Topics - sfty1

1
General Discussion / Multifactor + Radius Auth?
« on: November 12, 2021, 03:31:59 pm »
Hi,

how is it possible to authenticate against a radius server that requires multifactor OTP or smartphone app approval?
I'm currently in a setup, where RSA multifactor is required, but the radius always rejects the authentication.
It seems that a special OTP feature within the radius protocol is required. In the worst case it would be also possible to choose another multifactor solution than RSA. But each time when I google for opnsense radius mfa I'm getting instructions how to enable MFA with the local user database on OPNsense. But I have to authenticate against the active directory. The bad thing is, that the Radius server is not automatically asking the MFA application on the smartphone, but requiring the OTP somehow delivered via the protocol from OPNsense.

Any help is much appreciated.
Thanks a lot.

2
General Discussion / Resolved: OpenVPN DNS not pushed
« on: March 19, 2020, 04:58:25 pm »
Hello,

I always used the setup with "Redirect Gateway", which pushed the DNS of the OPNsense to the clients.
Now I'm trying to change this, because I don't like all traffic going over the gateway, except of the internal services.

But when I untick the box "Redirect Gateway", the DNS is not pushed to the clients. So they cannot reach the internal service names. I also tried to put push "dhcp-option DNS 10.0.0.1" to the advanced options, but it doesn't help.

All internal services are reachable via IP and the firewall + unbound is correctly configured. When I use dig with @ from the client, I can resolve the internal addresses. But it's not pushed to the /etc/resolv.conf

Any hints?

Thank you very much.

3
19.1 Legacy Series / OPNsense<->AWS VPC ipsec VPN
« on: June 24, 2019, 02:14:42 pm »
Hi,

I'm running multiple tunnels to AWS via IPSEC.

But the problem is, that the connection drops after ~one day.
It's never coming back before I restart it manually.

I'm not able to see the log, because it's too short...

The value for "Automatically ping host" is set to an IP within the AWS VPC and the local IP for the OPNsense box is part of the local network.

See the screenshots in the attachment for parameters.



4
19.1 Legacy Series / Multiple Radius Server for OpenVPN
« on: June 04, 2019, 04:57:53 pm »
Hi,

Authentication through radius server is working fine. I have two Microsoft NPS attached, for the case, when one goes down.

Now I tested to deactivate the first Radius server. The problem is, that OpenVPN is still waiting for the first Radius Server, forever. It's not asking the second one. Only when the first Radius Server is rejecting the access, the second one will be asked. But I like to use this in a HA Scenario.

Any clue?

config:
Code:
auth-user-pass-verify "/usr/local/etc/inc/plugins.inc.d/openvpn/ovpn_auth_verify user 'Active Directory RADIUS DC1,Active Directory Radius DC2,Local Database' 'false' 'server1'" via-env
tls-verify "/usr/local/etc/inc/plugins.inc.d/openvpn/ovpn_auth_verify tls 'my+company+OpenVPN+Server' 1"

thanks

5
19.1 Legacy Series / [SOLVED] Client Specific Overrides + Radius Auth + OpenVPN
« on: May 20, 2019, 09:47:39 am »
Hi,
I'm struggling with static IPs via CCD in an openvpn+radius setup.
I tried to use the username as common name, but when I add an override via the GUI, there is NO file created in the CCD directory. Can this be a bug?

Code:
dev ovpns3
verb 4
dev-type tun
dev-node /dev/tun3
writepid /var/run/openvpn_server3.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto tcp4-server
cipher AES-256-CBC
auth SHA256
up /usr/local/etc/inc/plugins.inc.d/openvpn/ovpn-linkup
down /usr/local/etc/inc/plugins.inc.d/openvpn/ovpn-linkdown
engine rdrand
client-disconnect "/usr/local/etc/inc/plugins.inc.d/openvpn/attributes.sh server3"
tls-server
server 10.69.14.0 255.255.254.0
client-config-dir /var/etc/openvpn-csc/3
verify-client-cert none
username-as-common-name
auth-user-pass-verify "/usr/local/etc/inc/plugins.inc.d/openvpn/ovpn_auth_verify user 'Active Directory RADIUS,Active Directory Radius DC2,Local Database' 'false' 'server3'" via-env
tls-verify "/usr/local/etc/inc/plugins.inc.d/openvpn/ovpn_auth_verify tls 'safety+io+OpenVPN+Server' 1"
lport 443
management /var/etc/openvpn/server3.sock unix
max-clients 500
push "route 10.69.0.0 255.255.240.0"
push "dhcp-option DOMAIN mydomain.local"
push "dhcp-option DNS 10.69.14.1"
push "redirect-gateway def1"
client-to-client
duplicate-cn
route 10.69.0.0 255.255.252.0
ca /var/etc/openvpn/server3.ca
cert /var/etc/openvpn/server3.cert
key /var/etc/openvpn/server3.key
dh /usr/local/etc/dh-parameters.2048.sample
tls-auth /var/etc/openvpn/server3.tls-auth 0
comp-lzo no
persist-remote-ip
float
reneg-sec 0

Update: When I manually create a file with my username, it's working. But from the GUI there is absolutely no effect.

6
19.1 Legacy Series / webgui cannot edit / enable dnsmasq
« on: February 14, 2019, 11:22:13 am »
Hi,

When I enable or change some settings, everything is lost after hitting the save button. Debug output says:

Code:
[14-Feb-2019 09:55:03 Europe/Berlin] PHP Warning:  Illegal string offset 'enable' in /usr/local/www/services_dnsmasq.php on line 85
[14-Feb-2019 09:55:03 Europe/Berlin] PHP Warning:  Illegal string offset 'regdhcp' in /usr/local/www/services_dnsmasq.php on line 86
[14-Feb-2019 09:55:03 Europe/Berlin] PHP Warning:  Cannot assign an empty string to a string offset in /usr/local/www/services_dnsmasq.php on line 86
[14-Feb-2019 09:55:03 Europe/Berlin] PHP Warning:  Illegal string offset 'regdhcpstatic' in /usr/local/www/services_dnsmasq.php on line 87
[14-Feb-2019 09:55:03 Europe/Berlin] PHP Warning:  Cannot assign an empty string to a string offset in /usr/local/www/services_dnsmasq.php on line 87
[14-Feb-2019 09:55:03 Europe/Berlin] PHP Warning:  Illegal string offset 'dhcpfirst' in /usr/local/www/services_dnsmasq.php on line 88
[14-Feb-2019 09:55:03 Europe/Berlin] PHP Warning:  Cannot assign an empty string to a string offset in /usr/local/www/services_dnsmasq.php on line 88
[14-Feb-2019 09:55:03 Europe/Berlin] PHP Warning:  Illegal string offset 'strict_order' in /usr/local/www/services_dnsmasq.php on line 89
[14-Feb-2019 09:55:03 Europe/Berlin] PHP Warning:  Cannot assign an empty string to a string offset in /usr/local/www/services_dnsmasq.php on line 89
[14-Feb-2019 09:55:03 Europe/Berlin] PHP Warning:  Illegal string offset 'domain_needed' in /usr/local/www/services_dnsmasq.php on line 90
[14-Feb-2019 09:55:03 Europe/Berlin] PHP Warning:  Cannot assign an empty string to a string offset in /usr/local/www/services_dnsmasq.php on line 90
[14-Feb-2019 09:55:03 Europe/Berlin] PHP Warning:  Illegal string offset 'no_private_reverse' in /usr/local/www/services_dnsmasq.php on line 91
[14-Feb-2019 09:55:03 Europe/Berlin] PHP Warning:  Cannot assign an empty string to a string offset in /usr/local/www/services_dnsmasq.php on line 91
[14-Feb-2019 09:55:03 Europe/Berlin] PHP Warning:  Illegal string offset 'strictbind' in /usr/local/www/services_dnsmasq.php on line 92
[14-Feb-2019 09:55:03 Europe/Berlin] PHP Warning:  Cannot assign an empty string to a string offset in /usr/local/www/services_dnsmasq.php on line 92
[14-Feb-2019 09:55:03 Europe/Berlin] PHP Warning:  Illegal string offset 'dnssec' in /usr/local/www/services_dnsmasq.php on line 93
[14-Feb-2019 09:55:03 Europe/Berlin] PHP Warning:  Cannot assign an empty string to a string offset in /usr/local/www/services_dnsmasq.php on line 93
[14-Feb-2019 09:55:03 Europe/Berlin] PHP Warning:  Illegal string offset 'interface' in /usr/local/www/services_dnsmasq.php on line 100
[14-Feb-2019 09:55:14 Europe/Berlin] PHP Warning:  Illegal string offset 'enable' in /usr/local/www/services_dnsmasq.php on line 85
[14-Feb-2019 09:55:14 Europe/Berlin] PHP Warning:  Illegal string offset 'regdhcp' in /usr/local/www/services_dnsmasq.php on line 86
[14-Feb-2019 09:55:14 Europe/Berlin] PHP Warning:  Cannot assign an empty string to a string offset in /usr/local/www/services_dnsmasq.php on line 86
[14-Feb-2019 09:55:14 Europe/Berlin] PHP Warning:  Illegal string offset 'regdhcpstatic' in /usr/local/www/services_dnsmasq.php on line 87
[14-Feb-2019 09:55:14 Europe/Berlin] PHP Warning:  Cannot assign an empty string to a string offset in /usr/local/www/services_dnsmasq.php on line 87
[14-Feb-2019 09:55:14 Europe/Berlin] PHP Warning:  Illegal string offset 'dhcpfirst' in /usr/local/www/services_dnsmasq.php on line 88
[14-Feb-2019 09:55:14 Europe/Berlin] PHP Warning:  Cannot assign an empty string to a string offset in /usr/local/www/services_dnsmasq.php on line 88
[14-Feb-2019 09:55:14 Europe/Berlin] PHP Warning:  Illegal string offset 'strict_order' in /usr/local/www/services_dnsmasq.php on line 89
[14-Feb-2019 09:55:14 Europe/Berlin] PHP Warning:  Cannot assign an empty string to a string offset in /usr/local/www/services_dnsmasq.php on line 89
[14-Feb-2019 09:55:14 Europe/Berlin] PHP Warning:  Illegal string offset 'domain_needed' in /usr/local/www/services_dnsmasq.php on line 90
[14-Feb-2019 09:55:14 Europe/Berlin] PHP Warning:  Cannot assign an empty string to a string offset in /usr/local/www/services_dnsmasq.php on line 90
[14-Feb-2019 09:55:14 Europe/Berlin] PHP Warning:  Illegal string offset 'no_private_reverse' in /usr/local/www/services_dnsmasq.php on line 91
[14-Feb-2019 09:55:14 Europe/Berlin] PHP Warning:  Cannot assign an empty string to a string offset in /usr/local/www/services_dnsmasq.php on line 91
[14-Feb-2019 09:55:14 Europe/Berlin] PHP Warning:  Illegal string offset 'strictbind' in /usr/local/www/services_dnsmasq.php on line 92
[14-Feb-2019 09:55:14 Europe/Berlin] PHP Warning:  Cannot assign an empty string to a string offset in /usr/local/www/services_dnsmasq.php on line 92
[14-Feb-2019 09:55:14 Europe/Berlin] PHP Warning:  Illegal string offset 'dnssec' in /usr/local/www/services_dnsmasq.php on line 93
[14-Feb-2019 09:55:14 Europe/Berlin] PHP Warning:  Cannot assign an empty string to a string offset in /usr/local/www/services_dnsmasq.php on line 93
[14-Feb-2019 09:55:14 Europe/Berlin] PHP Warning:  Illegal string offset 'interface' in /usr/local/www/services_dnsmasq.php on line 100

Can this be a bug?
Thank you very much.

FreeBSD 11.2-RELEASE-p8-HBSD  31af16db12b(stable/19.1) amd64
OPNsense 19.1.1 35cd081ca
Plugins os-dyndns-1.12_1
Time Thu, 14 Feb 2019 11:20:23 +0100
OpenSSL 1.0.2q  20 Nov 2018
PHP 7.1.26

