Problem getting ocserv work with Freeradius

Marko beylow at gmail.com
Fri Dec 26 11:42:55 PST 2014


Hi there,

I have set up Freeradius+daloradius+MySQL+PHP+PPTP VPN server+Ocserv.

There is no problem using Anyconnect to connect to VPN when Ocserv
uses password authentication. I'm sure Freeradius works fine, because
it works for PPTP VPN authentication.

I have been trying to get PAM radius authentication work with Ocserv,
syslog shows the following error:

Dec 26 13:39:34 tikkaatvpn ocserv[577]: pam_radius_auth:
authentication succeeded
Dec 26 13:39:34 tikkaatvpn ocserv[577]: sec-mod: error in password
given in auth cont for user 'vpn1'

Then the establishment of VPN connection was terminated.
On AnyConnect iOS client, it shows "An unknown error has occurred
while waiting for user input. Please attempt to connect again".

Any ideas on how to solve this?
I'm sure the SECRET is coherent between Freeradius and pam_radius_auth.conf.

Thanks a lot!
Merry Christmax and Happy new year!

---------------------------syslog-------------------------------------

Dec 26 13:39:22 tikkaatvpn ocserv[577]: sec-mod: received request from
pid 1380 and uid 65534
Dec 26 13:39:22 tikkaatvpn ocserv[577]: sec-mod: cmd [size=261] sm: decrypt
Dec 26 13:39:30 tikkaatvpn ocserv[577]: sec-mod: received request from
pid 1380 and uid 65534
Dec 26 13:39:30 tikkaatvpn ocserv[577]: sec-mod: cmd [size=26] sm: auth init
Dec 26 13:39:30 tikkaatvpn ocserv[577]: sec-mod: auth init for user
'vpn1' (group: '') from 'CLIENT_IP'
Dec 26 13:39:30 tikkaatvpn ocserv[577]: pam_radius_auth: Got user name vpn1
Dec 26 13:39:30 tikkaatvpn ocserv[577]: PAM-auth conv: echo-off, sent: 0
Dec 26 13:39:34 tikkaatvpn ocserv[577]: sec-mod: received request from
pid 1380 and uid 65534
Dec 26 13:39:34 tikkaatvpn ocserv[577]: sec-mod: cmd [size=27] sm: auth cont
Dec 26 13:39:34 tikkaatvpn ocserv[577]: sec-mod: auth cont for user 'vpn1'
Dec 26 13:39:34 tikkaatvpn ocserv[577]: pam_radius_auth: Sending
RADIUS request code 1
Dec 26 13:39:34 tikkaatvpn ocserv[577]: pam_radius_auth: DEBUG:
getservbyname(radius, udp) returned -1216373696.
Dec 26 13:39:34 tikkaatvpn ocserv[577]: pam_radius_auth: Got RADIUS
response code 2
Dec 26 13:39:34 tikkaatvpn ocserv[577]: pam_radius_auth:
authentication succeeded
Dec 26 13:39:34 tikkaatvpn ocserv[577]: sec-mod: error in password
given in auth cont for user 'vpn1'
Dec 26 13:39:34 tikkaatvpn ocserv[577]: sec-mod: error processing data
for 'sm: auth cont' command (-3)
Dec 26 13:39:34 tikkaatvpn ocserv[1380]: worker[vpn1]: CLIENT_IP:55761
worker-auth.c:1250: failed authentication for 'vpn1'
Dec 26 13:39:34 tikkaatvpn ocserv[575]: main: CLIENT_IP:55761
main-misc.c:425: command socket closed

----------------------------------------syslog-------------------------------------

---------------------------------------Freeradius
log----------------------------------------------------------------

rad_recv: Access-Request packet from host SERVER_IP port 1602, id=157, length=92
        User-Name = "vpn1"
        User-Password = "passI"
        NAS-IP-Address = SERVER_IP
        NAS-Identifier = "ocserv"
        NAS-Port = 577
        NAS-Port-Type = Virtual
        Service-Type = Authenticate-Only
        Calling-Station-Id = "CLIENT_IP"
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "vpn1", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[sql]   expand: %{User-Name} -> vpn1
[sql] sql_set_user escaped user --> 'vpn1'
rlm_sql (sql): Reserving sql socket id: 3
[sql]   expand: SELECT id, username, attribute, value, op
FROM radcheck           WHERE username = '%{SQL-User-Name}'
ORDER BY id -> SELECT id, username, attribute, value, op
FROM radcheck           WHERE username = 'vpn1'           ORDER BY id
[sql] User found in radcheck table
[sql]   expand: SELECT id, username, attribute, value, op
FROM radreply           WHERE username = '%{SQL-User-Name}'
ORDER BY id -> SELECT id, username, attribute, value, op
FROM radreply           WHERE username = 'vpn1'           ORDER BY id
[sql]   expand: SELECT groupname           FROM radusergroup
WHERE username = '%{SQL-User-Name}'           ORDER BY priority ->
SELECT groupname           FROM radusergroup           WHERE username
= 'vpn1'           ORDER BY priority
rlm_sql (sql): Released sql socket id: 3
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
Found Auth-Type = PAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group PAP {...}
[pap] login attempt with password "passi"
[pap] Using clear text password "passi"
[pap] User authenticated successfully
++[pap] returns ok
# Executing section post-auth from file /etc/freeradius/sites-enabled/default
+- entering group post-auth {...}
[sql]   expand: %{User-Name} -> vpn1
[sql] sql_set_user escaped user --> 'vpn1'
[sql]   expand: %{User-Password} -> passi
[sql]   expand: INSERT INTO radpostauth
(username, pass, reply, authdate)                           VALUES (
                        '%{User-Name}',
'%{%{User-Password}:-%{Chap-Password}}',
'%{reply:Packet-Type}', '%S') -> INSERT INTO radpostauth
            (username, pass, reply, authdate)
 VALUES (                           'vpn1',
'passi',                           'Access-Accept', '2014-12-26
14:17:16')
rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth
                   (username, pass, reply, authdate)
        VALUES (                           'vpn1',
      'passi',                           'Access-Accept', '2014-12-26
14:17:16')
rlm_sql (sql): Reserving sql socket id: 2
rlm_sql (sql): Released sql socket id: 2
++[sql] returns ok
++[exec] returns noop
Sending Access-Accept of id 157 to SERVER_IP port 1602
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
-----------------------------------------------Freeradius
log----------------------------------------

---------------------------------/etc/ocserv/ocserv.conf-------------------------------------

# User authentication method. Could be set multiple times and in that case
# all should succeed.
# Options: certificate, pam.
#auth = "certificate"
#auth = "plain[/etc/ocserv/ocpasswd]"
auth = "pam"

# The gid-min option is used by auto-select-group option, in order to
# select the minimum group ID.
#auth = "pam[gid-min=1000]"

# The plain option requires specifying a password file which contains
# entries of the following format.
# "username:groupname:encoded-password"
# One entry must be listed per line, and 'ocpasswd' can be used
# to generate password entries.
#auth = "plain[/etc/ocserv/ocpasswd]"

# Whether to enable seccomp worker isolation. That restricts the number of
# system calls allowed to a worker process, in order to reduce damage from a
# bug in the worker process. It is available on Linux systems at a
performance cost.
#use-seccomp = true

# Whether to enable the authentication method's session control (i.e., PAM).
# That requires more resources on the server, and makes cookies one-time-use;
# thus don't enable unless you need it.
#session-control = true

# A banner to be displayed on clients
#banner = "Welcome"

# Limit the number of clients. Unset or set to zero for unlimited.
#max-clients = 1024
max-clients = 16

# Limit the number of client connections to one every X milliseconds
# (X is the provided value). Set to zero for no limit.
#rate-limit-ms = 100

# Limit the number of identical clients (i.e., users connecting
# multiple times). Unset or set to zero for unlimited.
max-same-clients = 4

# Use listen-host to limit to specific IPs or to the IPs of a provided
# hostname.
#listen-host = [IP|HOSTNAME]

# TCP and UDP port number
tcp-port = 443
udp-port = 443

# Accept connections using a socket file. The connections are
# forwarded without SSL/TLS.
listen-clear-file = /var/run/ocserv-conn.socket

# Keepalive in seconds
keepalive = 32400

# Dead peer detection in seconds.
dpd = 90

# Dead peer detection for mobile clients. The needs to
# be much higher to prevent such clients being awaken too
# often by the DPD messages, and save battery.
# (clients that send the X-AnyConnect-Identifier-DeviceType)
#mobile-dpd = 1800

# MTU discovery (DPD must be enabled)
try-mtu-discovery = true

# The key and the certificates of the server
# The key may be a file, or any URL supported by GnuTLS (e.g.,
# tpmkey:uuid=xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx;storage=user
# or pkcs11:object=my-vpn-key;object-type=private)
#
# There may be multiple certificate and key pairs and each key
# should correspond to the preceding certificate.
server-cert = /etc/ssl/2_tikkaatvpn.crt
server-key = /etc/ssl/3_tikkaatvpn.key

#server-cert = /etc/ssl/certs/server-cert.pem
#server-key = /etc/ssl/private/server-key.pem

# Diffie-Hellman parameters. Only needed if you require support
# for the DHE ciphersuites (by default this server supports ECDHE).
# Can be generated using:
# certtool --generate-dh-params --outfile /path/to/dh.pem
#dh-params = /path/to/dh.pem

# If you have a certificate from a CA that provides an OCSP
# service you may provide a fresh OCSP status response within
# the TLS handshake. That will prevent the client from connecting
# independently on the OCSP server.
# You can update this response periodically using:
# ocsptool --ask --load-cert=your_cert --load-issuer=your_ca --outfile response
# Make sure that you replace the following file in an atomic way.
#ocsp-response = /path/to/ocsp.der

# In case PKCS #11 or TPM keys are used the PINs should be available
# in files. The srk-pin-file is applicable to TPM keys only, and is the
# storage root key.
#pin-file = /path/to/pin.txt
#srk-pin-file = /path/to/srkpin.txt

# The Certificate Authority that will be used to verify
# client certificates (public keys) if certificate authentication
# is set.
#ca-cert = /path/to/ca.pem

# The object identifier that will be used to read the user ID in the client
# certificate. The object identifier should be part of the certificate's DN
# Useful OIDs are:
#  CN = 2.5.4.3, UID = 0.9.2342.19200300.100.1.1
#cert-user-oid = 0.9.2342.19200300.100.1.1

# The object identifier that will be used to read the user group in the
# client  certificate. The object identifier should be part of the certificate's
# DN. Useful OIDs are:
#  OU (organizational unit) = 2.5.4.11
#cert-group-oid = 2.5.4.11

# The revocation list of the certificates issued by the 'ca-cert' above.
#crl = /path/to/crl.pem

# GnuTLS priority string
tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0:-ARCFOUR-128"

# To enforce perfect forward secrecy (PFS) on the main channel.
#tls-priorities =
"NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA:-VERS-SSL3.0:-ARCFOUR-128"

# The time (in seconds) that a client is allowed to stay connected prior
# to authentication
auth-timeout = 40

# The time (in seconds) that a client is allowed to stay idle (no traffic)
# before being disconnected. Unset to disable.
#idle-timeout = 1200

# The time (in seconds) that a mobile client is allowed to stay idle (no
# traffic) before being disconnected. Unset to disable.
#mobile-idle-timeout = 2400

# The time (in seconds) that a client is not allowed to reconnect after
# a failed authentication attempt.
#min-reauth-time = 2

# Cookie timeout (in seconds)
# Once a client is authenticated he's provided a cookie with
# which he can reconnect. That cookie will be invalided if not
# used within this timeout value. On a user disconnection, that
# cookie will also be active for this time amount prior to be
# invalid. That should allow a reasonable amount of time for roaming
# between different networks.
cookie-timeout = 300

# Whether roaming is allowed, i.e., if true a cookie is
# restricted to a single IP address and cannot be re-used
# from a different IP.
deny-roaming = false

# ReKey time (in seconds)
# ocserv will ask the client to refresh keys periodically once
# this amount of seconds is elapsed. Set to zero to disable.
rekey-time = 172800

# ReKey method
# Valid options: ssl, new-tunnel
#  ssl: Will perform an efficient rehandshake on the channel allowing
#       a seamless connection during rekey.
#  new-tunnel: Will instruct the client to discard and re-establish the channel.
#       Use this option only if the connecting clients have issues with the ssl
#       option.
rekey-method = ssl

# Script to call when a client connects and obtains an IP
# Parameters are passed on the environment.
# REASON, USERNAME, GROUPNAME, HOSTNAME (the hostname selected by client),
# DEVICE, IP_REAL (the real IP of the client), IP_LOCAL (the local IP
# in the P-t-P connection), IP_REMOTE (the VPN IP of the client),
# ID (a unique numeric ID); REASON may be "connect" or "disconnect".
#connect-script = /scripts/ocserv-script
#disconnect-script = /scripts/ocserv-script

# UTMP
use-utmp = true

# Whether to enable support for the occtl tool (i.e., either through D-BUS,
# or via a unix socket).
use-occtl = true

# socket file used for IPC with occtl. You only need to set that,
# if you use more than a single servers.
#occtl-socket-file = /var/run/occtl.socket


# PID file. It can be overriden in the command line.
pid-file = /var/run/ocserv.pid

# The default server directory. Does not require any devices present.
#chroot-dir = /path/to/chroot

# socket file used for IPC, will be appended with .PID
# It must be accessible within the chroot environment (if any)
socket-file = /var/run/ocserv-socket

# The user the worker processes will be run as. It should be
# unique (no other services run as this user).
run-as-user = nobody
run-as-group = daemon

# Set the protocol-defined priority (SO_PRIORITY) for packets to
# be sent. That is a number from 0 to 6 with 0 being the lowest
# priority. Alternatively this can be used to set the IP Type-
# Of-Service, by setting it to a hexadecimal number (e.g., 0x20).
# This can be set per user/group or globally.
#net-priority = 3

# Set the VPN worker process into a specific cgroup. This is Linux
# specific and can be set per user/group or globally.
#cgroup = "cpuset,cpu:test"

#
# Network settings
#

# The name of the tun device
device = vpns

# Whether the generated IPs will be predictable, i.e., IP stays the
# same for the same user when possible.
predictable-ips = true

# The default domain to be advertised
default-domain = example.com

# The pool of addresses that leases will be given from.
ipv4-network = 192.168.1.0
ipv4-netmask = 255.255.255.0

# The advertized DNS server. Use multiple lines for
# multiple servers.
# dns = fc00::4be0
dns = 8.8.8.8
dns = 8.8.4.4

# The NBNS server (if any)
#nbns = 192.168.1.3

# The IPv6 subnet that leases will be given from.
#ipv6-network = fc00::
#ipv6-prefix = 16

# The domains over which the provided DNS should be used. Use
# multiple lines for multiple domains.
#split-dns = example.com

# Prior to leasing any IP from the pool ping it to verify that
# it is not in use by another (unrelated to this server) host.
ping-leases = false

# Unset to assign the default MTU of the device
# mtu =

# Unset to enable bandwidth restrictions (in bytes/sec). The
# setting here is global, but can also be set per user or per group.
#rx-data-per-sec = 40000
#tx-data-per-sec = 40000

# The number of packets (of MTU size) that are available in
# the output buffer. The default is low to improve latency.
# Setting it higher will improve throughput.
#output-buffer = 10

# Routes to be forwarded to the client. If you need the
# client to forward routes to the server, you may use the
# config-per-user/group or even connect and disconnect scripts.
#
# To set the server as the default gateway for the client just
# comment out all routes from the server.
#route = 192.168.1.0/255.255.255.0
#route = 192.168.5.0/255.255.255.0
#route = fef4:db8:1000:1001::/64

# Configuration files that will be applied per user connection or
# per group. Each file name on these directories must match the username
# or the groupname.
# The options allowed in the configuration files are dns, nbns,
#  ipv?-network, ipv4-netmask, ipv6-prefix, rx/tx-per-sec, iroute, route,
#  net-priority and cgroup.
#
# Note that the 'iroute' option allows to add routes on the server
# based on a user or group. The syntax depends on the input accepted
# by the commands route-add-cmd and route-del-cmd (see below).

#config-per-user = /etc/ocserv/config-per-user/
#config-per-group = /etc/ocserv/config-per-group/

# When config-per-xxx is specified and there is no group or user that
# matches, then utilize the following configuration.

#default-user-config = /etc/ocserv/defaults/user.conf
#default-group-config = /etc/ocserv/defaults/group.conf

# Groups that a client is allowed to select from.
# A client may belong in multiple groups, and in certain use-cases
# it is needed to switch between them. For these cases the client can
# select prior to authentication. Add multiple entries for multiple groups.
#select-group = group1
#select-group = group2[My group 2]
#select-group = tost[The tost group]

# The name of the group that if selected it would allow to use
# the assigned by default group.
#default-select-group = DEFAULT

# Instead of specifying manually all the allowed groups, you may instruct
# ocserv to scan all available groups and include the full list. That
# option is only functional on plain authentication.
#auto-select-group = true

# The system command to use to setup a route. %{R} will be replaced with the
# route/mask and %{D} with the (tun) device.
#
# The following example is from linux systems. %{R} should be something
# like 192.168.2.0/24

#route-add-cmd = "ip route add %{R} dev %{D}"
#route-del-cmd = "ip route delete %{R} dev %{D}"

# This option allows to forward a proxy. The special strings '%{U}'
# and '%{G}', if present will be replaced by the username and group name.
#proxy-url = http://example.com/
#proxy-url = http://example.com/%{U}/%{G}/hello

#
# The following options are for (experimental) AnyConnect client
# compatibility.

# Client profile xml. A sample file exists in doc/profile.xml.
# This file must be accessible from inside the worker's chroot.
# It is not used by the openconnect client.
user-profile = /etc/ocserv/profile.xml

# Binary files that may be downloaded by the CISCO client. Must
# be within any chroot environment.
#binary-files = /path/to/binaries

# Unless set to false it is required for clients to present their
# certificate even if they are authenticating via a previously granted
# cookie and complete their authentication in the same TCP connection.
# Legacy CISCO clients do not do that, and thus this option should be
# set for them.
cisco-client-compat = true

#Advanced options

# Option to allow sending arbitrary custom headers to the client after
# authentication and prior to VPN tunnel establishment.
#custom-header = "X-My-Header: hi there"

---------------------------------/etc/ocserv/ocserv.conf-------------------------------------

---------------------------------/etc/pam_radius_auth.conf-------------------------------------

# server[:port] shared_secret      timeout (s)
localhost       mysecret      10

---------------------------------/etc/pam_radius_auth.conf-------------------------------------



More information about the openconnect-devel mailing list