Bug #12381
[Closed] mOTP with RADIUS drops the VPN connection after 60 minutes
Description
from https://forum.netgate.com/topic/165967/2fa-mfa-with-radius-drops-the-vpn-connection-after-60-minutes:
I am having problems with the VPN and MFA with RADIUS. Systematically, every hour the connection drops (60 min). There seems to be something that every 60 min drops the connection or disconnects the VPN. I tried looking in the config files, but couldn't find anything. Anyone have any ideas? Thanks.
openvpn client output:
2021-09-15 12:06:03 Note: Treating option '--ncp-ciphers' as '--data-ciphers' (renamed in OpenVPN 2.5).
2021-09-15 12:06:03 OpenVPN 2.5.1 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on May 14 2021
2021-09-15 12:06:03 library versions: OpenSSL 1.1.1k 25 Mar 2021, LZO 2.10
Enter Auth Username: otpuser1
Enter Auth Password: ******
2021-09-15 12:06:19 TCP/UDP: Preserving recently used remote address: [AF_INET]192.168.3.4:1195
2021-09-15 12:06:19 UDP link local (bound): [AF_INET][undef]:0
2021-09-15 12:06:19 UDP link remote: [AF_INET]192.168.3.4:1195
2021-09-15 12:06:19 [ipsecCERT] Peer Connection Initiated with [AF_INET]192.168.3.4:1195
2021-09-15 12:06:19 TUN/TAP device tun1 opened
2021-09-15 12:06:19 net_iface_mtu_set: mtu 1500 for tun1
2021-09-15 12:06:19 net_iface_up: set tun1 up
2021-09-15 12:06:19 net_addr_v4_add: 10.55.55.3/24 dev tun1
2021-09-15 12:06:19 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2021-09-15 12:06:19 Initialization Sequence Completed
2021-09-15 13:05:37 [ipsecCERT] Inactivity timeout (--ping-restart), restarting
2021-09-15 13:05:37 SIGUSR1[soft,ping-restart] received, process restarting
2021-09-15 13:05:42 TCP/UDP: Preserving recently used remote address: [AF_INET]192.168.3.4:1195
2021-09-15 13:05:42 UDP link local (bound): [AF_INET][undef]:0
2021-09-15 13:05:42 UDP link remote: [AF_INET]192.168.3.4:1195
2021-09-15 13:05:42 [ipsecCERT] Peer Connection Initiated with [AF_INET]192.168.3.4:1195
2021-09-15 13:05:48 AUTH: Received control message: AUTH_FAILED
2021-09-15 13:05:48 SIGTERM received, sending exit notification to peer
2021-09-15 13:05:49 net_addr_v4_del: 10.55.55.3 dev tun1
2021-09-15 13:05:49 SIGTERM[soft,exit-with-notification] received, process exiting
radiusd -X output:
(0) motp: Executing: /usr/local/bin/bash /usr/local/etc/raddb/scripts/otpverify.sh %{request:User-Name} %{request:User-Password} %{reply:MOTP-Init-Secret} %{reply:MOTP-PIN} %{reply:MOTP-Offset}:
(0) motp: EXPAND %{request:User-Name}
(0) motp: --> otpuser1
(0) motp: EXPAND %{request:User-Password}
(0) motp: --> 23ace5
(0) motp: EXPAND %{reply:MOTP-Init-Secret}
(0) motp: --> 8abe2f27456f801a
(0) motp: EXPAND %{reply:MOTP-PIN}
(0) motp: --> 1234
(0) motp: EXPAND %{reply:MOTP-Offset}
(0) motp: --> 0
(0) motp: Program returned code (0) and output 'ACCEPT'
(0) motp: Program executed successfully
(0) [motp] = ok
(0) } # Auth-Type MOTP = ok
(0) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default
(0) post-auth {
(0) update {
(0) No attributes updated for RHS &session-state:
(0) } # update = noop
(0) [exec] = noop
(0) policy remove_reply_message_if_eap {
(0) if (&reply:EAP-Message && &reply:Reply-Message) {
(0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(0) else {
(0) [noop] = noop
(0) } # else = noop
(0) } # policy remove_reply_message_if_eap = noop
(0) } # post-auth = noop
(0) Login OK: [otpuser1] (from client localhost port 1195 cli 192.168.122.179:1195)
(0) Sent Access-Accept Id 52 from 127.0.0.1:1812 to 127.0.0.1:10007 length 0
...
(2) motp: Executing: /usr/local/bin/bash /usr/local/etc/raddb/scripts/otpverify.sh %{request:User-Name} %{request:User-Password} %{reply:MOTP-Init-Secret} %{reply:MOTP-PIN} %{reply:MOTP-Offset}:
(2) motp: EXPAND %{request:User-Name}
(2) motp: --> otpuser1
(2) motp: EXPAND %{request:User-Password}
(2) motp: --> 23ace5
(2) motp: EXPAND %{reply:MOTP-Init-Secret}
(2) motp: --> 8abe2f27456f801a
(2) motp: EXPAND %{reply:MOTP-PIN}
(2) motp: --> 1234
(2) motp: EXPAND %{reply:MOTP-Offset}
(2) motp: --> 0
(2) motp: ERROR: Program returned code (11) and output 'FAIL'
(2) motp: ERROR: Program returned invalid code (greater than max rcode) (11 > 9): FAIL
(2) [motp] = fail
(2) } # Auth-Type MOTP = fail
(2) Failed to authenticate the user
(2) Using Post-Auth-Type Reject
(2) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(2) Post-Auth-Type REJECT {
(2) attr_filter.access_reject: EXPAND %{User-Name}
(2) attr_filter.access_reject: --> otpuser1
(2) attr_filter.access_reject: Matched entry DEFAULT at line 11
(2) [attr_filter.access_reject] = updated
(2) [eap] = noop
(2) policy remove_reply_message_if_eap {
(2) if (&reply:EAP-Message && &reply:Reply-Message) {
(2) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(2) else {
(2) [noop] = noop
(2) } # else = noop
(2) } # policy remove_reply_message_if_eap = noop
(2) } # Post-Auth-Type REJECT = updated
(2) Login incorrect (Failed retrieving values required to evaluate condition): [otpuser1] (from client localhost port 1195 cli 192.168.122.179:1195)
(2) Delaying response for 1.000000 seconds
Waking up in 0.2 seconds.
Waking up in 0.7 seconds.
(2) Sending delayed response
(2) Sent Access-Reject Id 215 from 127.0.0.1:1812 to 127.0.0.1:54875 length 20
pfSense-pkg-freeradius3-0.15.7_32
Updated by Jim Pingle over 2 years ago
I don't think that's FreeRADIUS, but OpenVPN. IIRC OpenVPN defaults to reconnecting every 60 minutes, but can be changed with reneg-sec 0 for example.
When the connection drops it tries to reconnect but fails because it can't possibly succeed again non-interactively, as the password it has will fail since the OTP code is outdated by then. So FreeRADIUS is doing everything correctly, it's OpenVPN itself that is leading to this.
Even some systems like Duo recommend using reneg-sec 0 with 2-factor auth due to the way OpenVPN behaves.
Updated by Kris Phillips over 2 years ago
- Status changed from New to Rejected
Jim Pingle wrote in #note-1:
I don't think that's FreeRADIUS, but OpenVPN. IIRC OpenVPN defaults to reconnecting every 60 minutes, but can be changed with reneg-sec 0 for example.
When the connection drops it tries to reconnect but fails because it can't possibly succeed again non-interactively, as the password it has will fail since the OTP code is outdated by then. So FreeRADIUS is doing everything correctly, it's OpenVPN itself that is leading to this.
Even some systems like Duo recommend using reneg-sec 0 with 2-factor auth due to the way OpenVPN behaves.
Can confirm this is due to the OTP changing when it goes to reauth. Disabling renegotiation is the only solution here, although we could add an option to do this in the OpenVPN config GUI for the server.
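As an added example (not from the bug report, pfSense or FreeRADIUS), a Python check of the two logs above for the signature the comments describe: a restart of an established tunnel after roughly an hour that ends in AUTH_FAILED, and the same one-time password carried by more than one RADIUS request, which is what a client re-authenticating non-interactively with a cached OTP looks like. The sample logs are constructed from the lines quoted in the description; the "TLS: soft reset" match is OpenVPN's renegotiation message and is an assumption, since it does not appear in the reported log.

```python
import re
from datetime import datetime

# Both samples are constructed from the lines quoted in the bug report, not live captures.
OPENVPN_LOG = """\
2021-09-15 12:06:19 Initialization Sequence Completed
2021-09-15 13:05:37 SIGUSR1[soft,ping-restart] received, process restarting
2021-09-15 13:05:48 AUTH: Received control message: AUTH_FAILED
"""

RADIUS_LOG = """\
(0) motp: EXPAND %{request:User-Name}
(0) motp: --> otpuser1
(0) motp: EXPAND %{request:User-Password}
(0) motp: --> 23ace5
(2) motp: EXPAND %{request:User-Name}
(2) motp: --> otpuser1
(2) motp: EXPAND %{request:User-Password}
(2) motp: --> 23ace5
"""

def restart_auth_failures(log):
    """Return (minutes_up, reason) for every restart or TLS renegotiation of an established tunnel
    that ends in AUTH_FAILED. 'TLS: soft reset' is assumed to be OpenVPN's reneg-sec message."""
    results, started, pending = [], None, None
    for stamp, msg in re.findall(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (.*)$", log, re.M):
        ts = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
        if "Initialization Sequence Completed" in msg:
            started, pending = ts, None
        elif started and ("process restarting" in msg or "TLS: soft reset" in msg):
            sig = re.search(r"SIGUSR1\[soft,([^\]]+)\]", msg)
            pending = (round((ts - started).total_seconds() / 60), sig[1] if sig else "reneg")
        elif pending and "AUTH_FAILED" in msg:
            results.append(pending)
            pending = None
    return results

def reused_otp_passwords(log):
    """Map (User-Name, User-Password) to the radiusd request ids carrying it and keep pairs seen
    in more than one request: a one-time code reused this way is a replayed cached value."""
    pending, names, seen = {}, {}, {}
    for rid, attr, value in re.findall(
            r"^\((\d+)\) motp: (?:EXPAND %\{request:(User-Name|User-Password)\}|--> (\S+))$", log, re.M):
        if attr:  # an EXPAND line: remember which attribute the next '-->' line expands
            pending[rid] = attr
        elif (attr := pending.pop(rid, None)) == "User-Name":  # '-->' of an untracked attribute gives None
            names[rid] = value
        elif attr == "User-Password" and rid in names:
            seen.setdefault((names[rid], value), []).append(rid)
    return {k: v for k, v in seen.items() if len(v) > 1}
```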