ValdikSS / openvpn-radiusplugin

Radiusplugin with various patches and fixes
GNU General Public License v2.0

No encryption available for authentication #11

Open computergeek125 opened 6 years ago

computergeek125 commented 6 years ago

I've been working on deploying a remote-access VPN system with this plugin, OpenVPN and strongSwan. My backend authentication is Windows Network Policy Server (NPS, Microsoft's RADIUS server) running on a separate virtual Server 2016 node accessible via an OpenVPN site-to-site VPN.

Since the strongSwan server is running on the same node as OpenVPN, I reused the NPS settings for this plugin. However, even with correct passwords and secrets, the OpenVPN RADIUS plugin refused to authenticate against the NPS server. After reviewing the Windows security audit log, I found out that this plugin was attempting to authenticate against the NPS server using PAP instead of an encrypted method. Enabling the PAP/SPAP authentication method in NPS (which triggers a warning from Windows) allowed authentication to complete successfully.

Granted, my Windows Server VM is on the same ESXi node as my firewall (where the site-to-site terminates), so I could probably lock security down pretty hard with that plus other NPS settings, or even make a nested VPN directly to my Windows Server, but I don't like that unencrypted traffic is present at all.

Would it be possible to add some or all of the encryption methods available for Windows NPS? I can provide the list my server shows if needed.
Here are my settings for the RADIUS plugin:

NAS-Identifier=poseidon_openvpn
Service-Type=5 # might need to be 2
Framed-Protocol=1
NAS-Port-Type=5
NAS-IP-Address=x.x.x.254
OpenVPNConfig=/etc/openvpn/remoteaccess.conf
overwriteccfiles=false
useauthcontrolfile=false
subnet=255.255.255.128
server
{
        # The UDP port for radius accounting.
        acctport=1813
        # The UDP port for radius authentication.
        authport=1812
        # The name or ip address of the radius server.
        name=radius.win.***.***
        # How many times should the plugin send the request if there is no response?
        retry=3
        # How long should the plugin wait for a response?
        wait=1
        # The shared secret.
        sharedsecret=*******
}

The relevant security audit log entry:

Network Policy Server denied access to a user.

Contact the Network Policy Server administrator for more information.

User:
    Security ID:            ***\***
    Account Name:           ***
    Account Domain:         ***
    Fully Qualified Account Name:   win.***.***/AllUsers/***

Client Machine:
    Security ID:            NULL SID
    Account Name:           -
    Fully Qualified Account Name:   -
    Called Station Identifier:  -
    Calling Station Identifier: x.x.x.x

NAS:
    NAS IPv4 Address:       x.x.x.254
    NAS IPv6 Address:       -
    NAS Identifier:         poseidon_openvpn
    NAS Port-Type:          Virtual
    NAS Port:           2

RADIUS Client:
    Client Friendly Name:       srv-poseidon
    Client IP Address:      x.x.x.254

Authentication Details:
    Connection Request Policy Name: Use Windows authentication for all users
    Network Policy Name:        *** vpn
    Authentication Provider:    Windows
    Authentication Server:      srv-arwen.win.***.***
    Authentication Type:        PAP
    EAP Type:           -
    Account Session Identifier: ******
    Logging Results:        Accounting information was written to the local log file.
    Reason Code:            66
    Reason:             The user attempted to use an authentication method that is not enabled on the matching network policy.
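
To make concrete what "Authentication Type: PAP" means on the wire, here is an added example (not code from openvpn-radiusplugin or from the reporter) that builds a RADIUS Access-Request the PAP way and the CHAP way per RFC 2865 sections 5.2 and 5.3. With PAP the User-Password attribute is only hidden by XOR against an MD5 keystream derived from the shared secret and the Request Authenticator, so anyone holding the shared secret reverses it; with CHAP only an MD5 response to a challenge is sent and the password itself never leaves the client. The shared secret, password, authenticator, challenge and user name are constructed values, and all function names are hypothetical.

```python
import hashlib
import hmac
import struct
from typing import Optional

# RFC 2865 packet code and attribute types used here
ACCESS_REQUEST = 1
USER_NAME = 1
USER_PASSWORD = 2
CHAP_PASSWORD = 3
CHAP_CHALLENGE = 60


def pap_hide(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to a multiple of 16 and XOR each block with
    MD5(secret || previous block), seeded with the Request Authenticator.
    Anyone holding the shared secret can undo this."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += block
        prev = block
    return bytes(out)


def pap_unhide(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of pap_hide: what the server, or an observer with the secret, does."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return bytes(out).rstrip(b"\x00")  # strip the NUL padding


def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 2865 5.3 / RFC 1994: MD5(ident || password || challenge)."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


def chap_verify(ident: int, response: bytes, password: bytes, challenge: bytes) -> bool:
    return hmac.compare_digest(response, chap_response(ident, password, challenge))


def attribute(attr_type: int, value: bytes) -> bytes:
    """RADIUS attribute TLV: type, total length, value (value <= 253 bytes)."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, len(value) + 2]) + value


def access_request(identifier: int, authenticator: bytes, attrs: list) -> bytes:
    body = b"".join(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body)) + authenticator + body


def parse(packet: bytes) -> dict:
    """Split a RADIUS packet into header fields and a {type: value} attribute map."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("bad RADIUS length")
    attrs, pos = {}, 20
    while pos < length:
        t, l = packet[pos], packet[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("bad attribute length")
        attrs[t] = packet[pos + 2:pos + l]
        pos += l
    return {"code": code, "identifier": identifier, "authenticator": packet[4:20], "attrs": attrs}


def pap_request(user: bytes, password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    return access_request(7, authenticator, [
        attribute(USER_NAME, user),
        attribute(USER_PASSWORD, pap_hide(password, secret, authenticator)),
    ])


def chap_request(user: bytes, password: bytes, ident: int, challenge: bytes, authenticator: bytes) -> bytes:
    return access_request(8, authenticator, [
        attribute(USER_NAME, user),
        attribute(CHAP_PASSWORD, bytes([ident]) + chap_response(ident, password, challenge)),
        attribute(CHAP_CHALLENGE, challenge),
    ])


def observer_recovers_pap(packet: bytes, secret: bytes) -> bytes:
    """An on-path observer who knows the shared secret gets the cleartext password back."""
    p = parse(packet)
    return pap_unhide(p["attrs"][USER_PASSWORD], secret, p["authenticator"])


def server_verifies_chap(packet: bytes, stored_password: bytes) -> bool:
    """Server side: recompute the response from the stored cleartext password."""
    p = parse(packet)
    cp = p["attrs"][CHAP_PASSWORD]
    challenge = p["attrs"].get(CHAP_CHALLENGE, p["authenticator"])  # RFC 2865: fall back to the authenticator
    return chap_verify(cp[0], cp[1:], stored_password, challenge)


def chap_offline_guess(packet: bytes, candidates: list) -> Optional[bytes]:
    """Caveat: a captured CHAP response is still open to offline dictionary guessing, secret or not."""
    p = parse(packet)
    cp = p["attrs"][CHAP_PASSWORD]
    challenge = p["attrs"].get(CHAP_CHALLENGE, p["authenticator"])
    return next((g for g in candidates if chap_verify(cp[0], cp[1:], g, challenge)), None)


if __name__ == "__main__":
    # Constructed values; a real client draws a fresh random 16-byte authenticator per request.
    SECRET, AUTH, CHALLENGE = b"example-shared-secret", bytes(range(16)), bytes(range(16, 32))
    pap = pap_request(b"alice", b"correct horse", SECRET, AUTH)
    chap = chap_request(b"alice", b"correct horse", 0x2A, CHALLENGE, AUTH)
    print("PAP, observer with the secret recovers:", observer_recovers_pap(pap, SECRET))
    print("CHAP, server verifies:", server_verifies_chap(chap, b"correct horse"))
    print("CHAP, offline guess from a wordlist:", chap_offline_guess(chap, [b"password", b"correct horse"]))
```

Two practical consequences follow from the code: the PAP request is exactly as confidential as the shared secret and the transport around it (which is why the reporter's site-to-site tunnel matters), and CHAP removes the cleartext password from the wire but leaves an MD5 response that can be guessed offline, so strong passwords or an EAP method inside a tunnel are still needed. CHAP also requires the server to hold the cleartext password (or a reversibly encrypted one), which is why NPS needs "Store password using reversible encryption" for CHAP against Active Directory.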