openvpn-radiusplugin
Error: RADIUS-PLUGIN: FOREGROUND: common_name is not defined
Hi, I'm having issues while trying to establish VPN connection using Radius module for OpenVPN.

cat radius.cnf

    NAS-Identifier=xxxx.domain.name
    Service-Type=5
    Framed-Protocol=1
    NAS-Port-Type=5
    NAS-IP-Address=xxx.xxx.xxx.xxx
    OpenVPNConfig=/etc/openvpn/server.conf
    overwriteccfiles=false
    server
    {
        acctport=1813
        authport=1812
        name=xxx.xxx.xxx.xxx
        retry=1
        wait=1
        sharedsecret=xxxx
    }

cat server.conf

    port xxxx
    proto tcp-server
    dev tun0
    tun-mtu 1392
    ca /etc/openvpn/ca.crt
    cert /etc/openvpn/server.crt
    key /etc/openvpn/server.key
    dh /etc/openvpn/dh2048.pem
    server xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
    daemon
    mode server
    tls-server
    client-to-client
    ifconfig-pool-persist /etc/openvpn/ip.sv
    client-config-dir /etc/openvpn/ccd
    sndbuf 393216
    rcvbuf 393216
    keepalive 10 120
    max-clients 1000
    user openvpn
    group openvpn
    persist-key
    persist-tun
    status /var/log/openvpn/openvpn-status.log
    log-append /var/log/openvpn/openvpn.log
    crl-verify /etc/openvpn/crl.pem
    verb 2
    tun-mtu 1500
    management xxx.xxx.xxx.xxx 5555
    duplicate-cn
    verify-client-cert none
    username-as-common-name
    plugin /etc/openvpn/radius/radiusplugin.so /etc/openvpn/radius/radius.cnf

Can you please clarify what is exactly wrong with my configuration?
OS: CentOS 7 x64
Situation +1
openvpn 2.4.x: use client-cert-not-required, not verify-client-cert none. 2.4.x bug?
openvpn 2.4.x: use client-cert-not-required; tested, it is good.
OpenVPN replaced "client-cert-not-required" with "verify-client-cert". Also, verify-client-cert has parameters, so you need to change it in Config.cpp to something like this:

    // trim leading whitespace
    string::size_type pos = param.find_first_not_of(delims);
    if (pos != string::npos) param.erase(0, pos);
    // keep only the directive name (cut at the first delimiter)
    pos = param.find_first_of(delims);
    if (pos != string::npos) param.erase(pos);
    if (param == "verify-client-cert")
    {
        // after deletechars() the directive and its argument are compared
        // as one string without whitespace
        this->deletechars(&line);
        if (line == "verify-client-certoptional" || line == "verify-client-certnone")
        {
            this->clientcertnotrequired = true;
        }
    }

And recompile.
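
As an added illustration (not part of the thread and not the plugin's own code), the check discussed above can be sketched stand-alone in C++ by tokenizing each config line, so that only `none` and `optional` relax the certificate requirement and `require` does not. The function name, the sample configs, the simplified comment handling and the "last verify-client-cert line decides" rule are assumptions of this example.

```cpp
#include <iostream>
#include <sstream>
#include <string>

// Returns true when the given OpenVPN server config text says that client
// certificates are not required, using either the legacy directive or the
// 2.4+ one. Hypothetical helper written for this example.
bool client_cert_not_required(const std::string &conf)
{
    std::istringstream in(conf);
    std::string line;
    bool result = false;
    while (std::getline(in, line))
    {
        // Simplification: cut the line at the first '#' or ';' (comment
        // markers in OpenVPN configs); quoted arguments are not handled.
        std::string::size_type c = line.find_first_of("#;");
        if (c != std::string::npos) line.erase(c);

        // Tokenize on whitespace so tabs and repeated spaces do not matter.
        std::istringstream words(line);
        std::string directive, arg;
        if (!(words >> directive)) continue;  // blank or comment-only line
        words >> arg;                         // stays empty without an argument

        if (directive == "client-cert-not-required")
            result = true;                    // legacy spelling
        else if (directive == "verify-client-cert")
            // Assumption of this sketch: the last such line decides.
            result = (arg == "none" || arg == "optional");
    }
    return result;
}

int main()
{
    // Constructed sample configs, not taken from the thread.
    const std::string legacy = "client-cert-not-required\nusername-as-common-name\n";
    const std::string modern = "duplicate-cn\nverify-client-cert \t none  # 2.4 syntax\n";
    const std::string strict = "verify-client-cert require\n";
    std::cout << client_cert_not_required(legacy)
              << client_cert_not_required(modern)
              << client_cert_not_required(strict) << "\n";
    return 0;
}
```
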
Thanks @kpolucas I had the same problem on a fresh Ubuntu 18.04_LTS install with openvpn and openvpn-radius-plugin from the official Ubuntu repos as follows:
ii openvpn 2.4.4-2ubuntu1.3 amd64 virtual private network daemon
ii openvpn-auth-radius 2.1-6build1 amd64 OpenVPN RADIUS authentication module
In my openvpn.conf I have the option verify-client-cert none because client-cert-not-required is deprecated.
Applying the patch you suggested the issue was fixed.
Hit the same problem as @fablarosa today with Debian 10 with current packages:
ii openvpn 2.4.7-1 amd64 virtual private network daemon
ii openvpn-auth-radius 2.1-7 amd64 OpenVPN RADIUS authentication module
An easy fix until the packages are updated is to have both openvpn directives verify-client-cert none and client-cert-not-required in the server.conf file.
Since client-cert-not-required is "just" deprecated, openvpn prints a warning message but still runs, this way the plugin is still able to catch the (old) directive.
In more recent versions of OpenVPN client-cert-not-required is no longer just deprecated. Using it will prevent OpenVPN from starting. The patch provided by @kpolucas works well for me.
@kpolucas thanks for the provided solution, however, the plugin didn't work with a Windows-based radius server (NPS)
The IP address was coming with incorrect length and the NPS server was reporting a malformed message error for Accounting-Request.
Did anybody try this plugin with Windows NPS?