Hi,
Copying openvpn-devel as this is more about openvpn server than the GUI.
On Thu, Nov 3, 2016 at 7:23 PM, roberthunt-dm <notificati...@github.com> wrote:
> I am trying to get OpenVPN working with a Radius server configured to send
> an access_challenge for an otp code it dynamically generates.
>
> (server) openvpn server 2.3.2-7ubuntu3.1
> (client) Openvpn-gui-cr.exe
>
The big question mark for me is how pam_radius_auth interacts with Openvpn.
>
> Logs show that the plugin is receiving the code 11 access_challenge from
> the radius server:
>
> Nov 3 15:30:21 openvpn openvpn[10910]: pam_radius_auth: Got user name
> xxxxxx
> Nov 3 15:30:21 openvpn openvpn[10910]: pam_radius_auth: Sending RADIUS
> request code 1
> Nov 3 15:30:21 openvpn openvpn[10910]: pam_radius_auth: Got RADIUS
> response code 11
> Nov 3 15:30:21 openvpn openvpn[10910]: pam_radius_auth: Got response to
> challenge code 11
> Nov 3 15:30:21 openvpn openvpn[10910]: pam_radius_auth: Got response to
> challenge code 3
> Nov 3 15:30:21 openvpn openvpn[10910]: pam_radius_auth: authentication
> failed
>
> However I don't see any pop-up box on the OpenVPN client prompting for the
> OTP code.
>
You have to send the authentication failed message with a specially
formatted reason back to the client. For example, reason =
CRV1:R,E:some_id:base64_username:Input OTP code will cause the server to
send AUTH_FAILED followed by that reason back to the client. The client
will then prompt for a second round of authentication and the GUI will
parse the failure reason and prompt for OTP.
Client log will show what kind of AUTH_FAILED message is received from the
server.
For details of the message format see "Challenge/Response protocol"
description here:
https://openvpn.net/index.php/open-source/documentation/miscellaneous/79-management-interface.html
> On the radius server, for the 2nd access request message (in response to
> the access_challenge) - openvpn is just sending the same original
> access_request message. The radius server then rejects access.
>
> Do I need to modify pam_radius_auth to send messages in a special format
> to openvpn? I'm using this from here:
> https://github.com/FreeRADIUS/pam_radius/blob/master/src/pam_radius_auth.c
>
As far as I know the only way to send back a specially crafted reason for
auth failure is using the management interface for authentication
(--management-client-auth in the server config). But I don't know enough
about the plugin api to know if and how this could be achieved using a
plugin.
Selva
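The following is an added example, not code from this thread, from OpenVPN or from pam_radius_auth. It models both halves of the CRV1 challenge/response exchange Selva describes, using the field layout from the OpenVPN management interface documentation linked above: the server's AUTH_FAILED reason is CRV1:<flags>:<state_id>:<username_base64>:<challenge_text>, and the client's second-round password is CRV1::<state_id>::<response_text>. A server-side authenticator (for instance one driven through --management-client-auth) can use the build/parse pair to tell a first-round password from a challenge reply. The function names, the Challenge dataclass and the sample values ("some_id", user "alice") are this example's own choices.

```python
"""Build and parse OpenVPN CRV1 challenge/response strings.

Added example (not from the original mail, OpenVPN or pam_radius_auth).
Wire formats follow the "Challenge/Response protocol" section of the
OpenVPN management interface documentation:

  server -> client:  AUTH_FAILED,CRV1:<flags>:<state_id>:<username_base64>:<challenge_text>
  client -> server:  password = CRV1::<state_id>::<response_text>

Flags: R = a response is required, E = echo the user's input while typing.
"""
import base64
from dataclasses import dataclass

PREFIX = "CRV1"


@dataclass
class Challenge:
    response_required: bool  # flag R
    echo: bool               # flag E
    state_id: str            # opaque to the client; returned unchanged
    username: str            # decoded from the base64 field
    text: str                # prompt shown to the user


def build_crv1_challenge(state_id: str, username: str, text: str,
                         response_required: bool = True, echo: bool = True) -> str:
    """Server side: build the AUTH_FAILED reason that makes the client prompt."""
    if ":" in state_id:
        raise ValueError("state_id must not contain ':'")
    flags = ",".join(f for f, on in (("R", response_required), ("E", echo)) if on)
    user_b64 = base64.b64encode(username.encode()).decode()
    return f"{PREFIX}:{flags}:{state_id}:{user_b64}:{text}"


def parse_crv1_challenge(reason: str) -> Challenge:
    """Client side: parse the reason delivered with AUTH_FAILED.

    The challenge text is the last field and may itself contain ':', so the
    string is split into at most five fields.
    """
    parts = reason.split(":", 4)
    if len(parts) != 5 or parts[0] != PREFIX:
        raise ValueError(f"not a CRV1 challenge: {reason!r}")
    _, flags, state_id, user_b64, text = parts
    flag_set = set(flags.split(",")) if flags else set()
    unknown = flag_set - {"R", "E"}
    if unknown:
        raise ValueError(f"unknown CRV1 flags: {sorted(unknown)}")
    username = base64.b64decode(user_b64, validate=True).decode()
    return Challenge("R" in flag_set, "E" in flag_set, state_id, username, text)


def build_crv1_response(state_id: str, response_text: str) -> str:
    """Client side: the 'password' sent in the second authentication round."""
    return f"{PREFIX}::{state_id}::{response_text}"


def parse_crv1_response(password: str):
    """Server side: recover (state_id, response_text) from a second-round password.

    Returns None for an ordinary first-round password, so the authenticator
    can decide whether to start a challenge or to verify a reply.
    """
    parts = password.split(":", 4)
    if len(parts) != 5 or parts[0] != PREFIX or parts[1] != "" or parts[3] != "":
        return None
    return parts[2], parts[4]


if __name__ == "__main__":
    # Round trip with constructed sample values.
    reason = build_crv1_challenge("some_id", "alice", "Input OTP code")
    print("AUTH_FAILED," + reason)
    ch = parse_crv1_challenge(reason)
    reply = build_crv1_response(ch.state_id, "123456")
    print(reply, parse_crv1_response(reply))
```

On the server side the state_id is what lets the authenticator associate the second round with the pending RADIUS Access-Challenge it received in the first round; the client treats it as opaque and hands it back unchanged. Parsing with a bounded split matters because both the challenge text and the user's reply may legitimately contain colons.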
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel