[原创] openvpn2.0.9实现radius认证

http://www.chinaunix.net 作者:luna2000 发表于：2008-07-31 11:18:38

经过实践，实现了openvpn2.0.9版本使用radius认证的配置功能。以下简要说明，与大家分享。
我的环境是server端是linux9.0，Client端是winxp。
基本的配置就不复述了，使用证书认证的文章很多，其中网友elm就有不少好的配置手册。
网络上关于username/password认证的文章也不少，但不是需要用到mysql数据库就是要用到freeradius认证库，我就想简单快速的实现把用户名密码提交到第三方radius服务器认证就可以了。第三方radius服务器很多比如windows ActiveDirectory或WinRadius 2.01，我这里用WinRadius2.01作为radius服务器。
1.radiusplugin_v2.0.tar.gz: 可以编译得到radiusplugin.so
到http://www.nongnu.org/radiusplugin/下载
2.libgcrypt支持库: 可以编译得到/usr/lib/libgcrypt.so.11
到ftp://ftp.gnupg.org/gcrypt/libgcrypt/libgcrypt-1.2.4.tar.gz下载
3.libgpg-error支持库: 可以编译得到/usr/local/lib/libgpg-error.so.0
到ftp://ftp.gnupg.org/gcrypt/libgpg-error/libgpg-error-1.5.tar.gz下载
简单的编译以上3个支持库，configure;make;make install。
我们要用到radiusplugin.so，其他是radiusplugin.so的支持库。
好了如果能够得到radiusplugin.so，已经成功了80%，其他的就是配置了。
把radiusplugin.so拷贝到/etc/openvpn下，并配置其配置文件radiusplugin.conf
内容如下：
# The NAS identifier which is sent to the RADIUS server
NAS-Identifier=OpenVpn

# The service type which is sent to the RADIUS server
Service-Type=5

# The framed protocol which is sent to the RADIUS server
Framed-Protocol=1

# The NAS port type which is sent to the RADIUS server
NAS-Port-Type=5

# 这是运行openvpn服务器的ip，作为radius客户端
NAS-IP-Address=192.168.2.8

#这里指明openvpn的配置位置
OpenVPNConfig=/etc/openvpn/cert_conf/server.conf

# 这里定义 radius server 参数可以超过1个作为备份
server
{
# The UDP port for radius accounting.
acctport=1813
# The UDP port for radius authentication.
authport=1812
# 这是我radius 服务器的ip，也就是运行winradius，并添加了用户。
name=192.168.2.2
# How many times should the plugin send the if there is no response?
retry=1
# How long should the plugin wait for a response?
wait=1
# The shared secret.共享密钥，在winradius里配置，设置-系统-NAS密钥
sharedsecret=winradius
}

以下配置openvpn服务器，server.conf
这个配置跟证书配置只需新增以下3行不同。
plugin /etc/openvpn/radiusplugin.so /etc/openvpn/radius.conf
client-cert-not-required
username-as-common-name
客户端配置：在winxp下
去掉客户端证书，并添加提示用户密码的参数就可以了。
ca ca.crt
#cert client.crt
#key client.key
auth-user-pass

启动服务器
openvpn --config server.conf
如果出错查看日志文件如openvpn.log一般可以解决.
启动客户端，提示
Sat Aug 25 17:52:38 2007 OpenVPN 2.0.9 Win32-MinGW [SSL] [LZO] built on Oct  1 2
006
Enter Auth Username:test
Enter Auth Password:
...
Sat Aug 25 17:55:22 2007 Route addition via IPAPI succeeded
Sat Aug 25 17:55:22 2007 Initialization Sequence Completed
认证通过，vpn隧道建立成功
查看winradius：
用户(test)认证通过
用户（test）呼叫（）开始
查看linux server端日志
RADIUS-PLUGIN: Configfile name: /etc/openvpn/radiusplugin.conf .
Sun Apr  1 13:31:09 2007 PLUGIN_INIT: POST /etc/openvpn/radiusplugin.so '/etc/openvpn/radiusplugin.conf' intercepted=PLUGIN_AUTH_USER_PASS_VERIFY|PLUGIN_CLIENT_CONNECT|PLUGIN_CLIENT_DISCONNECT
...
Sun Apr  1 13:31:56 2007 192.168.2.2:3214 PLUGIN_CALL: POST /etc/openvpn/radiusplugin.so/PLUGIN_AUTH_USER_PASS_VERIFY status=0
Sun Apr  1 13:31:56 2007 192.168.2.2:3214 TLS: Username/Password authentication succeeded for username 'test' [CN SET]
至此，radius认证成功。

[END]

wenzk 回复于：2007-08-26 23:40:57

支持原创

mengbo 回复于：2007-08-27 08:15:35

支持原来这里面高手这么多啊！不过能出来个HTUN的教程就好了！

plwolf2002 回复于：2007-09-19 05:33:50

厉害厉害啊，真是高手如云啊，以后可要常来光顾一下！大力支持原创！:em02:

daul75 回复于：2007-09-26 17:55:21

强！能不能再把Winradius的配置方法也提供出来呢？

onsale 回复于：2007-10-23 16:21:54

winradius很简单，基本不需配置，其实也没几个地方能配。

onsale 回复于：2007-10-23 16:31:17

我好不容易把radiusplugin.so弄出来，openvpn也可以运行了。不过现在遇到这个错误，不停跳出输密码窗口，client的日志是：
Tue Oct 23 16:26:09 2007 OpenVPN 2.0.9 Win32-MinGW [SSL] [LZO] built on Oct  1 2006
Tue Oct 23 16:26:13 2007 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA.  OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Tue Oct 23 16:26:13 2007 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Tue Oct 23 16:26:13 2007 Control Channel Authentication: using 'keytest\ta.key' as a OpenVPN static key file
Tue Oct 23 16:26:13 2007 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Oct 23 16:26:13 2007 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Oct 23 16:26:13 2007 LZO compression initialized
Tue Oct 23 16:26:13 2007 Control Channel MTU parms [ L:1558 D:166 EF:66 EB:0 ET:0 EL:0 ]
Tue Oct 23 16:26:13 2007 Data Channel MTU parms [ L:1558 D:1450 EF:58 EB:135 ET:0 EL:0 AF:3/1 ]
Tue Oct 23 16:26:13 2007 Local Options hash (VER=V4): '272f1b58'
Tue Oct 23 16:26:13 2007 Expected Remote Options hash (VER=V4): 'a2e63101'
Tue Oct 23 16:26:13 2007 UDPv4 link local: [undef]
Tue Oct 23 16:26:13 2007 UDPv4 link remote: 192.168.0.40:1944
Tue Oct 23 16:26:13 2007 TLS: Initial packet from 192.168.0.40:1944, sid=d76a2c13 65b9615d
Tue Oct 23 16:26:13 2007 VERIFY OK: depth=1, /C=aa/ST=aa/L=aa/O=aa/OU=aa/CN=aa/emailAddress=test@aa.com
Tue Oct 23 16:26:13 2007 Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Tue Oct 23 16:26:13 2007 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Oct 23 16:26:13 2007 Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Tue Oct 23 16:26:13 2007 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Oct 23 16:26:13 2007 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Tue Oct 23 16:26:13 2007 [aa] Peer Connection Initiated with 192.168.0.40:1944
Tue Oct 23 16:26:15 2007 SENT CONTROL [aa]: 'PUSH_REQUEST' (status=1)
Tue Oct 23 16:26:15 2007 AUTH: Received AUTH_FAILED control message
Tue Oct 23 16:26:15 2007 TCP/UDP: Closing socket
Tue Oct 23 16:26:15 2007 SIGTERM[soft,auth-failure] received, process exiting
Tue Oct 23 16:26:15 2007 OpenVPN 2.0.9 Win32-MinGW [SSL] [LZO] built on Oct  1 2006
××××××××××××××××××××××××××××××××××××
server端openvpn日志是：
共认证两次
Wed Oct 24 14:11:08 2007 MULTI: multi_create_instance called
Wed Oct 24 14:11:08 2007 192.168.0.100:3526 Re-using SSL/TLS context
Wed Oct 24 14:11:08 2007 192.168.0.100:3526 LZO compression initialized
Wed Oct 24 14:11:08 2007 192.168.0.100:3526 Control Channel MTU parms [ L:1558 D:166 EF:66 EB:0 ET:0 EL:0 ]
Wed Oct 24 14:11:08 2007 192.168.0.100:3526 Data Channel MTU parms [ L:1558 D:1450 EF:58 EB:135 ET:0 EL:0 AF:3/1 ]
Wed Oct 24 14:11:08 2007 192.168.0.100:3526 Local Options hash (VER=V4): 'a2e63101'
Wed Oct 24 14:11:08 2007 192.168.0.100:3526 Expected Remote Options hash (VER=V4): '272f1b58'
Wed Oct 24 14:11:08 2007 192.168.0.100:3526 TLS: Initial packet from 192.168.0.100:3526, sid=1d471dea a3479a82
RADIUS-PLUGIN: No attributes Acct Interim Interval or bad length.
Error: Receiving data from internal socket failed!
Wed Oct 24 14:11:08 2007 192.168.0.100:3526 PLUGIN_CALL: POST /etc/openvpn/radiusplugin.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1
Wed Oct 24 14:11:08 2007 192.168.0.100:3526 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /etc/openvpn/radiusplugin.so
Wed Oct 24 14:11:08 2007 192.168.0.100:3526 TLS Auth Error: Auth Username/Password verification failed for peer
Wed Oct 24 14:11:08 2007 192.168.0.100:3526 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA
Wed Oct 24 14:11:08 2007 192.168.0.100:3526 [] Peer Connection Initiated with 192.168.0.100:3526
Wed Oct 24 14:11:09 2007 192.168.0.100:3526 PUSH: Received control message: 'PUSH_REQUEST'
Wed Oct 24 14:11:09 2007 192.168.0.100:3526 SENT CONTROL [UNDEF]: 'AUTH_FAILED' (status=1)
Wed Oct 24 14:11:09 2007 192.168.0.100:3526 Delayed exit in 5 seconds
Wed Oct 24 14:11:14 2007 192.168.0.100:3526 SIGTERM[soft,delayed-exit] received, client-instance exiting
Wed Oct 24 14:11:15 2007 MULTI: multi_create_instance called
Wed Oct 24 14:11:15 2007 192.168.0.100:3527 Re-using SSL/TLS context
Wed Oct 24 14:11:15 2007 192.168.0.100:3527 LZO compression initialized
Wed Oct 24 14:11:15 2007 192.168.0.100:3527 Control Channel MTU parms [ L:1558 D:166 EF:66 EB:0 ET:0 EL:0 ]
Wed Oct 24 14:11:15 2007 192.168.0.100:3527 Data Channel MTU parms [ L:1558 D:1450 EF:58 EB:135 ET:0 EL:0 AF:3/1 ]
Wed Oct 24 14:11:15 2007 192.168.0.100:3527 Local Options hash (VER=V4): 'a2e63101'
Wed Oct 24 14:11:15 2007 192.168.0.100:3527 Expected Remote Options hash (VER=V4): '272f1b58'
Wed Oct 24 14:11:15 2007 192.168.0.100:3527 TLS: Initial packet from 192.168.0.100:3527, sid=c7cba271 dbb979e3
Error: The User is already authenticated. He could not insert in user map. The client connect will fail. In case of rekeying this note is ok.
Wed Oct 24 14:11:15 2007 192.168.0.100:3527 PLUGIN_CALL: POST /etc/openvpn/radiusplugin.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1
Wed Oct 24 14:11:15 2007 192.168.0.100:3527 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /etc/openvpn/radiusplugin.so
Wed Oct 24 14:11:15 2007 192.168.0.100:3527 TLS Auth Error: Auth Username/Password verification failed for peer
Wed Oct 24 14:11:15 2007 192.168.0.100:3527 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA
Wed Oct 24 14:11:15 2007 192.168.0.100:3527 [] Peer Connection Initiated with 192.168.0.100:3527
Wed Oct 24 14:11:16 2007 192.168.0.100:3527 PUSH: Received control message: 'PUSH_REQUEST'
Wed Oct 24 14:11:16 2007 192.168.0.100:3527 SENT CONTROL [UNDEF]: 'AUTH_FAILED' (status=1)
Wed Oct 24 14:11:16 2007 192.168.0.100:3527 Delayed exit in 5 seconds
Wed Oct 24 14:11:21 2007 192.168.0.100:3527 SIGTERM[soft,delayed-exit] received, client-instance exiting

***************
观察winradius日志，第一次认证时，日志显示openvpn和winradius有交互，但openvpn客户端仍报错；
而第二次认证时windius没有任何反应，说明openvpn在第二次没有和winradius交互任何数据。

这是怎么回事啊？

[ 本帖最后由 onsale 于 2007-10-24 14:20 编辑 ]

jiangdaoyou 回复于：2007-10-27 11:02:59

用freeradius做更好。运行在linux平台，支持数据库。稳定安全。

onsale 回复于：2007-10-29 10:56:27

用第三方radius，是为了在radius服务器上方便使用其他插件，达到短信通知等目的。再说，偶不懂数据库，怕被mysql玩残喽。
  偶打开openvpn的debug，看到了下面的日志：
RADIUS-PLUGIN: FOREGROUND: OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY is called.
RADIUS-PLUGIN: FOREGROUND: New user: username: test, password: *****, newuser ip: 192.168.0.100, new
user port: 2784 .
RADIUS-PLUGIN: BACKGROUND  AUTH: New user auth: username: test, password: *****, calling station: 19
2.168.0.100, commonname: test.
RADIUS-PLUGIN: radius_server().
RADIUS-PLUGIN: Build password packet:  password: *****, sharedSecret: *****.
RADIUS-PLUGIN: Send packet to 192.168.0.100.
RADIUS-PLUGIN: Get ACCESS_ACCEPT-Packet.
RADIUS-PLUGIN: parse_response_packet().
RADIUS-PLUGIN: BACKGROUND AUTH: routes: .
RADIUS-PLUGIN: BACKGROUND AUTH: framed ip: .
RADIUS-PLUGIN: No attributes Acct Interim Interval or bad length.
RADIUS-PLUGIN: BACKGROUND AUTH: Acct Interim Interval: 0.
RADIUS-PLUGIN: BACKGROUND AUTH: Try to open ccd file.
RADIUS-PLUGIN: BACKGROUND AUTH: Opened ccd file.
RADIUS-PLUGIN: FOREGROUND: Authentication succeeded!
RADIUS-PLUGIN: FOREGROUND: Received routes for user: .
RADIUS-PLUGIN: BACKGROUND  AUTH: Auth succeeded in radius_server().
Error: Receiving data from internal socket failed!

radius服务器认证都通过了，最后似乎还是这个radiusplugin插件的问题啊，不知道这个socket怎么处理

hotelcn2007 回复于：2007-10-30 12:41:55

用freeradius做更好。运行在linux平台，支持数据库。稳定安全。

onsale 回复于：2007-11-06 08:46:04

openbsd+ openvpn+freeradius+freetds+odbc+mssql,装起来太累了！还没成功:em20:

haihai321 回复于：2007-11-06 16:10:03

这个就深了，只看懂一点，估计我连实践都困难，真是佩服

jiangdaoyou 回复于：2007-11-06 17:38:15

openvpn+radius+客户端程序，安装起来也不是很麻烦，需要的可联系我

zhangxianxiang 回复于：2008-04-26 18:12:53

我好不容易把radiusplugin.so弄出来，openvpn也可以运行了。不过现在遇到这个错误，不停跳出输密码窗口，client的日志是：
Tue Oct 23 16:26:09 2007 OpenVPN 2.0.9 Win32-MinGW [SSL] [LZO] built on Oct  1 2006
Tue Oct 23 16:26:13 2007 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA.  OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Tue Oct 23 16:26:13 2007 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Tue Oct 23 16:26:13 2007 Control Channel Authentication: using 'keytest\ta.key' as a OpenVPN static key file
Tue Oct 23 16:26:13 2007 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Oct 23 16:26:13 2007 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Oct 23 16:26:13 2007 LZO compression initialized
Tue Oct 23 16:26:13 2007 Control Channel MTU parms [ L:1558 D:166 EF:66 EB:0 ET:0 EL:0 ]
Tue Oct 23 16:26:13 2007 Data Channel MTU parms [ L:1558 D:1450 EF:58 EB:135 ET:0 EL:0 AF:3/1 ]
Tue Oct 23 16:26:13 2007 Local Options hash (VER=V4): '272f1b58'
Tue Oct 23 16:26:13 2007 Expected Remote Options hash (VER=V4): 'a2e63101'
Tue Oct 23 16:26:13 2007 UDPv4 link local: [undef]
Tue Oct 23 16:26:13 2007 UDPv4 link remote: 192.168.0.40:1944
Tue Oct 23 16:26:13 2007 TLS: Initial packet from 192.168.0.40:1944, sid=d76a2c13 65b9615d
Tue Oct 23 16:26:13 2007 VERIFY OK: depth=1, /C=aa/ST=aa/L=aa/O=aa/OU=aa/CN=aa/emailAddress=test@aa.com
Tue Oct 23 16:26:13 2007 Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Tue Oct 23 16:26:13 2007 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Oct 23 16:26:13 2007 Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Tue Oct 23 16:26:13 2007 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Oct 23 16:26:13 2007 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Tue Oct 23 16:26:13 2007 [aa] Peer Connection Initiated with 192.168.0.40:1944
Tue Oct 23 16:26:15 2007 SENT CONTROL [aa]: 'PUSH_REQUEST' (status=1)
Tue Oct 23 16:26:15 2007 AUTH: Received AUTH_FAILED control message
Tue Oct 23 16:26:15 2007 TCP/UDP: Closing socket
Tue Oct 23 16:26:15 2007 SIGTERM[soft,auth-failure] received, process exiting
Tue Oct 23 16:26:15 2007 OpenVPN 2.0.9 Win32-MinGW [SSL] [LZO] built on Oct  1 2006
××××××××××××××××××××××××××××××××××××
server端openvpn日志是：
共认证两次
Wed Oct 24 14:11:08 2007 MULTI: multi_create_instance called
Wed Oct 24 14:11:08 2007 192.168.0.100:3526 Re-using SSL/TLS context
Wed Oct 24 14:11:08 2007 192.168.0.100:3526 LZO compression initialized
Wed Oct 24 14:11:08 2007 192.168.0.100:3526 Control Channel MTU parms [ L:1558 D:166 EF:66 EB:0 ET:0 EL:0 ]
Wed Oct 24 14:11:08 2007 192.168.0.100:3526 Data Channel MTU parms [ L:1558 D:1450 EF:58 EB:135 ET:0 EL:0 AF:3/1 ]
Wed Oct 24 14:11:08 2007 192.168.0.100:3526 Local Options hash (VER=V4): 'a2e63101'
Wed Oct 24 14:11:08 2007 192.168.0.100:3526 Expected Remote Options hash (VER=V4): '272f1b58'
Wed Oct 24 14:11:08 2007 192.168.0.100:3526 TLS: Initial packet from 192.168.0.100:3526, sid=1d471dea a3479a82
RADIUS-PLUGIN: No attributes Acct Interim Interval or bad length.
Error: Receiving data from internal socket failed!
Wed Oct 24 14:11:08 2007 192.168.0.100:3526 PLUGIN_CALL: POST /etc/openvpn/radiusplugin.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1
Wed Oct 24 14:11:08 2007 192.168.0.100:3526 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /etc/openvpn/radiusplugin.so
Wed Oct 24 14:11:08 2007 192.168.0.100:3526 TLS Auth Error: Auth Username/Password verification failed for peer
Wed Oct 24 14:11:08 2007 192.168.0.100:3526 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA
Wed Oct 24 14:11:08 2007 192.168.0.100:3526 [] Peer Connection Initiated with 192.168.0.100:3526
Wed Oct 24 14:11:09 2007 192.168.0.100:3526 PUSH: Received control message: 'PUSH_REQUEST'
Wed Oct 24 14:11:09 2007 192.168.0.100:3526 SENT CONTROL [UNDEF]: 'AUTH_FAILED' (status=1)
Wed Oct 24 14:11:09 2007 192.168.0.100:3526 Delayed exit in 5 seconds
Wed Oct 24 14:11:14 2007 192.168.0.100:3526 SIGTERM[soft,delayed-exit] received, client-instance exiting
Wed Oct 24 14:11:15 2007 MULTI: multi_create_instance called
Wed Oct 24 14:11:15 2007 192.168.0.100:3527 Re-using SSL/TLS context
Wed Oct 24 14:11:15 2007 192.168.0.100:3527 LZO compression initialized
Wed Oct 24 14:11:15 2007 192.168.0.100:3527 Control Channel MTU parms [ L:1558 D:166 EF:66 EB:0 ET:0 EL:0 ]
Wed Oct 24 14:11:15 2007 192.168.0.100:3527 Data Channel MTU parms [ L:1558 D:1450 EF:58 EB:135 ET:0 EL:0 AF:3/1 ]
Wed Oct 24 14:11:15 2007 192.168.0.100:3527 Local Options hash (VER=V4): 'a2e63101'
Wed Oct 24 14:11:15 2007 192.168.0.100:3527 Expected Remote Options hash (VER=V4): '272f1b58'
Wed Oct 24 14:11:15 2007 192.168.0.100:3527 TLS: Initial packet from 192.168.0.100:3527, sid=c7cba271 dbb979e3
Error: The User is already authenticated. He could not insert in user map. The client connect will fail. In case of rekeying this note is ok.
Wed Oct 24 14:11:15 2007 192.168.0.100:3527 PLUGIN_CALL: POST /etc/openvpn/radiusplugin.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1
Wed Oct 24 14:11:15 2007 192.168.0.100:3527 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /etc/openvpn/radiusplugin.so
Wed Oct 24 14:11:15 2007 192.168.0.100:3527 TLS Auth Error: Auth Username/Password verification failed for peer
Wed Oct 24 14:11:15 2007 192.168.0.100:3527 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA
Wed Oct 24 14:11:15 2007 192.168.0.100:3527 [] Peer Connection Initiated with 192.168.0.100:3527
Wed Oct 24 14:11:16 2007 192.168.0.100:3527 PUSH: Received control message: 'PUSH_REQUEST'
Wed Oct 24 14:11:16 2007 192.168.0.100:3527 SENT CONTROL [UNDEF]: 'AUTH_FAILED' (status=1)
Wed Oct 24 14:11:16 2007 192.168.0.100:3527 Delayed exit in 5 seconds
Wed Oct 24 14:11:21 2007 192.168.0.100:3527 SIGTERM[soft,delayed-exit] received, client-instance exiting

***************
观察winradius日志，第一次认证时，日志显示openvpn和winradius有交互，但openvpn客户端仍报错；
而第二次认证时windius没有任何反应，说明openvpn在第二次没有和winradius交互任何数据。

这是怎么回事啊？

--------------------------------------------------------------------
这个问题解决方法：将mutil.c 中的plugin-client-connect,  plugin-client-disconnect 部分注释掉就可以解决了。
vi +:1409 multi.c

         delete_file (dc_file);
#if 0
          if (plugin_call (mi->context.plugins, OPENVPN_PLUGIN_CLIENT_CONNECT, dc_file, NULL, mi->context.c2.es))
            {
              msg (M_WARN, "WARNING: client-connect plugin call failed");
              cc_succeeded = false;
            }
          else
            {
              multi_client_connect_post (m, mi, dc_file, option_permissions_mask, &option_types_found);
              ++cc_succeeded_count;
            }
#endif

沉沦之宇回复于：2008-04-28 14:55:02

高手，厉害，支持一下

onsale 回复于：2008-07-31 11:18:38

很久没来，也很久没继续搞OPENVPN+RADIUS了。缅怀一下，有空我会继续

原文链接：http://bbs.chinaunix.net/viewthread.php?tid=981672
转载请注明作者名及原文出处