Openconnect VPN with radius authentication doesn't work?

Hi there

Recently I tried to replace the existing L2TP/IPsec VPN with OpenConnect VPN.
RADIUS is working fine with L2TP but not with OpenConnect.

OpenConnect in local authentication mode is working, but switching to RADIUS with the working parameters from L2TP is not.

The RADIUS request doesn't even reach the server.

OpenConnect VPN GUI client log as below:

2024-07-30 12:47:00 |  9d8 | Server 'server' requested Basic authentication which is disabled by default
2024-07-30 12:47:00 |  9d8 | Authentication error; cannot obtain cookie

VyOS 1.5-rolling-202407060019
OpenConnect client from the OpenConnect VPN graphical client (openconnect-vpn.net)

VyOS configuration is:

set vpn openconnect authentication local-users username xxxxxx password xxxxxx
set vpn openconnect authentication mode radius
set vpn openconnect authentication radius server xxxxx.tld key xxxxxx
set vpn openconnect authentication radius source-address 'xxx.xxx.0.12'
set vpn openconnect http-security-headers
set vpn openconnect network-settings client-ip-settings subnet 'xxx.xxx.0.0/24'
set vpn openconnect network-settings name-server 'xxx.xxx.184.3'
set vpn openconnect network-settings name-server 'xxx.xxx.74.3'
set vpn openconnect ssl ca-certificate 'ca-silversrv'
set vpn openconnect ssl certificate 'srv-silversrv'

Any idea or direction?
Thanks

There will be more questions about OpenConnect VPN: certbot certificate import, local network access and so on.

What does the log of your RADIUS server tell you?

Nothing, because the authentication call to the server wasn't even generated.
Tested with tcpdump, no requests.

Hi there

In order to arrange access to the RADIUS server in the local network I need to push a no-route rule.
There is no corresponding command in the configuration, is there?

Any idea?

Finally I've done it.
Just added the no-route option manually to ocserv.conf to reroute internal traffic to the RADIUS server.

So, there are two questions to the community/maintainers:

  1. Do you have any plan to extend the openconnect command set with a no-route option?
  2. What is the more or less workable solution to push the required option during reconfiguration? Is sed in a postconfigure script ok?

thanks

If it is possible to add this request, can you share with us the full configuration added to ocserv.conf? Or
add a feature request with this information to extend the function:

https://vyos.dev/

There was nothing special in ocserv.conf.

My RADIUS server resides in the 10.1.0.0/24 network.
The OpenConnect client is configured for the 10.1.0.0/24 network.
What I simply need is split tunneling for 10.1.0.0.
This is possible by adding an option to ocserv.conf:

no-route=10.1.0.0/24

I've added a few lines to the postconfiguration script in VyOS:

/config/scripts/vyos-postconfig-bootup.script
# Insert workaround for openconnect VPN ocserv configuration
# to allow RADIUS server authentication

echo '#' | sudo tee -a /run/ocserv/ocserv.conf
echo 'no-route=10.1.0.0/24' | sudo tee -a /run/ocserv/ocserv.conf
sudo systemctl restart ocserv

Thus authentication requests went freely to the server.
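An added example, not the poster's script and not part of VyOS or ocserv, that makes the same ocserv.conf workaround idempotent so it can be re-run from a post-config hook without stacking duplicate no-route lines; the config path and the CIDR are placeholders, and the test fragment is constructed.

```shell
#!/bin/sh
# Idempotently append "no-route=<cidr>" to an ocserv.conf. The poster's
# version blindly appends on every run; this one checks first, so it is safe
# to call from a hook that may fire more than once. Assumes POSIX sh + grep.

# ensure_no_route CONF CIDR
#   returns 0 when the line is present afterwards, 2 when CIDR looks malformed
ensure_no_route() {
    conf=$1
    cidr=$2
    # Accept only digits, dots and one slash with a prefix length (a.b.c.d/n);
    # anything else is rejected before the config file is touched.
    case "$cidr" in
        *[!0-9./]*|*/|/*) return 2 ;;
        */*) ;;
        *) return 2 ;;
    esac
    # -F: literal match (no regex dots), -x: whole line, -q: quiet
    if grep -qxF "no-route=$cidr" "$conf" 2>/dev/null; then
        return 0
    fi
    printf '# split tunnel so the RADIUS server is reached outside the VPN\n' >> "$conf"
    printf 'no-route=%s\n' "$cidr" >> "$conf"
    return 0
}

# count_no_route CONF CIDR -> number of exact "no-route=<cidr>" lines
count_no_route() {
    grep -cxF "no-route=$2" "$1" 2>/dev/null || true
}
```

After the line is in place, ocserv still has to re-read the file (the post restarts it with systemctl), which is deliberately left outside the function so the check stays usable on a plain test file.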
