What configuration file does ocserv read for PAM settings?

Tony Zhou tonytzhou at gmail.com
Thu Nov 14 07:13:04 EST 2013


Hi Nikos,

pam_unix works for authentication. I suppose it could be an issue with 
the PAM module of RADIUS... Here's the log when I am trying to connect 
from the Android client.

Basically what it does is keep asking for the password (as if the 
password input were wrong).

Nov 14 21:05:40 hostname ocserv[12711]: [main] initialized ocserv 0.2.1
Nov 14 21:05:40 hostname ocserv[12712]: sec-mod initialized (socket: /var/run/ocserv-socket.12711)
Nov 14 21:05:47 hostname ocserv[12713]: [client.ip.addr]:61542 accepted connection
Nov 14 21:05:48 hostname ocserv[12713]: GnuTLS error (at worker-vpn.c:546): A TLS fatal alert has been received.: Unknown certificate
Nov 14 21:05:48 hostname ocserv[12711]: [client.ip.addr]:61542 command socket closed
Nov 14 21:05:51 hostname ocserv[12714]: [client.ip.addr]:61768 accepted connection
Nov 14 21:05:52 hostname ocserv[12714]: [client.ip.addr]:61768 TLS handshake completed
Nov 14 21:05:52 hostname ocserv[12714]: [client.ip.addr]:61768 HTTP: User-Agent: AnyConnect Android 3.0.09242
Nov 14 21:05:52 hostname ocserv[12714]: [client.ip.addr]:61768 HTTP: Host: server.ip.addr
Nov 14 21:05:52 hostname ocserv[12714]: [client.ip.addr]:61768 HTTP: Accept: */*
Nov 14 21:05:52 hostname ocserv[12714]: [client.ip.addr]:61768 HTTP: Accept-Encoding: identity
Nov 14 21:05:52 hostname ocserv[12714]: [client.ip.addr]:61768 HTTP: X-Transcend-Version: 1
Nov 14 21:05:52 hostname ocserv[12714]: [client.ip.addr]:61768 HTTP: X-Transcend-Version: 1
Nov 14 21:05:52 hostname ocserv[12714]: [client.ip.addr]:61768 HTTP: X-AnyConnect-Identifier-ClientVersion: 3.0.09242
Nov 14 21:05:52 hostname ocserv[12714]: [client.ip.addr]:61768 HTTP: X-AnyConnect-Identifier-Platform: android
Nov 14 21:05:52 hostname ocserv[12714]: [client.ip.addr]:61768 HTTP: X-AnyConnect-Identifier-PlatformVersion: 4.3.1
Nov 14 21:05:52 hostname ocserv[12714]: [client.ip.addr]:61768 HTTP: X-AnyConnect-Identifier-DeviceType: MOTO MB526
Nov 14 21:05:52 hostname ocserv[12714]: [client.ip.addr]:61768 HTTP: X-AnyConnect-Identifier-Device-UniqueID: 3204AC2774689BF3BF1E47338D943701D0A46DA2
Nov 14 21:05:52 hostname ocserv[12714]: [client.ip.addr]:61768 HTTP: X-Aggregate-Auth: 1
Nov 14 21:05:52 hostname ocserv[12714]: [client.ip.addr]:61768 HTTP: Connection: close
Nov 14 21:05:52 hostname ocserv[12714]: [client.ip.addr]:61768 HTTP: Content-Length: 318
Nov 14 21:05:52 hostname ocserv[12714]: [client.ip.addr]:61768 HTTP: Content-Type: application/x-www-form-urlencoded
Nov 14 21:05:52 hostname ocserv[12714]: [client.ip.addr]:61768 HTTP POST /
Nov 14 21:05:52 hostname ocserv[12714]: [client.ip.addr]:61768 POST body: '<?xml version="1.0" encoding="UTF-8"?>#012<config-auth client="vpn" type="init">#012<device-id platform-version="4.3.1" device-type="MOTO MB526" unique-id="3204AC2774689BF3BF1E47338D943701D0A46DA2">android</device-id>#012<version who="vpn">3.0.09242</version>#012<group-access>https://server.ip.addr</group-access>#012</config-auth>#012'
Nov 14 21:05:55 hostname ocserv[12714]: [client.ip.addr]:61768 HTTP: User-Agent: AnyConnect Android 3.0.09242
Nov 14 21:05:55 hostname ocserv[12714]: [client.ip.addr]:61768 HTTP: Host: server.ip.addr
Nov 14 21:05:55 hostname ocserv[12714]: [client.ip.addr]:61768 HTTP: Accept: */*
Nov 14 21:05:55 hostname ocserv[12714]: [client.ip.addr]:61768 HTTP: Accept-Encoding: identity
Nov 14 21:05:55 hostname ocserv[12714]: [client.ip.addr]:61768 HTTP: X-Transcend-Version: 1
Nov 14 21:05:55 hostname ocserv[12714]: [client.ip.addr]:61768 HTTP: X-Transcend-Version: 1
Nov 14 21:05:55 hostname ocserv[12714]: [client.ip.addr]:61768 HTTP: X-AnyConnect-Identifier-ClientVersion: 3.0.09242
Nov 14 21:05:55 hostname ocserv[12714]: [client.ip.addr]:61768 HTTP: X-AnyConnect-Identifier-Platform: android
Nov 14 21:05:55 hostname ocserv[12714]: [client.ip.addr]:61768 HTTP: X-AnyConnect-Identifier-PlatformVersion: 4.3.1
Nov 14 21:05:55 hostname ocserv[12714]: [client.ip.addr]:61768 HTTP: X-AnyConnect-Identifier-DeviceType: MOTO MB526
Nov 14 21:05:55 hostname ocserv[12714]: [client.ip.addr]:61768 HTTP: X-AnyConnect-Identifier-Device-UniqueID: 3204AC2774689BF3BF1E47338D943701D0A46DA2
Nov 14 21:05:55 hostname ocserv[12714]: [client.ip.addr]:61768 HTTP: X-Aggregate-Auth: 1
Nov 14 21:05:55 hostname ocserv[12714]: [client.ip.addr]:61768 HTTP: Content-Length: 13
Nov 14 21:05:55 hostname ocserv[12714]: [client.ip.addr]:61768 HTTP: Content-Type: application/x-www-form-urlencoded
Nov 14 21:05:55 hostname ocserv[12714]: [client.ip.addr]:61768 HTTP POST /auth
Nov 14 21:05:55 hostname ocserv[12711]: [client.ip.addr]:61768 auth init for user 'tony' from '[client.ip.addr]:61768'
Nov 14 21:06:05 hostname ocserv[12714]: [client.ip.addr]:61768 HTTP: User-Agent: AnyConnect Android 3.0.09242
Nov 14 21:06:05 hostname ocserv[12714]: [client.ip.addr]:61768 HTTP: Host: server.ip.addr
Nov 14 21:06:05 hostname ocserv[12714]: [client.ip.addr]:61768 HTTP: Accept: */*
Nov 14 21:06:05 hostname ocserv[12714]: [client.ip.addr]:61768 HTTP: Accept-Encoding: identity
Nov 14 21:06:05 hostname ocserv[12714]: [client.ip.addr]:61768 HTTP: X-Transcend-Version: 1
Nov 14 21:06:05 hostname ocserv[12714]: [client.ip.addr]:61768 HTTP: X-Transcend-Version: 1
Nov 14 21:06:05 hostname ocserv[12714]: [client.ip.addr]:61768 HTTP: X-AnyConnect-Identifier-ClientVersion: 3.0.09242
Nov 14 21:06:05 hostname ocserv[12714]: [client.ip.addr]:61768 HTTP: X-AnyConnect-Identifier-Platform: android
Nov 14 21:06:05 hostname ocserv[12714]: [client.ip.addr]:61768 HTTP: X-AnyConnect-Identifier-PlatformVersion: 4.3.1
Nov 14 21:06:05 hostname ocserv[12714]: [client.ip.addr]:61768 HTTP: X-AnyConnect-Identifier-DeviceType: MOTO MB526
Nov 14 21:06:05 hostname ocserv[12714]: [client.ip.addr]:61768 HTTP: X-AnyConnect-Identifier-Device-UniqueID: 3204AC2774689BF3BF1E47338D943701D0A46DA2
Nov 14 21:06:05 hostname ocserv[12714]: [client.ip.addr]:61768 HTTP: X-Aggregate-Auth: 1
Nov 14 21:06:05 hostname ocserv[12714]: [client.ip.addr]:61768 HTTP: Content-Length: 22
Nov 14 21:06:05 hostname ocserv[12714]: [client.ip.addr]:61768 HTTP: Content-Type: application/x-www-form-urlencoded
Nov 14 21:06:05 hostname ocserv[12714]: [client.ip.addr]:61768 HTTP POST /auth
Nov 14 21:06:16 hostname ocserv[12714]: [client.ip.addr]:61768 HTTP: User-Agent: AnyConnect Android 3.0.09242
Nov 14 21:06:16 hostname ocserv[12714]: [client.ip.addr]:61768 HTTP: Host: server.ip.addr
Nov 14 21:06:16 hostname ocserv[12714]: [client.ip.addr]:61768 HTTP: Accept: */*
Nov 14 21:06:16 hostname ocserv[12714]: [client.ip.addr]:61768 HTTP: Accept-Encoding: identity
Nov 14 21:06:16 hostname ocserv[12714]: [client.ip.addr]:61768 HTTP: X-Transcend-Version: 1
Nov 14 21:06:16 hostname ocserv[12714]: [client.ip.addr]:61768 HTTP: X-Transcend-Version: 1
Nov 14 21:06:16 hostname ocserv[12714]: [client.ip.addr]:61768 HTTP: X-AnyConnect-Identifier-ClientVersion: 3.0.09242
Nov 14 21:06:16 hostname ocserv[12714]: [client.ip.addr]:61768 HTTP: X-AnyConnect-Identifier-Platform: android
Nov 14 21:06:16 hostname ocserv[12714]: [client.ip.addr]:61768 HTTP: X-AnyConnect-Identifier-PlatformVersion: 4.3.1
Nov 14 21:06:16 hostname ocserv[12714]: [client.ip.addr]:61768 HTTP: X-AnyConnect-Identifier-DeviceType: MOTO MB526
Nov 14 21:06:16 hostname ocserv[12714]: [client.ip.addr]:61768 HTTP: X-AnyConnect-Identifier-Device-UniqueID: 3204AC2774689BF3BF1E47338D943701D0A46DA2
Nov 14 21:06:16 hostname ocserv[12714]: [client.ip.addr]:61768 HTTP: X-Aggregate-Auth: 1
Nov 14 21:06:16 hostname ocserv[12714]: [client.ip.addr]:61768 HTTP: Content-Length: 22
Nov 14 21:06:16 hostname ocserv[12714]: [client.ip.addr]:61768 HTTP: Content-Type: application/x-www-form-urlencoded
Nov 14 21:06:16 hostname ocserv[12714]: [client.ip.addr]:61768 HTTP POST /auth
Nov 14 21:06:31 hostname ocserv[12711]: [client.ip.addr]:61768 command socket closed
Nov 14 21:06:31 hostname ocserv[12711]: [client.ip.addr]:61768 auth deinit for user 'tony'

And here's the ocserv.conf just in case:
# User authentication method. Could be set multiple times and in
# that case all should succeed. To enable multiple methods use
# multiple auth directives. Available options: certificate, plain, pam.
auth = "pam"

# The plain option requires specifying a password file which contains
# entries of the following format.
# "username:groupname:encoded-password"
# One entry must be listed per line, and ’ocpasswd’ can be used
# to generate password entries.
#auth = "plain[/etc/ocserv/ocserv-passwd]"

# A banner to be displayed on clients
banner = "Welcome to OpenConnect Server"

# Use listen-host to limit to specific IPs or to the IPs of a provided
# hostname.
listen-host = 0.0.0.0

# Limit the number of clients. Unset or set to zero for unlimited.
max-clients = 16

# Limit the number of client connections to one every X milliseconds
# (X is the provided value). Set to zero for no limit.
#rate-limit-ms = 100

# Limit the number of identical clients (i.e., users connecting
# multiple times). Unset or set to zero for unlimited.
max-same-clients = 2

# TCP and UDP port number
tcp-port = 443
udp-port = 443

# Keepalive in seconds
keepalive = 32400

# Dead peer detection in seconds
dpd = 240

# MTU discovery (DPD must be enabled)
try-mtu-discovery = false

# The key and the certificates of the server
# The key may be a file, or any URL supported by GnuTLS (e.g.,
# tpmkey:uuid=xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx;storage=user
# or pkcs11:object=my-vpn-key;object-type=private)
#
# There may be multiple certificate and key pairs and each key
# should correspond to the preceding certificate.
server-cert = /etc/ssl/certs/somecert.pem
server-key = /etc/ssl/private/somekey.key

# Diffie-Hellman parameters. Only needed if you require support
# for the DHE ciphersuites (by default this server supports ECDHE).
# Can be generated using:
# certtool --generate-dh-params --outfile /path/to/dh.pem
#dh-params = /path/to/dh.pem

# If you have a certificate from a CA that provides an OCSP
# service you may provide a fresh OCSP status response within
# the TLS handshake. That will prevent the client from connecting
# independently on the OCSP server.
# You can update this response periodically using:
# ocsptool --ask --load-cert=your_cert --load-issuer=your_ca --outfile response
# Make sure that you replace the following file in an atomic way.
#ocsp-response = /path/to/ocsp.der

# In case PKCS #11 or TPM keys are used the PINs should be available
# in files. The srk-pin-file is applicable to TPM keys only, and is the
# storage root key.
#pin-file = /path/to/pin.txt
#srk-pin-file = /path/to/srkpin.txt

# The Certificate Authority that will be used
# to verify clients if certificate authentication
# is set.
#ca-cert = /path/to/ca.pem

# The object identifier that will be used to read the user ID in the client
# certificate. The object identifier should be part of the certificate’s DN
# Useful OIDs are:
# CN = 2.5.4.3, UID = 0.9.2342.19200300.100.1.1
#cert-user-oid = 0.9.2342.19200300.100.1.1

# The object identifier that will be used to read the user group in the
# client certificate. The object identifier should be part of the certificate’s
# DN. Useful OIDs are:
# OU (organizational unit) = 2.5.4.11
#cert-group-oid = 2.5.4.11

# The revocation list of the certificates issued by the ’ca-cert’ above.
#crl = /path/to/crl.pem

# GnuTLS priority string
tls-priorities = "PERFORMANCE:%SERVER_PRECEDENCE:%COMPAT"

# To enforce perfect forward secrecy (PFS) on the main channel.
#tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA"

# The time (in seconds) that a client is allowed to stay connected prior
# to authentication
auth-timeout = 40

# The time (in seconds) that a client is not allowed to reconnect after
# a failed authentication attempt.
#min-reauth-time = 2

# Cookie validity time (in seconds)
# Once a client is authenticated he’s provided a cookie with
# which he can reconnect. This option sets the maximum lifetime
# of that cookie.
cookie-validity = 172800

# Script to call when a client connects and obtains an IP
# Parameters are passed on the environment.
# REASON, USERNAME, GROUPNAME, HOSTNAME (the hostname selected by client),
# DEVICE, IP_REAL (the real IP of the client), IP_LOCAL (the local IP
# in the P-t-P connection), IP_REMOTE (the VPN IP of the client). REASON
# may be "connect" or "disconnect".
#connect-script = /usr/bin/myscript
#disconnect-script = /usr/bin/myscript

# UTMP
use-utmp = true

# PID file
pid-file = /var/run/ocserv.pid

# The default server directory. Does not require any devices present.
#chroot-dir = /path/to/chroot

# socket file used for IPC, will be appended with .PID
# It must be accessible within the chroot environment (if any)
socket-file = /var/run/ocserv-socket

# The user the worker processes will be run as. It should be
# unique (no other services run as this user).
run-as-user = nobody
run-as-group = nogroup

#
# Network settings
#

# The name of the tun device
device = vpns

# The default domain to be advertised
default-domain = example.com

# The pool of addresses that leases will be given from.
ipv4-network = 192.168.1.0
ipv4-netmask = 255.255.255.0

# The DNS advertised server
# Use the keyword local to advertise the local P-t-P address as DNS server
# ipv4-dns = local
ipv4-dns = 8.8.8.8

# The NBNS server (if any)
#ipv4-nbns = 192.168.1.3

# The same, but for IPv6.
#ipv6-network =
#ipv6-dns =
#ipv6-nbns =

# The IPv6 subnet prefix
#ipv6-prefix =

# Prior to leasing any IP from the pool ping it to verify that
# it is not in use by another (unrelated to this server) host.
ping-leases = false

# Unset to assign the default MTU of the device
# mtu =

# Set to enable bandwidth restrictions (in bytes/sec). The
# setting here is global, but can also be set per user or per group.
#rx-data-per-sec = 40000
#tx-data-per-sec = 40000

# The number of packets (of MTU size) that are available in
# the output buffer. The default is low to improve latency.
# Setting it higher will improve throughput.
output-buffer = 10

# Routes to be forwarded to the client. If you need the
# client to forward routes to the server, you may use the connect
# and disconnect scripts.
route = 192.168.1.0/255.255.255.0

# Configuration files that will be applied per user connection or
# per group. Each file name on these directories must match the username
# or the groupname.
# The options allowed in the configuration files are ipv?-dns, ipv?-nbns,
# ipv?-network, ipv?-netmask, ipv6-prefix, rx/tx-per-sec, iroute and route.
#
# Note that the ’iroute’ option allows to add routes on the server
# based on a user or group. The syntax depends on the input accepted
# by the commands route-add-cmd and route-del-cmd (see below).

#config-per-user = /etc/ocserv/config-per-user/
#config-per-group = /etc/ocserv/config-per-group/

# The system command to use to setup a route. %R will be replaced with the
# route/mask and %D with the (tun) device.
#
# The following example is from linux systems. %R should be something
# like 192.168.2.0/24

#route-add-cmd = "ip route add %R dev %D"
#route-del-cmd = "ip route delete %R dev %D"

#
# The following options are for (experimental) AnyConnect client
# compatibility.

# Client profile xml. A sample file exists in doc/profile.xml.
# This file must be accessible from inside the worker’s chroot.
# It is not used by the openconnect client.
user-profile = /etc/ocserv/profile.xml

# Binary files that may be downloaded by the CISCO client. Must
# be within any chroot environment.
#binary-files = /path/to/binaries

# Unless set to false it is required for clients to present their
# certificate even if they are authenticating via a previously granted
# cookie. Legacy CISCO clients do not do that, and thus this option
# should be set for them.
always-require-cert = false

Actually I tried with several clients, and even if the authentication 
works, none of them can successfully create a VPN connection...but 
that's another topic.

Thanks,
TZ


On 11/14/2013 4:54 AM, Nikos Mavrogiannopoulos wrote:
> On Thu, Nov 14, 2013 at 2:41 AM, Tony Zhou <tonytzhou at gmail.com> wrote:
>> Hi,
>> I am trying to set ocserv up for RADIUS, and I am happy to find out that
>> ocserv supports PAM, so I wrote a /etc/pam.d/ocserv like this:
>> auth    required        /lib/security/pam_radius_auth.so
>> ...But unfortunately it seems ocserv does not like this. What file does it
>> read?
>
> ocserv is the pam name. However, I'd suggest to do the following:
> 1. try a simple PAM module (e.g. unix passwords). Does it work? If not
> send the debugging output of ocserv.
>
> 2. If (1) works try with pam_radius_auth. Does it now work? If not send
> the debugging output of ocserv.
>
> regards,
> Nikos
>
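A way to read the debugging output above mechanically, added here as an example (not code from ocserv or from the poster). It groups the ocserv lines by the "[ip]:port" tag, counts the POSTs to /auth, and measures how long each connection lived; auth_timeout = 40 is taken from the posted ocserv.conf, and the sample lines are a constructed, abridged copy of the log in the post. The point it brings out: the second connection was accepted at 21:05:51 and closed at 21:06:31, exactly auth-timeout seconds later, after three /auth posts, so the client was dropped by the timeout rather than explicitly rejected.

```python
"""Triage ocserv debug logs by session (added example; not ocserv code)."""
import re
from datetime import datetime

# Constructed excerpt, abridged from the log posted above.
SAMPLE_LOG = """\
Nov 14 21:05:47 hostname ocserv[12713]: [client.ip.addr]:61542 accepted connection
Nov 14 21:05:48 hostname ocserv[12713]: GnuTLS error (at worker-vpn.c:546): A TLS fatal alert has been received.: Unknown certificate
Nov 14 21:05:48 hostname ocserv[12711]: [client.ip.addr]:61542 command socket closed
Nov 14 21:05:51 hostname ocserv[12714]: [client.ip.addr]:61768 accepted connection
Nov 14 21:05:52 hostname ocserv[12714]: [client.ip.addr]:61768 TLS handshake completed
Nov 14 21:05:52 hostname ocserv[12714]: [client.ip.addr]:61768 HTTP POST /
Nov 14 21:05:55 hostname ocserv[12714]: [client.ip.addr]:61768 HTTP POST /auth
Nov 14 21:05:55 hostname ocserv[12711]: [client.ip.addr]:61768 auth init for user 'tony' from '[client.ip.addr]:61768'
Nov 14 21:06:05 hostname ocserv[12714]: [client.ip.addr]:61768 HTTP POST /auth
Nov 14 21:06:16 hostname ocserv[12714]: [client.ip.addr]:61768 HTTP POST /auth
Nov 14 21:06:31 hostname ocserv[12711]: [client.ip.addr]:61768 command socket closed
Nov 14 21:06:31 hostname ocserv[12711]: [client.ip.addr]:61768 auth deinit for user 'tony'
"""

# syslog prefix: "Nov 14 21:05:47 hostname ocserv[12713]: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ ocserv\[\d+\]: (?P<msg>.*)$")
# session tag as ocserv prints it: "[client.ip.addr]:61768 <event>"
TAG_RE = re.compile(r"^\[(?P<host>[^\]]+)\]:(?P<port>\d+) (?P<event>.*)$")
USER_RE = re.compile(r"auth init for user '(?P<user>[^']*)'")


def parse_ts(ts, year=2013):
    # syslog timestamps carry no year; the post is from 2013, so assume it
    return datetime.strptime(f"{year} {' '.join(ts.split())}", "%Y %b %d %H:%M:%S")


def triage(log_text, auth_timeout=40):
    """Return {"host:port": {user, auth_posts, lifetime_s, verdict}} per session."""
    sessions = {}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        tag = TAG_RE.match(m["msg"])
        if not tag:
            continue  # e.g. the GnuTLS error line carries no session tag
        t = parse_ts(m["ts"])
        key = f"{tag['host']}:{tag['port']}"
        s = sessions.setdefault(key, {"first": t, "user": None, "auth_posts": 0,
                                      "tls_ok": False, "closed": False})
        s["last"] = t
        ev = tag["event"]
        if ev == "TLS handshake completed":
            s["tls_ok"] = True
        elif ev == "HTTP POST /auth":
            s["auth_posts"] += 1
        elif ev == "command socket closed":
            s["closed"] = True
        um = USER_RE.search(ev)
        if um:
            s["user"] = um["user"]

    report = {}
    for key, s in sessions.items():
        life = int((s["last"] - s["first"]).total_seconds())
        if not s["tls_ok"]:
            verdict = "tls-failed"      # never got past the handshake
        elif s["closed"] and s["auth_posts"] > 1 and life >= auth_timeout:
            verdict = "auth-timeout"    # re-prompted until auth-timeout expired
        elif s["closed"]:
            verdict = "closed-early"    # rejected, or the client gave up
        else:
            verdict = "open"
        report[key] = {"user": s["user"], "auth_posts": s["auth_posts"],
                       "lifetime_s": life, "verdict": verdict}
    return report


if __name__ == "__main__":
    for key, r in triage(SAMPLE_LOG).items():
        print(key, r)
```

Run it against a full `ocserv -d` log with the server's own auth-timeout value; a run of "auth-timeout" verdicts for one user means the PAM stack is neither accepting nor rejecting within the window, which points at a module that blocks (a RADIUS server that never answers, for example) rather than at a wrong password.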


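To follow Nikos's advice of isolating the failing layer, it helps to talk to the RADIUS server directly from the ocserv host, bypassing both ocserv and PAM. The following is an added example of a minimal RADIUS PAP client per RFC 2865 (not code from ocserv, pam_radius_auth or the poster): it builds an Access-Request with the User-Password attribute obfuscated by the MD5/XOR chain the RFC specifies, and validates the Response Authenticator on the reply so that a wrong shared secret or a spoofed reply is reported as such instead of being mistaken for a rejection. The server address 127.0.0.1:1812, the secret b"testing123" and the NAS-Identifier are placeholders; build_response exists only to exercise the parser offline.

```python
"""Minimal RADIUS PAP test client (RFC 2865); added example, not project code."""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IDENTIFIER = 1, 2, 32


def encode_user_password(secret, authenticator, password):
    """RFC 2865 s5.2: pad to a 16-byte multiple, then c_i = p_i XOR MD5(secret + c_{i-1})."""
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        c = bytes(x ^ y for x, y in zip(padded[i:i + 16], block))
        out += c
        prev = c
    return out


def decode_user_password(secret, authenticator, encoded):
    """Server-side inverse of encode_user_password (passwords contain no NUL)."""
    if not encoded or len(encoded) % 16:
        raise ValueError("encoded password must be a non-empty multiple of 16 bytes")
    out, prev = b"", authenticator
    for i in range(0, len(encoded), 16):
        block = hashlib.md5(secret + prev).digest()
        c = encoded[i:i + 16]
        out += bytes(x ^ y for x, y in zip(c, block))
        prev = c
    return out.rstrip(b"\x00")


def attr(atype, value):
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def parse_attrs(data):
    attrs, i = [], 0
    while i + 2 <= len(data):
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("malformed attribute")
        attrs.append((atype, data[i + 2:i + alen]))
        i += alen
    return attrs


def build_access_request(secret, username, password, ident=None, nas_id=b"ocserv-test"):
    ident = os.urandom(1)[0] if ident is None else ident
    authenticator = os.urandom(16)  # Request Authenticator: fresh and unpredictable
    attrs = (attr(ATTR_USER_NAME, username)
             + attr(ATTR_USER_PASSWORD, encode_user_password(secret, authenticator, password))
             + attr(ATTR_NAS_IDENTIFIER, nas_id))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs, authenticator


def build_response(secret, req_authenticator, ident, code, attrs=b""):
    """What a server sends back (used here only to test parse_response offline)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + req_authenticator + attrs + secret).digest()
    return header + resp_auth + attrs


def parse_response(secret, req_authenticator, req_ident, data):
    """Check length, identifier and Response Authenticator (RFC 2865 s3) before trusting the code."""
    if len(data) < 20:
        raise ValueError("short packet")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length > len(data):
        raise ValueError("bad length")
    data = data[:length]
    if ident != req_ident:
        raise ValueError("identifier mismatch")
    expected = hashlib.md5(data[:4] + req_authenticator + data[20:] + secret).digest()
    if not hmac.compare_digest(expected, data[4:20]):
        raise ValueError("response authenticator mismatch: wrong secret or spoofed reply")
    return code, parse_attrs(data[20:])


def radius_auth(server, secret, username, password, timeout=3.0):
    pkt, req_auth = build_access_request(secret, username, password)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(pkt, server)
        data, _ = s.recvfrom(4096)
    code, _attrs = parse_response(secret, req_auth, pkt[1], data)
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject",
            ACCESS_CHALLENGE: "challenge"}.get(code, f"code {code}")


if __name__ == "__main__":
    try:  # placeholder server, secret and credentials; replace with your own
        print(radius_auth(("127.0.0.1", 1812), b"testing123", b"tony", b"hunter2"))
    except socket.timeout:
        print("no reply from RADIUS server (check address, port and client entry on the server)")
```

A silent timeout here means the RADIUS server never answered (wrong address, port, or the ocserv host is not registered as a client), which is exactly what would leave a PAM module waiting until ocserv's auth-timeout; an "authenticator mismatch" means the shared secret differs from the one the server has; only a clean "reject" is an actual credential failure.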
