Hi!
We're trying to use a script-generated username as well as a
script-generated auth-token and push them to the client from a
client-connect script (2.5.5 on the client in this case, 2.6.3 on the
server), like this:
auth-token-user {authtoken_username_b64}
push "auth-token-user {authtoken_username_b64}"
# just making clear it's base64
push "auth-token {authtoken}"
On initial username/password authentication this "works":
May 5 09:04:07 openvpn-gw170-int openvpn-udp[29574]:
hildeb/10.31.192.115:55334 SENT CONTROL [hildeb]: 'PUSH_REPLY,dhcp-option DNS
our.d.n.s,dhcp-option DOMAIN charite.de,route-gateway 172.29.0.1,topology
subnet,ping 10,ping-restart 30,routes,lots,of,routes,compress
stub,register-dns,block-outside-dns,auth-token-user
aGlsZGViOjoxZjA0N2ZiNg==,auth-token,ifconfig 172.29.0.2 255.255.248.0,peer-id
0,cipher AES-256-GCM' (status=1)
then the client renegotiates after 2 minutes and we're seeing:
May 5 09:06:00 openvpn-gw170-int openvpn-udp[29574]:
hildeb/10.31.192.115:55334 TLS Auth Error: username attempted to change from
'hildeb' to 'hildeb::1f047fb6' -- tunnel disabled
May 5 09:06:00 openvpn-gw170-int openvpn-udp[29574]:
hildeb/10.31.192.115:55334 TLS Auth Error: Auth Username/Password verification
failed for peer
What do we have to do to make the server accept the
auth-token-user it pushed to the client?
--
Ralf Hildebrandt
Charité - Universitätsmedizin Berlin
Geschäftsbereich IT | Abteilung Netzwerk
Campus Benjamin Franklin (CBF)
Haus I | 1. OG | Raum 105
Hindenburgdamm 30 | D-12203 Berlin
Tel. +49 30 450 570 155
[email protected]
https://www.charite.de
_______________________________________________
Openvpn-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openvpn-users
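As an added example (not code from the original post or from the OpenVPN project), here is a minimal client-connect script of the kind described above: it generates a per-session token, base64-encodes the auth-token-user value and writes the three lines from the post into the file OpenVPN passes as $1. It also decodes the pushed value, which is a useful check because the decoded string is exactly the username the server logs on reauthentication (the log above shows 'hildeb::1f047fb6', the decoded form of aGlsZGViOjoxZjA0N2ZiNg==). Assumptions: OpenVPN exports the authenticated user as $username and hands the script a temporary config file path as $1; the "user::suffix" form is taken from the logged username on the page; the 8-hex-digit suffix from /dev/urandom is this example's own choice.

```shell
#!/bin/sh
# Added example client-connect script (not from the original post).
# Assumptions: OpenVPN sets $username and passes the output file path as $1;
# the "<user>::<suffix>" layout mirrors the username seen in the server log.

# Generate an 8-hex-digit random suffix (constructed here; any opaque value works).
gen_token() {
    od -An -N4 -tx1 /dev/urandom | tr -d ' \n'
}

# Encode "<user>::<token>" as a single base64 line, the form auth-token-user takes.
encode_auth_token_user() {
    printf '%s::%s' "$1" "$2" | base64 | tr -d '\n'
}

# Decode a pushed auth-token-user value: this is the username the server
# will compare against the original one when the client reauthenticates.
decode_auth_token_user() {
    printf '%s' "$1" | base64 -d
}

# Write the three lines from the post into the client-connect output file ($1).
write_client_connect_pushes() {
    file=$1; user=$2; token=$3
    b64=$(encode_auth_token_user "$user" "$token")
    {
        printf 'auth-token-user %s\n' "$b64"
        printf 'push "auth-token-user %s"\n' "$b64"
        printf 'push "auth-token %s"\n' "$token"
    } > "$file"
}

# Stand-alone demo: under OpenVPN, $1 is the output file and $username is set;
# otherwise use a temporary file and the constructed user "hildeb".
out=${1:-$(mktemp)}
user=${username:-hildeb}
token=$(gen_token)
write_client_connect_pushes "$out" "$user" "$token"
echo "wrote $out; username the server will see on reauth: $(decode_auth_token_user "$(encode_auth_token_user "$user" "$token")")"
[ -n "${1:-}" ] || rm -f "$out"
```

Running decode_auth_token_user on whatever the script pushes shows, before the 2-minute renegotiation, what username the server's auth path will be handed on the token reauth.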