Bug #12381

closed

mOTP with RADIUS drops the VPN connection after 60 minutes

Added by Viktor Gurov over 2 years ago. Updated over 2 years ago.

Status:
Rejected
Priority:
Normal
Assignee:
-
Category:
FreeRADIUS
Target version:
-
Start date:
Due date:
% Done:
0%

Estimated time:
Plus Target Version:
Affected Version:
Affected Plus Version:
Affected Architecture:

Description

From https://forum.netgate.com/topic/165967/2fa-mfa-with-radius-drops-the-vpn-connection-after-60-minutes:

I am having problems with the VPN and MFA with RADIUS. Systematically, every hour the connection drops (60 min). There seems to be something that every 60 min drops the connection or disconnects the VPN. I tried looking in the config files, but couldn't find anything. Anyone have any ideas? Thanks.

OpenVPN client output:

2021-09-15 12:06:03 Note: Treating option '--ncp-ciphers' as  '--data-ciphers' (renamed in OpenVPN 2.5).
2021-09-15 12:06:03 OpenVPN 2.5.1 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on May 14 2021
2021-09-15 12:06:03 library versions: OpenSSL 1.1.1k  25 Mar 2021, LZO 2.10
Enter Auth Username: otpuser1
Enter Auth Password: ******                  
2021-09-15 12:06:19 TCP/UDP: Preserving recently used remote address: [AF_INET]192.168.3.4:1195
2021-09-15 12:06:19 UDP link local (bound): [AF_INET][undef]:0
2021-09-15 12:06:19 UDP link remote: [AF_INET]192.168.3.4:1195
2021-09-15 12:06:19 [ipsecCERT] Peer Connection Initiated with [AF_INET]192.168.3.4:1195
2021-09-15 12:06:19 TUN/TAP device tun1 opened
2021-09-15 12:06:19 net_iface_mtu_set: mtu 1500 for tun1
2021-09-15 12:06:19 net_iface_up: set tun1 up
2021-09-15 12:06:19 net_addr_v4_add: 10.55.55.3/24 dev tun1
2021-09-15 12:06:19 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2021-09-15 12:06:19 Initialization Sequence Completed
2021-09-15 13:05:37 [ipsecCERT] Inactivity timeout (--ping-restart), restarting
2021-09-15 13:05:37 SIGUSR1[soft,ping-restart] received, process restarting
2021-09-15 13:05:42 TCP/UDP: Preserving recently used remote address: [AF_INET]192.168.3.4:1195
2021-09-15 13:05:42 UDP link local (bound): [AF_INET][undef]:0
2021-09-15 13:05:42 UDP link remote: [AF_INET]192.168.3.4:1195
2021-09-15 13:05:42 [ipsecCERT] Peer Connection Initiated with [AF_INET]192.168.3.4:1195
2021-09-15 13:05:48 AUTH: Received control message: AUTH_FAILED
2021-09-15 13:05:48 SIGTERM received, sending exit notification to peer
2021-09-15 13:05:49 net_addr_v4_del: 10.55.55.3 dev tun1
2021-09-15 13:05:49 SIGTERM[soft,exit-with-notification] received, process exiting

radiusd -X output:

(0) motp: Executing: /usr/local/bin/bash /usr/local/etc/raddb/scripts/otpverify.sh %{request:User-Name} %{request:User-Password} %{reply:MOTP-Init-Secret} %{reply:MOTP-PIN} %{reply:MOTP-Offset}:
(0) motp: EXPAND %{request:User-Name}
(0) motp:    --> otpuser1
(0) motp: EXPAND %{request:User-Password}
(0) motp:    --> 23ace5
(0) motp: EXPAND %{reply:MOTP-Init-Secret}
(0) motp:    --> 8abe2f27456f801a
(0) motp: EXPAND %{reply:MOTP-PIN}
(0) motp:    --> 1234
(0) motp: EXPAND %{reply:MOTP-Offset}
(0) motp:    --> 0
(0) motp: Program returned code (0) and output 'ACCEPT'
(0) motp: Program executed successfully
(0)     [motp] = ok
(0)   } # Auth-Type MOTP = ok
(0) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default
(0)   post-auth {
(0)     update {
(0)       No attributes updated for RHS &session-state:
(0)     } # update = noop
(0)     [exec] = noop
(0)     policy remove_reply_message_if_eap {
(0)       if (&reply:EAP-Message && &reply:Reply-Message) {
(0)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(0)       else {
(0)         [noop] = noop
(0)       } # else = noop
(0)     } # policy remove_reply_message_if_eap = noop
(0)   } # post-auth = noop
(0) Login OK: [otpuser1] (from client localhost port 1195 cli 192.168.122.179:1195) 
(0) Sent Access-Accept Id 52 from 127.0.0.1:1812 to 127.0.0.1:10007 length 0
...
(2) motp: Executing: /usr/local/bin/bash /usr/local/etc/raddb/scripts/otpverify.sh %{request:User-Name} %{request:User-Password} %{reply:MOTP-Init-Secret} %{reply:MOTP-PIN} %{reply:MOTP-Offset}:
(2) motp: EXPAND %{request:User-Name}
(2) motp:    --> otpuser1
(2) motp: EXPAND %{request:User-Password}
(2) motp:    --> 23ace5
(2) motp: EXPAND %{reply:MOTP-Init-Secret}
(2) motp:    --> 8abe2f27456f801a
(2) motp: EXPAND %{reply:MOTP-PIN}
(2) motp:    --> 1234
(2) motp: EXPAND %{reply:MOTP-Offset}
(2) motp:    --> 0
(2) motp: ERROR: Program returned code (11) and output 'FAIL'
(2) motp: ERROR: Program returned invalid code (greater than max rcode) (11 > 9): FAIL
(2)     [motp] = fail
(2)   } # Auth-Type MOTP = fail
(2) Failed to authenticate the user
(2) Using Post-Auth-Type Reject
(2) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(2)   Post-Auth-Type REJECT {
(2) attr_filter.access_reject: EXPAND %{User-Name}
(2) attr_filter.access_reject:    --> otpuser1
(2) attr_filter.access_reject: Matched entry DEFAULT at line 11
(2)     [attr_filter.access_reject] = updated
(2)     [eap] = noop
(2)     policy remove_reply_message_if_eap {
(2)       if (&reply:EAP-Message && &reply:Reply-Message) {
(2)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(2)       else {
(2)         [noop] = noop
(2)       } # else = noop
(2)     } # policy remove_reply_message_if_eap = noop
(2)   } # Post-Auth-Type REJECT = updated
(2) Login incorrect (Failed retrieving values required to evaluate condition): [otpuser1] (from client localhost port 1195 cli 192.168.122.179:1195) 
(2) Delaying response for 1.000000 seconds
Waking up in 0.2 seconds.
Waking up in 0.7 seconds.
(2) Sending delayed response
(2) Sent Access-Reject Id 215 from 127.0.0.1:1812 to 127.0.0.1:54875 length 20

pfSense-pkg-freeradius3-0.15.7_32


Files

radiudX-motp-issue.txt (11.3 KB) radiudX-motp-issue.txt Viktor Gurov, 09/15/2021 09:46 AM
#1

Updated by Jim Pingle over 2 years ago

I don't think that's FreeRADIUS, but OpenVPN. IIRC OpenVPN defaults to reconnecting every 60 minutes, but can be changed with reneg-sec 0 for example.

When the connection drops it tries to reconnect but fails because it can't possibly succeed again non-interactively, as the password it has will fail since the OTP code is outdated by then. So FreeRADIUS is doing everything correctly, it's OpenVPN itself that is leading to this.

Even some systems like Duo recommend using reneg-sec 0 with 2-factor auth due to the way OpenVPN behaves.

#2

Updated by Kris Phillips over 2 years ago

  • Status changed from New to Rejected

Jim Pingle wrote in #note-1:

I don't think that's FreeRADIUS, but OpenVPN. IIRC OpenVPN defaults to reconnecting every 60 minutes, but can be changed with reneg-sec 0 for example.

When the connection drops it tries to reconnect but fails because it can't possibly succeed again non-interactively, as the password it has will fail since the OTP code is outdated by then. So FreeRADIUS is doing everything correctly, it's OpenVPN itself that is leading to this.

Even some systems like Duo recommend using reneg-sec 0 with 2-factor auth due to the way OpenVPN behaves.

Can confirm this is due to the OTP changing when it goes to reauth. Disabling renegotiation is the only solution here, although we could add an option to do this in the OpenVPN config GUI for the server.
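A small log check for the failure pattern diagnosed in this thread, added here as an example and not part of the issue, pfSense or OpenVPN code: it reads OpenVPN client log lines in the format shown above and reports a session that completed initialization, restarted roughly one hour later and then received AUTH_FAILED, which is what a reneg-sec renegotiation replaying a stale one-time password looks like on the client side. The sample log is a constructed excerpt in the same shape as the one in the report; the one-hour window and tolerance are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the shape of the OpenVPN client log quoted in the report.
SAMPLE_LOG = """\
2021-09-15 12:06:19 Initialization Sequence Completed
2021-09-15 13:05:37 [ipsecCERT] Inactivity timeout (--ping-restart), restarting
2021-09-15 13:05:37 SIGUSR1[soft,ping-restart] received, process restarting
2021-09-15 13:05:42 [ipsecCERT] Peer Connection Initiated with [AF_INET]192.168.3.4:1195
2021-09-15 13:05:48 AUTH: Received control message: AUTH_FAILED
"""

# OpenVPN 2.5 client lines start with "YYYY-MM-DD HH:MM:SS " followed by the message.
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (.*)$")


def parse(log_text):
    """Return (timestamp, message) pairs; lines without a timestamp (prompts) are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(2)))
    return events


def find_reneg_otp_failures(log_text, expected=timedelta(hours=1), tolerance=timedelta(minutes=10)):
    """Return (init_time, restart_time, fail_time) triples for each session that
    initialized, restarted about `expected` later (assumed default reneg-sec 3600)
    and then failed authentication on the non-interactive reconnect."""
    hits = []
    last_init = None
    last_restart = None
    for ts, msg in parse(log_text):
        if msg.endswith("Initialization Sequence Completed"):
            last_init, last_restart = ts, None          # new session, reset state
        elif "process restarting" in msg:
            last_restart = ts                           # SIGUSR1 / ping-restart
        elif "AUTH_FAILED" in msg and last_init and last_restart:
            if abs((last_restart - last_init) - expected) <= tolerance:
                hits.append((last_init, last_restart, ts))
            last_restart = None
    return hits


if __name__ == "__main__":
    for init_t, restart_t, fail_t in find_reneg_otp_failures(SAMPLE_LOG):
        print(f"session up {init_t}, restarted {restart_t}, AUTH_FAILED {fail_t}: "
              "likely renegotiation with a cached OTP; consider reneg-sec 0")
```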
