up request packet ID 91 with timestamp +173