Bug #12381
mOTP with RADIUS drops the VPN connection after 60 minutes (closed)
Status: Rejected
Priority: Normal
Assignee: -
Category: FreeRADIUS
Target version: -
% Done: 0%
Description
from https://forum.netgate.com/topic/165967/2fa-mfa-with-radius-drops-the-vpn-connection-after-60-minutes:
I am having problems with the VPN and MFA with RADIUS. Systematically, every hour the connection drops (60 min). There seems to be something that every 60 min drops the connection or disconnects the VPN. I tried looking in the config files, but couldn't find anything. Anyone have any ideas? Thanks.
OpenVPN client output:
2021-09-15 12:06:03 Note: Treating option '--ncp-ciphers' as '--data-ciphers' (renamed in OpenVPN 2.5).
2021-09-15 12:06:03 OpenVPN 2.5.1 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on May 14 2021
2021-09-15 12:06:03 library versions: OpenSSL 1.1.1k 25 Mar 2021, LZO 2.10
Enter Auth Username: otpuser1
Enter Auth Password: ******
2021-09-15 12:06:19 TCP/UDP: Preserving recently used remote address: [AF_INET]192.168.3.4:1195
2021-09-15 12:06:19 UDP link local (bound): [AF_INET][undef]:0
2021-09-15 12:06:19 UDP link remote: [AF_INET]192.168.3.4:1195
2021-09-15 12:06:19 [ipsecCERT] Peer Connection Initiated with [AF_INET]192.168.3.4:1195
2021-09-15 12:06:19 TUN/TAP device tun1 opened
2021-09-15 12:06:19 net_iface_mtu_set: mtu 1500 for tun1
2021-09-15 12:06:19 net_iface_up: set tun1 up
2021-09-15 12:06:19 net_addr_v4_add: 10.55.55.3/24 dev tun1
2021-09-15 12:06:19 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2021-09-15 12:06:19 Initialization Sequence Completed
2021-09-15 13:05:37 [ipsecCERT] Inactivity timeout (--ping-restart), restarting
2021-09-15 13:05:37 SIGUSR1[soft,ping-restart] received, process restarting
2021-09-15 13:05:42 TCP/UDP: Preserving recently used remote address: [AF_INET]192.168.3.4:1195
2021-09-15 13:05:42 UDP link local (bound): [AF_INET][undef]:0
2021-09-15 13:05:42 UDP link remote: [AF_INET]192.168.3.4:1195
2021-09-15 13:05:42 [ipsecCERT] Peer Connection Initiated with [AF_INET]192.168.3.4:1195
2021-09-15 13:05:48 AUTH: Received control message: AUTH_FAILED
2021-09-15 13:05:48 SIGTERM received, sending exit notification to peer
2021-09-15 13:05:49 net_addr_v4_del: 10.55.55.3 dev tun1
2021-09-15 13:05:49 SIGTERM[soft,exit-with-notification] received, process exiting
radiusd -X output:
(0) motp: Executing: /usr/local/bin/bash /usr/local/etc/raddb/scripts/otpverify.sh %{request:User-Name} %{request:User-Password} %{reply:MOTP-Init-Secret} %{reply:MOTP-PIN} %{reply:MOTP-Offset}:
(0) motp: EXPAND %{request:User-Name}
(0) motp: --> otpuser1
(0) motp: EXPAND %{request:User-Password}
(0) motp: --> 23ace5
(0) motp: EXPAND %{reply:MOTP-Init-Secret}
(0) motp: --> 8abe2f27456f801a
(0) motp: EXPAND %{reply:MOTP-PIN}
(0) motp: --> 1234
(0) motp: EXPAND %{reply:MOTP-Offset}
(0) motp: --> 0
(0) motp: Program returned code (0) and output 'ACCEPT'
(0) motp: Program executed successfully
(0) [motp] = ok
(0) } # Auth-Type MOTP = ok
(0) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default
(0) post-auth {
(0) update {
(0) No attributes updated for RHS &session-state:
(0) } # update = noop
(0) [exec] = noop
(0) policy remove_reply_message_if_eap {
(0) if (&reply:EAP-Message && &reply:Reply-Message) {
(0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(0) else {
(0) [noop] = noop
(0) } # else = noop
(0) } # policy remove_reply_message_if_eap = noop
(0) } # post-auth = noop
(0) Login OK: [otpuser1] (from client localhost port 1195 cli 192.168.122.179:1195)
(0) Sent Access-Accept Id 52 from 127.0.0.1:1812 to 127.0.0.1:10007 length 0
...
(2) motp: Executing: /usr/local/bin/bash /usr/local/etc/raddb/scripts/otpverify.sh %{request:User-Name} %{request:User-Password} %{reply:MOTP-Init-Secret} %{reply:MOTP-PIN} %{reply:MOTP-Offset}:
(2) motp: EXPAND %{request:User-Name}
(2) motp: --> otpuser1
(2) motp: EXPAND %{request:User-Password}
(2) motp: --> 23ace5
(2) motp: EXPAND %{reply:MOTP-Init-Secret}
(2) motp: --> 8abe2f27456f801a
(2) motp: EXPAND %{reply:MOTP-PIN}
(2) motp: --> 1234
(2) motp: EXPAND %{reply:MOTP-Offset}
(2) motp: --> 0
(2) motp: ERROR: Program returned code (11) and output 'FAIL'
(2) motp: ERROR: Program returned invalid code (greater than max rcode) (11 > 9): FAIL
(2) [motp] = fail
(2) } # Auth-Type MOTP = fail
(2) Failed to authenticate the user
(2) Using Post-Auth-Type Reject
(2) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(2) Post-Auth-Type REJECT {
(2) attr_filter.access_reject: EXPAND %{User-Name}
(2) attr_filter.access_reject: --> otpuser1
(2) attr_filter.access_reject: Matched entry DEFAULT at line 11
(2) [attr_filter.access_reject] = updated
(2) [eap] = noop
(2) policy remove_reply_message_if_eap {
(2) if (&reply:EAP-Message && &reply:Reply-Message) {
(2) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(2) else {
(2) [noop] = noop
(2) } # else = noop
(2) } # policy remove_reply_message_if_eap = noop
(2) } # Post-Auth-Type REJECT = updated
(2) Login incorrect (Failed retrieving values required to evaluate condition): [otpuser1] (from client localhost port 1195 cli 192.168.122.179:1195)
(2) Delaying response for 1.000000 seconds
Waking up in 0.2 seconds.
Waking up in 0.7 seconds.
(2) Sending delayed response
(2) Sent Access-Reject Id 215 from 127.0.0.1:1812 to 127.0.0.1:54875 length 20
pfSense-pkg-freeradius3-0.15.7_32
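As an added example that is not part of the bug report or of the pfSense/FreeRADIUS package code: the two traces above show the same six-character code (23ace5) presented in request (0) and again in request (2) about an hour later, after OpenVPN's ping-restart made the client reconnect with the auth-user-pass it had cached (the client warned about exactly that at 12:06:19). A Mobile-OTP code is derived from the current 10-second time step, so a cached code cannot verify an hour later; the verify script then exits with 11, which rlm_exec treats as fail because it lies outside the 0..9 return-code range it maps to module results. The Python below implements the mOTP formula as published by the Mobile-OTP project (assumption: pfSense's otpverify.sh uses the same formula; the +/-3-minute window is my choice, not taken from the page) and a small audit over radiusd -X lines, constructed after the ones above, that flags both the replayed OTP and the out-of-range exit code. The secret and PIN in the demo are the ones radiusd -X printed above; a debug trace like this exposes them in the clear, so treat captured traces as sensitive.

```python
"""Added example, not part of the bug report or of the pfSense/FreeRADIUS code.

Assumptions (not taken from the page): the Mobile-OTP formula from the
Mobile-OTP project (OTP = first 6 hex digits of MD5(str(epoch // 10) + secret
+ PIN)), a +/-3 minute acceptance window, and rlm_exec's rule that a script
exit code above 9 is treated as 'fail' (as the trace above reports)."""

import hashlib
import hmac
import re
from collections import defaultdict


def motp_code(secret: str, pin: str, epoch: int) -> str:
    """Mobile-OTP code for the 10-second time step that contains `epoch`."""
    return hashlib.md5(f"{epoch // 10}{secret}{pin}".encode()).hexdigest()[:6]


def motp_verify(secret: str, pin: str, otp: str, now: int, window_s: int = 180) -> bool:
    """Accept `otp` only if it matches a 10-second step within +/-window_s of `now`.

    A code cached by the VPN client and resent an hour later is hundreds of
    steps away from any accepted one, so it fails: the AUTH_FAILED on reconnect."""
    base, steps = now // 10, window_s // 10
    return any(
        hmac.compare_digest(otp, motp_code(secret, pin, (base + d) * 10))
        for d in range(-steps, steps + 1)
    )


def replay_demo() -> tuple[bool, bool]:
    """Secret/PIN are the values radiusd -X printed above; t0 is a constructed
    Unix time. Returns (accepted at t0, accepted when replayed an hour later)."""
    secret, pin, t0 = "8abe2f27456f801a", "1234", 1631700000
    otp = motp_code(secret, pin, t0)
    return motp_verify(secret, pin, otp, t0), motp_verify(secret, pin, otp, t0 + 3600)


# Constructed radiusd -X excerpt shaped like the report's trace: two requests,
# the same User-Password in both, the second failing with exit code 11.
# reply: attributes (the secret) are present but deliberately not collected.
SAMPLE_LOG = """\
(0) motp: EXPAND %{request:User-Name}
(0) motp: --> otpuser1
(0) motp: EXPAND %{request:User-Password}
(0) motp: --> 23ace5
(0) motp: EXPAND %{reply:MOTP-Init-Secret}
(0) motp: --> 8abe2f27456f801a
(0) motp: Program returned code (0) and output 'ACCEPT'
(2) motp: EXPAND %{request:User-Name}
(2) motp: --> otpuser1
(2) motp: EXPAND %{request:User-Password}
(2) motp: --> 23ace5
(2) motp: ERROR: Program returned code (11) and output 'FAIL'
"""

RE_LINE = re.compile(r"^\((\d+)\) motp: (.*)$")
RE_RC = re.compile(r"Program returned code \((\d+)\)")


def parse_motp_requests(log: str) -> dict[str, dict]:
    """Map request id -> {'User-Name': ..., 'User-Password': ..., 'rc': int}."""
    reqs: dict[str, dict] = defaultdict(dict)
    pending: dict[str, str] = {}  # request id -> request: attribute awaiting '-->'
    for line in log.splitlines():
        m = RE_LINE.match(line)
        if not m:
            continue
        rid, rest = m.group(1), m.group(2)
        if rest.startswith("EXPAND %{request:") and rest.endswith("}"):
            pending[rid] = rest[len("EXPAND %{request:"):-1]
        elif rest.startswith("--> ") and rid in pending:
            reqs[rid][pending.pop(rid)] = rest[4:]
        else:
            rc = RE_RC.search(rest)
            if rc:
                reqs[rid]["rc"] = int(rc.group(1))
    return dict(reqs)


def audit(log: str) -> list[str]:
    """Flag out-of-range script exit codes and OTP values presented more than once."""
    findings: list[str] = []
    presented: dict[tuple[str, str], list[str]] = defaultdict(list)
    for rid, r in parse_motp_requests(log).items():
        if "User-Name" in r and "User-Password" in r:
            presented[(r["User-Name"], r["User-Password"])].append(rid)
        if r.get("rc", 0) > 9:
            findings.append(f"request {rid}: script exit code {r['rc']} is outside "
                            f"rlm_exec's 0..9 range and is treated as fail")
    for (user, _otp), rids in presented.items():
        if len(rids) > 1:
            findings.append(f"user {user}: same OTP presented in requests "
                            f"{', '.join(rids)} (cached password replayed on reconnect)")
    return findings


if __name__ == "__main__":
    print("accepted at t0 / replayed an hour later:", replay_demo())
    print("\n".join(audit(SAMPLE_LOG)))
```

Run it as-is to see the replay rejected and the two findings; point `audit()` at a real `radiusd -X` capture to check a live server for the same pattern. The audit only keys on `request:` attributes, so it never stores the MOTP-Init-Secret or PIN that the debug trace also prints.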