Yubico Forum


All times are UTC + 1 hour




Posted: Fri Sep 21, 2012 10:18 pm

Joined: Wed Aug 22, 2012 6:00 pm
Posts: 3
Hello,
I am trying to set up my YubiKeys to work with OpenVPN running on my pfSense firewall, using the YubiRADIUS server to authenticate users against Active Directory.

And it works! Sort of… I have a test user that works perfectly. The problem is that I can’t seem to get any other users to work… well, unless their name is test or test2, etc.

I currently have it so that the OTP is being added to the username, since the virtual appliance manual mentioned this was able to get around the issue OpenVPN and some other VPN services have with user name length. But it seems this is also an issue with the username field.

With user “testomgwhy”
Quote:
2012-09-21 15:04:51,@,mgwhyccccccb,YubiKey OTP validation failed
2012-09-21 15:04:51,@,mgwhyccccccb,VA configuration could not be read

The “VA configuration” error just started; before, it was just the OTP message.

With user test
Quote:
2012-09-21 15:06:41,test@xxxx-xxxxx.com,ccccccbhejgc,Success



I have read that people have been able to get this situation to work by using Yubico-PAM in conjunction with freeradius. The problem is that since I am using pfSense to host my OpenVPN server, the complexity of this one-off install is something that I don’t want to do / can’t do, since no one else at my work could pull this off if I got hit by a bus tomorrow.

Is my only option to run a normal installation of OpenVPN + FreeRADIUS that uses Yubico-PAM and PAM_Radius?

Thanks for any help.



Posted: Tue Sep 25, 2012 2:47 pm
Yubico Team

Joined: Mon Feb 22, 2010 9:49 am
Posts: 183
Hello,

It seems that you have configured "Append to OTP" with password in "Global Configuration" and you are sending the OTP with the username in your request/radtest. If you want to send the OTP with the username, please change the "Append to OTP" setting to username in "Global Configuration".

Go to “Global Configuration” >> “General” >> select “Append OTP to” with “Username” and click on save.

Hope this helps! If you are still facing the same issue, please send us a detailed screenshot of the error and the logs to "support@yubico.com".

Thanks and best regards,
Samir.


Posted: Fri Sep 28, 2012 6:24 pm

Joined: Wed Aug 22, 2012 6:00 pm
Posts: 3
I do have "Append OTP to Username" set in the global configuration. And this works fine when I am using a small name like Test, but anything longer than 5 characters and the username starts to show up in the "YubiKey Public ID" field.

I guess I will try and get as much information as I can and send it to the support email.

Thanks


Posted: Mon Oct 01, 2012 5:45 pm

Joined: Mon Oct 01, 2012 5:30 pm
Posts: 1
We are using this combination, but appending the OTP to passwords.

There was a problem with the max password length being too short in the OpenVPN GUI client (see http://sourceforge.net/tracker/index.ph ... id=1327094) - I wonder whether there is a similar restriction on the username in the client?

A build of OpenVPN GUI with that fix worked fine when we tried it, or there are other OpenVPN clients about (e.g. Viscosity, which is not free, but works well for us).

Steve.


Posted: Fri Oct 05, 2012 7:52 pm

Joined: Wed Aug 22, 2012 6:00 pm
Posts: 3
MrSteve wrote:
We are using this combination, but appending the OTP to passwords.

There was a problem with the max password length being too short in the OpenVPN GUI client (see http://sourceforge.net/tracker/index.ph ... id=1327094) - I wonder whether there is a similar restriction on the username in the client?

A build of OpenVPN GUI with that fix worked fine when we tried it, or there are other OpenVPN clients about (e.g. Viscosity, which is not free, but works well for us).

Steve.

!!!
IT WORKS!

After applying the patch from Oct 1st to fix FreeRADIUS...
And pfSense's "OpenVPN Client Export Utility" has been upgraded to 0.25 and includes the OpenVPN 2.3 Beta Client.

It all works, and I have the OTP being appended to the password.

Thanks MrSteve for the heads up on this being a VPN client problem.


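An added example, not part of the thread and not YubiRADIUS code: a Python model of splitting a combined username+OTP field, assuming the server treats the last 44 characters as the OTP and the first 12 of those as the public ID. The 49-character client limit, the 32-character OTP tail and all function names are assumptions made here; that limit was picked because it reproduces the `mgwhyccccccb` public ID from the failing log line above.

```python
import re

MODHEX = "cbdefghijklnrtuv"   # Yubico's modhex alphabet
OTP_LEN = 44                  # Yubico OTP: 12-char public ID + 32-char token
PUBLIC_ID_LEN = 12
MODHEX_RE = re.compile(f"[{MODHEX}]{{{OTP_LEN}}}")


def split_credential(field):
    """Split 'username+OTP' (or 'password+OTP') into (prefix, public_id, otp).

    Raises ValueError when the trailing 44 characters are not valid modhex,
    which is what a client-truncated field looks like on the server side.
    """
    if len(field) < OTP_LEN:
        raise ValueError("field shorter than one OTP")
    prefix, otp = field[:-OTP_LEN], field[-OTP_LEN:]
    if not MODHEX_RE.fullmatch(otp):
        bad = sorted(set(otp) - set(MODHEX))
        raise ValueError(f"trailing {OTP_LEN} chars are not modhex: {bad}")
    return prefix, otp[:PUBLIC_ID_LEN], otp


def naive_public_id(field):
    """What a splitter without modhex validation would log as the public ID."""
    return field[-OTP_LEN:][:PUBLIC_ID_LEN]


def client_truncate(field, limit):
    """Model a client that silently cuts the field to `limit` characters."""
    return field[:limit]


# Constructed OTP: public ID taken from the thread's log, last 32 chars made up.
SAMPLE_OTP = "ccccccbhejgc" + "bdefghijklnrtuvcbdefghijklnrtuvc"
ASSUMED_LIMIT = 49  # assumption: chosen because it reproduces the failing log line

if __name__ == "__main__":
    for user in ("test", "testomgwhy"):
        sent = client_truncate(user + SAMPLE_OTP, ASSUMED_LIMIT)
        try:
            print(user, "->", split_credential(sent)[:2])
        except ValueError as exc:
            print(user, "-> rejected:", exc,
                  "| naive public ID:", naive_public_id(sent))
```

With the assumed limit, `test` passes intact while `testomgwhy` loses five OTP characters, so the 44-character window slides into the username.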
Posted: Fri Mar 08, 2013 10:38 am

Joined: Tue Feb 12, 2013 11:30 pm
Posts: 8
Since this is the only thread that comes up when searching for this error in Google:

If you have a domain in YubiRadius, domain.com, and a user logs in with username@another.com, then you will get

Code:
username@another.com,,VA configuration could not be read


Posted: Fri Mar 08, 2013 3:26 pm
Yubico Team

Joined: Mon Feb 22, 2010 9:49 am
Posts: 183
Hello,

If you have a domain in YubiRadius as abc.com, then a user from that domain has to log in with username@abc.com; only then will it be authenticated.

If you are still facing the same issue, please send us a detailed screenshot of the error and the logs to "support@yubico.com".

Thanks and best regards,
Samir.

