Yubico Forum
https://forum.yubico.com/

pfSense + OpenVPN + YubiRADIUS = Sadface
https://forum.yubico.com/viewtopic.php?f=29&t=863

Author:  Appletini [ Fri Sep 21, 2012 10:18 pm ]
Post subject:  pfSense + OpenVPN + YubiRADIUS = Sadface

Hello,
I am trying to set up my YubiKeys to work with OpenVPN running on my pfSense Firewall, using the YubiRADIUS server to authenticate users against Active Directory.

And it works! Sort of… I have a test user that works perfectly. The problem is that I can’t seem to get any other users to work… well, unless their name is test or test2 etc.

I currently have it so that the OTP is being added to the username, since the virtual appliance manual mentioned this was able to get around the issue OpenVPN and some other VPN services have with password length. But it seems this is also an issue with the username field.

With user “testomgwhy”
Quote:
2012-09-21 15:04:51,@,mgwhyccccccb,YubiKey OTP validation failed
2012-09-21 15:04:51,@,mgwhyccccccb,VA configuration could not be read

The “VA configuration” error just started; before, it was just the OTP message.

With user test
Quote:
2012-09-21 15:06:41,test@xxxx-xxxxx.com,ccccccbhejgc,Success
I have read that people have been able to get this to work by using Yubico-PAM in conjunction with FreeRADIUS. The problem is that since I am using pfSense to host my OpenVPN server, the complexity of this one-off install is something that I don’t want to do / can’t do, since no one else at my work could pull this off if I got hit by a bus tomorrow.

Is my only option to run a normal installation of OpenVPN + FreeRADIUS that uses Yubico-PAM and PAM_Radius?

Thanks for any help.

Author:  samir [ Tue Sep 25, 2012 2:47 pm ]
Post subject:  Re: pfSense + OpenVPN + YubiRADIUS = Sadface

Hello,

It seems that you have configured "Append OTP to" with password in "Global Configuration", and you are sending the request/radtest with the OTP appended to the username. If you want to send the OTP with the username, please change the setting "Append OTP to" to username in "Global Configuration".

Go to “Global Configuration” >> “General” >> select “Append OTP to” with “Username” and click on save.

Hope this helps! If you are still facing the same issue please send us the detailed screenshot of the error and logs to "support@yubico.com".

Thanks and best regards,
Samir.

Author:  Appletini [ Fri Sep 28, 2012 6:24 pm ]
Post subject:  Re: pfSense + OpenVPN + YubiRADIUS = Sadface

I do have "Append OTP to Username" set in the global configuration. And this works fine when I am using a small name like Test, but anything longer than 5 characters and the username starts to show up in the "YubiKey Public ID" field.

I guess I will try and get as much information as I can and send it to the support email.

Thanks

Author:  MrSteve [ Mon Oct 01, 2012 5:45 pm ]
Post subject:  Re: pfSense + OpenVPN + YubiRADIUS = Sadface

We are using this combination, but appending the OTP to passwords.

There was a problem with the max password length being too short in the OpenVPN GUI client (see http://sourceforge.net/tracker/index.ph ... id=1327094) - I wonder whether there is a similar restriction on the username in the client?

A build of OpenVPN GUI with that fix worked fine when we tried it, or there are other OpenVPN clients about (e.g. Viscosity, which is not free, but works well for us).

Steve.

Author:  Appletini [ Fri Oct 05, 2012 7:52 pm ]
Post subject:  Re: pfSense + OpenVPN + YubiRADIUS = Sadface

MrSteve wrote:
We are using this combination, but appending the OTP to passwords.

There was a problem with the max password length being too short in the OpenVPN GUI client (see http://sourceforge.net/tracker/index.ph ... id=1327094) - I wonder whether there is a similar restriction on the username in the client?

A build of OpenVPN GUI with that fix worked fine when we tried it, or there are other OpenVPN clients about (e.g. Viscosity, which is not free, but works well for us).

Steve.

!!!
IT WORKS!

After applying the patch from Oct 1st to fix FreeRADIUS...
And pfSense's "OpenVPN Client Export Utility" has been upgraded to 0.25 and includes the OpenVPN 2.3 Beta Client.

It all works, and I have the OTP being appended to the password.

Thanks MrSteve for the heads up on this being a VPN client problem.

Author:  Elvar [ Fri Mar 08, 2013 10:38 am ]
Post subject:  Re: pfSense + OpenVPN + YubiRADIUS = Sadface

Since this is the only thread that comes up when searching for this error in Google:

If you have a domain in YubiRADIUS, domain.com, and a user logs in with username@another.com, then you will get

Code:
username@another.com,,VA configuration could not be read

Author:  samir [ Fri Mar 08, 2013 3:26 pm ]
Post subject:  Re: pfSense + OpenVPN + YubiRADIUS = Sadface

Hello,

If you have a domain in YubiRADIUS as abc.com, then a user from that domain has to log in with username@abc.com; only then will they be authenticated.

If you are still facing the same issue please send us the detailed screenshot of the error and logs to "support@yubico.com".

Thanks and best regards,
Samir.
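The two failure modes in this thread, the client-side field truncation that put the username into the "YubiKey Public ID" column and the domain mismatch Elvar and Samir describe, modelled in a small Python script. This is an added example, not YubiRADIUS or OpenVPN code: the domain table, the default domain applied to bare usernames, the key-owner table, the OTP's token half and the client cap of 49 characters are all constructed here (the cap is chosen because it reproduces the "mgwhyccccccb" public ID from the first post's log); the message strings are the ones the thread shows.

```python
import re

OTP_LEN = 44        # a YubiKey OTP is 44 modhex characters
PUBLIC_ID_LEN = 12  # the first 12 identify the key, the remaining 32 are the encrypted token
MODHEX = re.compile(r"^[cbdefghijklnrtuv]*$")

# Constructed tables: domains the VA knows, a default domain applied to bare usernames
# (an assumption of this model), and which public ID is registered to which user.
CONFIGURED_DOMAINS = {"xxxx-xxxxx.com"}
DEFAULT_DOMAIN = "xxxx-xxxxx.com"
KEY_OWNERS = {"ccccccbhejgc": "test"}
# Constructed OTP: the public ID is the one in the thread's success log, the token is made up.
SAMPLE_OTP = "ccccccbhejgc" + "dlgtvhuejnrkfcbktgidunrvrhgblftv"


def client_field(username, otp, max_len=None):
    """Model the VPN client with 'Append OTP to username': concatenate, then silently
    truncate if the client caps the field (max_len is assumed, not stated in the thread)."""
    field = username + otp
    return field if max_len is None else field[:max_len]


def split_field(field):
    """Server side: the last 44 characters are taken as the OTP, the first 12 of those as
    the public ID, and whatever precedes the OTP is the username."""
    user, otp = field[:-OTP_LEN], field[-OTP_LEN:]
    return user, otp[:PUBLIC_ID_LEN], otp


def looks_truncated(field):
    """Check usable on a request or on a VA log line: a public ID or OTP containing
    non-modhex characters means something upstream cut the field short."""
    _, _, otp = split_field(field)
    return len(field) <= OTP_LEN or not MODHEX.match(otp)


def authenticate(field):
    """Toy model of the VA decision, returning (user, public_id, message) in the
    shape of the thread's log lines."""
    user, public_id, otp = split_field(field)
    name, _, domain = user.partition("@")
    domain = domain or DEFAULT_DOMAIN
    if domain not in CONFIGURED_DOMAINS:
        return f"{name}@{domain}", "", "VA configuration could not be read"
    if not MODHEX.match(otp) or KEY_OWNERS.get(public_id) != name:
        return f"{name}@{domain}", public_id, "YubiKey OTP validation failed"
    return f"{name}@{domain}", public_id, "Success"
```

With the 49-character cap, "test" plus the OTP (48 characters) arrives intact and succeeds, while "testomgwhy" plus the OTP is cut to 49 characters, so the server's fixed 44-character split lands five characters into the username and the public ID becomes "mgwhyccccccb"; `looks_truncated` flags that line before any validation server is consulted.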
