ValdikSS / openvpn-radiusplugin

Radiusplugin with various patches and fixes
GNU General Public License v2.0

Error: RADIUS-PLUGIN: FOREGROUND: common_name is not defined #14

Open WW-build opened 5 years ago

WW-build commented 5 years ago

Hi, I'm having issues while trying to establish VPN connection using Radius module for OpenVPN.

cat radius.cnf

NAS-Identifier=xxxx.domain.name
Service-Type=5
Framed-Protocol=1
NAS-Port-Type=5
NAS-IP-Address=xxx.xxx.xxx.xxx
OpenVPNConfig=/etc/openvpn/server.conf
overwriteccfiles=false
server
{
        acctport=1813
        authport=1812
        name=xxx.xxx.xxx.xxx
        retry=1
        wait=1
        sharedsecret=xxxx
}

cat server.conf

port xxxx
proto tcp-server
dev tun0
tun-mtu 1392
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh2048.pem
server xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
daemon
mode server
tls-server
client-to-client
ifconfig-pool-persist /etc/openvpn/ip.sv
client-config-dir /etc/openvpn/ccd
sndbuf 393216
rcvbuf 393216
keepalive 10 120
max-clients 1000
user openvpn
group openvpn
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log-append /var/log/openvpn/openvpn.log
crl-verify /etc/openvpn/crl.pem
verb 2
tun-mtu 1500
management xxx.xxx.xxx.xxx 5555
duplicate-cn
verify-client-cert none
username-as-common-name
plugin /etc/openvpn/radius/radiusplugin.so /etc/openvpn/radius/radius.cnf


Can you please clarify what is exactly wrong with my configuration?

OS: Centos 7 x64

de-conf commented 4 years ago

Situation +1

salmon5 commented 4 years ago

OpenVPN 2.4.x: use client-cert-not-required, not verify-client-cert none. 2.4.x bug?

salmon5 commented 4 years ago

OpenVPN 2.4.x: use client-cert-not-required. Tested, it is good.

kpolucas commented 4 years ago

OpenVPN replaced "client-cert-not-required" with "verify-client-cert". Also, verify-client-cert has parameters, so you need to change it in Config.cpp to something like this:

// trim leading whitespace
string::size_type  pos = param.find_first_not_of(delims);
if (pos != string::npos) param.erase(0,pos );
pos=param.find_first_of(delims);
if (pos != string::npos) param.erase(pos);
if (param == "verify-client-cert")
{
        this->deletechars(&line);
        if (line == "verify-client-certoptional" || line == "verify-client-certnone")
        {
                this->clientcertnotrequired=true;
        }
}

And recompile
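The check described in the comment above, as a standalone added example that is not code from the plugin or from the commenter. It goes slightly beyond the posted snippet by tokenizing on whitespace instead of comparing concatenated strings; the function name and the sample config are hypothetical, and comment handling is simplified (quoted `#` or `;` are not considered).

```cpp
#include <iostream>
#include <sstream>
#include <string>

// Added example (hypothetical names, not the plugin's Config.cpp):
// decide from the text of an OpenVPN server config whether the server
// accepts clients without a certificate, which is the flag the plugin
// needs so it takes the identity from the username instead of a cert CN.
bool clientCertNotRequired(const std::string &configText)
{
    bool notRequired = false;
    std::istringstream lines(configText);
    std::string line;
    while (std::getline(lines, line))
    {
        // Drop comments: OpenVPN treats '#' and ';' as comment starts.
        std::string::size_type c = line.find_first_of("#;");
        if (c != std::string::npos) line.erase(c);

        // Split into directive and first argument on any whitespace
        // (spaces, tabs, trailing '\r' from CRLF files).
        std::istringstream words(line);
        std::string directive, arg;
        if (!(words >> directive)) continue;   // blank or comment-only line
        words >> arg;                          // stays empty if absent

        if (directive == "client-cert-not-required")
            notRequired = true;                // legacy spelling
        else if (directive == "verify-client-cert" &&
                 (arg == "none" || arg == "optional"))
            notRequired = true;                // "require" keeps certs mandatory
    }
    return notRequired;
}

int main()
{
    // Constructed sample input, modelled on the directives in this thread.
    const std::string sample =
        "port 1194\n"
        "# client-cert-not-required\n"
        "verify-client-cert\tnone\n"
        "username-as-common-name\n";
    std::cout << (clientCertNotRequired(sample) ? "cert not required"
                                                : "cert required") << "\n";
    return 0;
}
```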

fablarosa commented 4 years ago

Thanks @kpolucas I had the same problem on a fresh Ubuntu 18.04_LTS install with openvpn and openvpn-radius-plugin from the official Ubuntu repos as follows:

ii  openvpn                               2.4.4-2ubuntu1.3                                amd64        virtual private network daemon
ii  openvpn-auth-radius                   2.1-6build1                                     amd64        OpenVPN RADIUS authentication module

In my openvpn.conf I have the option verify-client-cert none because client-cert-not-required is deprecated. After applying the patch you suggested, the issue was fixed.

alex-dot commented 4 years ago

Hit the same problem as @fablarosa today with Debian 10 with current packages:

ii  openvpn                         2.4.7-1                         amd64        virtual private network daemon
ii  openvpn-auth-radius             2.1-7                           amd64        OpenVPN RADIUS authentication module

An easy fix until the packages are updated is to have both openvpn directives verify-client-cert none and client-cert-not-required in the server.conf file.

Since client-cert-not-required is "just" deprecated, openvpn prints a warning message but still runs, this way the plugin is still able to catch the (old) directive.

nielspeen commented 3 years ago

In more recent versions of OpenVPN client-cert-not-required is no longer just deprecated. Using it will prevent OpenVPN from starting. The patch provided by @kpolucas works well for me.

maugli13 commented 2 years ago

@kpolucas thanks for the provided solution, however, the plugin didn't work with a Windows-based radius server (NPS)


The IP address was coming with incorrect length and the NPS server was reporting a malformed message error for Accounting-Request.

Did anybody try this plugin with Windows NPS?