Hi Nikos, pam_unix works for authentication. I suppose it could be an issue with the PAM module of RADIUS... Here's the log when I am trying to connect from Android client. Basically what it does is keep asking password (as if the password input is wrong). Nov 14 21:05:40 hostname ocserv[12711]: [main] initialized ocserv 0.2.1 Nov 14 21:05:40 hostname ocserv[12712]: sec-mod initialized (socket: /var/run/ocserv-socket.12711) Nov 14 21:05:47 hostname ocserv[12713]: [client.ip.addr]:61542 accepted connection Nov 14 21:05:48 hostname ocserv[12713]: GnuTLS error (at worker-vpn.c:546): A TLS fatal alert has been received.: Unknown certificate Nov 14 21:05:48 hostname ocserv[12711]: [client.ip.addr]:61542 command socket closed Nov 14 21:05:51 hostname ocserv[12714]: [client.ip.addr]:61768 accepted connection Nov 14 21:05:52 hostname ocserv[12714]: [client.ip.addr]:61768 TLS handshake completed Nov 14 21:05:52 hostname ocserv[12714]: [client.ip.addr]:61768 HTTP: User-Agent: AnyConnect Android 3.0.09242 Nov 14 21:05:52 hostname ocserv[12714]: [client.ip.addr]:61768 HTTP: Host: server.ip.addr Nov 14 21:05:52 hostname ocserv[12714]: [client.ip.addr]:61768 HTTP: Accept: */* Nov 14 21:05:52 hostname ocserv[12714]: [client.ip.addr]:61768 HTTP: Accept-Encoding: identity Nov 14 21:05:52 hostname ocserv[12714]: [client.ip.addr]:61768 HTTP: X-Transcend-Version: 1 Nov 14 21:05:52 hostname ocserv[12714]: [client.ip.addr]:61768 HTTP: X-Transcend-Version: 1 Nov 14 21:05:52 hostname ocserv[12714]: [client.ip.addr]:61768 HTTP: X-AnyConnect-Identifier-ClientVersion: 3.0.09242 Nov 14 21:05:52 hostname ocserv[12714]: [client.ip.addr]:61768 HTTP: X-AnyConnect-Identifier-Platform: android Nov 14 21:05:52 hostname ocserv[12714]: [client.ip.addr]:61768 HTTP: X-AnyConnect-Identifier-PlatformVersion: 4.3.1 Nov 14 21:05:52 hostname ocserv[12714]: [client.ip.addr]:61768 HTTP: X-AnyConnect-Identifier-DeviceType: MOTO MB526 Nov 14 21:05:52 hostname ocserv[12714]: [client.ip.addr]:61768 HTTP: X-AnyConnect-Identifier-Device-UniqueID: 3204AC2774689BF3BF1E47338D943701D0A46DA2 Nov 14 21:05:52 hostname ocserv[12714]: [client.ip.addr]:61768 HTTP: X-Aggregate-Auth: 1 Nov 14 21:05:52 hostname ocserv[12714]: [client.ip.addr]:61768 HTTP: Connection: close Nov 14 21:05:52 hostname ocserv[12714]: [client.ip.addr]:61768 HTTP: Content-Length: 318 Nov 14 21:05:52 hostname ocserv[12714]: [client.ip.addr]:61768 HTTP: Content-Type: application/x-www-form-urlencoded Nov 14 21:05:52 hostname ocserv[12714]: [client.ip.addr]:61768 HTTP POST / Nov 14 21:05:52 hostname ocserv[12714]: [client.ip.addr]:61768 POST body: '<?xml version="1.0" encoding="UTF-8"?>#012<config-auth client="vpn" type="init">#012<device-id platform-version="4.3.1" device-type="MOTO MB526" unique-id="3204AC2774689BF3BF1E47338D943701D0A46DA2">android</device-id>#012<version who="vpn">3.0.09242</version>#012<group-access>https://server.ip.addr</group-access>#012</config-auth>#012' Nov 14 21:05:55 hostname ocserv[12714]: [client.ip.addr]:61768 HTTP: User-Agent: AnyConnect Android 3.0.09242 Nov 14 21:05:55 hostname ocserv[12714]: [client.ip.addr]:61768 HTTP: Host: server.ip.addr Nov 14 21:05:55 hostname ocserv[12714]: [client.ip.addr]:61768 HTTP: Accept: */* Nov 14 21:05:55 hostname ocserv[12714]: [client.ip.addr]:61768 HTTP: Accept-Encoding: identity Nov 14 21:05:55 hostname ocserv[12714]: [client.ip.addr]:61768 HTTP: X-Transcend-Version: 1 Nov 14 21:05:55 hostname ocserv[12714]: [client.ip.addr]:61768 HTTP: X-Transcend-Version: 1 Nov 14 21:05:55 hostname ocserv[12714]: [client.ip.addr]:61768 HTTP: X-AnyConnect-Identifier-ClientVersion: 3.0.09242 Nov 14 21:05:55 hostname ocserv[12714]: [client.ip.addr]:61768 HTTP: X-AnyConnect-Identifier-Platform: android Nov 14 21:05:55 hostname ocserv[12714]: [client.ip.addr]:61768 HTTP: X-AnyConnect-Identifier-PlatformVersion: 4.3.1 Nov 14 21:05:55 hostname ocserv[12714]: [client.ip.addr]:61768 HTTP: X-AnyConnect-Identifier-DeviceType: MOTO MB526 Nov 14 21:05:55 hostname ocserv[12714]: [client.ip.addr]:61768 HTTP: X-AnyConnect-Identifier-Device-UniqueID: 3204AC2774689BF3BF1E47338D943701D0A46DA2 Nov 14 21:05:55 hostname ocserv[12714]: [client.ip.addr]:61768 HTTP: X-Aggregate-Auth: 1 Nov 14 21:05:55 hostname ocserv[12714]: [client.ip.addr]:61768 HTTP: Content-Length: 13 Nov 14 21:05:55 hostname ocserv[12714]: [client.ip.addr]:61768 HTTP: Content-Type: application/x-www-form-urlencoded Nov 14 21:05:55 hostname ocserv[12714]: [client.ip.addr]:61768 HTTP POST /auth Nov 14 21:05:55 hostname ocserv[12711]: [client.ip.addr]:61768 auth init for user 'tony' from '[client.ip.addr]:61768' Nov 14 21:06:05 hostname ocserv[12714]: [client.ip.addr]:61768 HTTP: User-Agent: AnyConnect Android 3.0.09242 Nov 14 21:06:05 hostname ocserv[12714]: [client.ip.addr]:61768 HTTP: Host: server.ip.addr Nov 14 21:06:05 hostname ocserv[12714]: [client.ip.addr]:61768 HTTP: Accept: */* Nov 14 21:06:05 hostname ocserv[12714]: [client.ip.addr]:61768 HTTP: Accept-Encoding: identity Nov 14 21:06:05 hostname ocserv[12714]: [client.ip.addr]:61768 HTTP: X-Transcend-Version: 1 Nov 14 21:06:05 hostname ocserv[12714]: [client.ip.addr]:61768 HTTP: X-Transcend-Version: 1 Nov 14 21:06:05 hostname ocserv[12714]: [client.ip.addr]:61768 HTTP: X-AnyConnect-Identifier-ClientVersion: 3.0.09242 Nov 14 21:06:05 hostname ocserv[12714]: [client.ip.addr]:61768 HTTP: X-AnyConnect-Identifier-Platform: android Nov 14 21:06:05 hostname ocserv[12714]: [client.ip.addr]:61768 HTTP: X-AnyConnect-Identifier-PlatformVersion: 4.3.1 Nov 14 21:06:05 hostname ocserv[12714]: [client.ip.addr]:61768 HTTP: X-AnyConnect-Identifier-DeviceType: MOTO MB526 Nov 14 21:06:05 hostname ocserv[12714]: [client.ip.addr]:61768 HTTP: X-AnyConnect-Identifier-Device-UniqueID: 3204AC2774689BF3BF1E47338D943701D0A46DA2 Nov 14 21:06:05 hostname ocserv[12714]: [client.ip.addr]:61768 HTTP: X-Aggregate-Auth: 1 Nov 14 21:06:05 hostname ocserv[12714]: [client.ip.addr]:61768 HTTP: Content-Length: 22 Nov 14 21:06:05 hostname ocserv[12714]: [client.ip.addr]:61768 HTTP: Content-Type: application/x-www-form-urlencoded Nov 14 21:06:05 hostname ocserv[12714]: [client.ip.addr]:61768 HTTP POST /auth Nov 14 21:06:16 hostname ocserv[12714]: [client.ip.addr]:61768 HTTP: User-Agent: AnyConnect Android 3.0.09242 Nov 14 21:06:16 hostname ocserv[12714]: [client.ip.addr]:61768 HTTP: Host: server.ip.addr Nov 14 21:06:16 hostname ocserv[12714]: [client.ip.addr]:61768 HTTP: Accept: */* Nov 14 21:06:16 hostname ocserv[12714]: [client.ip.addr]:61768 HTTP: Accept-Encoding: identity Nov 14 21:06:16 hostname ocserv[12714]: [client.ip.addr]:61768 HTTP: X-Transcend-Version: 1 Nov 14 21:06:16 hostname ocserv[12714]: [client.ip.addr]:61768 HTTP: X-Transcend-Version: 1 Nov 14 21:06:16 hostname ocserv[12714]: [client.ip.addr]:61768 HTTP: X-AnyConnect-Identifier-ClientVersion: 3.0.09242 Nov 14 21:06:16 hostname ocserv[12714]: [client.ip.addr]:61768 HTTP: X-AnyConnect-Identifier-Platform: android Nov 14 21:06:16 hostname ocserv[12714]: [client.ip.addr]:61768 HTTP: X-AnyConnect-Identifier-PlatformVersion: 4.3.1 Nov 14 21:06:16 hostname ocserv[12714]: [client.ip.addr]:61768 HTTP: X-AnyConnect-Identifier-DeviceType: MOTO MB526 Nov 14 21:06:16 hostname ocserv[12714]: [client.ip.addr]:61768 HTTP: X-AnyConnect-Identifier-Device-UniqueID: 3204AC2774689BF3BF1E47338D943701D0A46DA2 Nov 14 21:06:16 hostname ocserv[12714]: [client.ip.addr]:61768 HTTP: X-Aggregate-Auth: 1 Nov 14 21:06:16 hostname ocserv[12714]: [client.ip.addr]:61768 HTTP: Content-Length: 22 Nov 14 21:06:16 hostname ocserv[12714]: [client.ip.addr]:61768 HTTP: Content-Type: application/x-www-form-urlencoded Nov 14 21:06:16 hostname ocserv[12714]: [client.ip.addr]:61768 HTTP POST /auth Nov 14 21:06:31 hostname ocserv[12711]: [client.ip.addr]:61768 command socket closed Nov 14 21:06:31 hostname ocserv[12711]: [client.ip.addr]:61768 auth deinit for user 'tony' And here's the ocserv.conf just in case: # User authentication method. Could be set multiple times and in # that case all should succeed. To enable multiple methods use # multiple auth directives. Available options: certificate, plain, pam. auth = "pam" # The plain option requires specifying a password file which contains # entries of the following format. # "username:groupname:encoded-password" # One entry must be listed per line, and ?ocpasswd? can be used # to generate password entries. #auth = "plain[/etc/ocserv/ocserv-passwd]" # A banner to be displayed on clients banner = "Welcome to OpenConnect Server" # Use listen-host to limit to specific IPs or to the IPs of a provided # hostname. listen-host = 0.0.0.0 # Limit the number of clients. Unset or set to zero for unlimited. max-clients = 16 # Limit the number of client connections to one every X milliseconds # (X is the provided value). Set to zero for no limit. #rate-limit-ms = 100 # Limit the number of identical clients (i.e., users connecting # multiple times). Unset or set to zero for unlimited. max-same-clients = 2 # TCP and UDP port number tcp-port = 443 udp-port = 443 # Keepalive in seconds keepalive = 32400 # Dead peer detection in seconds dpd = 240 # MTU discovery (DPD must be enabled) try-mtu-discovery = false # The key and the certificates of the server # The key may be a file, or any URL supported by GnuTLS (e.g., # tpmkey:uuid=xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx;storage=user # or pkcs11:object=my-vpn-key;object-type=private) # # There may be multiple certificate and key pairs and each key # should correspond to the preceding certificate. server-cert = /etc/ssl/certs/somecert.pem server-key = /etc/ssl/private/somekey.key # Diffie-Hellman parameters. Only needed if you require support # for the DHE ciphersuites (by default this server supports ECDHE). # Can be generated using: # certtool --generate-dh-params --outfile /path/to/dh.pem #dh-params = /path/to/dh.pem # If you have a certificate from a CA that provides an OCSP # service you may provide a fresh OCSP status response within # the TLS handshake. That will prevent the client from connecting # independently on the OCSP server. # You can update this response periodically using: # ocsptool --ask --load-cert=your_cert --load-issuer=your_ca --outfile response # Make sure that you replace the following file in an atomic way. #ocsp-response = /path/to/ocsp.der # In case PKCS #11 or TPM keys are used the PINs should be available # in files. The srk-pin-file is applicable to TPM keys only, and is the # storage root key. #pin-file = /path/to/pin.txt #srk-pin-file = /path/to/srkpin.txt # The Certificate Authority that will be used # to verify clients if certificate authentication # is set. #ca-cert = /path/to/ca.pem # The object identifier that will be used to read the user ID in the client # certificate. The object identifier should be part of the certificate?s DN # Useful OIDs are: # CN = 2.5.4.3, UID = 0.9.2342.19200300.100.1.1 #cert-user-oid = 0.9.2342.19200300.100.1.1 # The object identifier that will be used to read the user group in the # client certificate. The object identifier should be part of the certificate?s # DN. Useful OIDs are: # OU (organizational unit) = 2.5.4.11 #cert-group-oid = 2.5.4.11 # The revocation list of the certificates issued by the ?ca-cert? above. #crl = /path/to/crl.pem # GnuTLS priority string tls-priorities = "PERFORMANCE:%SERVER_PRECEDENCE:%COMPAT" # To enforce perfect forward secrecy (PFS) on the main channel. #tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA" # The time (in seconds) that a client is allowed to stay connected prior # to authentication auth-timeout = 40 # The time (in seconds) that a client is not allowed to reconnect after # a failed authentication attempt. #min-reauth-time = 2 # Cookie validity time (in seconds) # Once a client is authenticated he?s provided a cookie with # which he can reconnect. This option sets the maximum lifetime # of that cookie. cookie-validity = 172800 # Script to call when a client connects and obtains an IP # Parameters are passed on the environment. # REASON, USERNAME, GROUPNAME, HOSTNAME (the hostname selected by client), # DEVICE, IP_REAL (the real IP of the client), IP_LOCAL (the local IP # in the P-t-P connection), IP_REMOTE (the VPN IP of the client). REASON # may be "connect" or "disconnect". #connect-script = /usr/bin/myscript #disconnect-script = /usr/bin/myscript # UTMP use-utmp = true # PID file pid-file = /var/run/ocserv.pid # The default server directory. Does not require any devices present. #chroot-dir = /path/to/chroot # socket file used for IPC, will be appended with .PID # It must be accessible within the chroot environment (if any) socket-file = /var/run/ocserv-socket # The user the worker processes will be run as. It should be # unique (no other services run as this user). run-as-user = nobody run-as-group = nogroup # # Network settings # # The name of the tun device device = vpns # The default domain to be advertised default-domain = example.com # The pool of addresses that leases will be given from. ipv4-network = 192.168.1.0 ipv4-netmask = 255.255.255.0 # The DNS advertized server # Use the keywork local to advertize the local P-t-P address as DNS server # ipv4-dns = local ipv4-dns = 8.8.8.8 # The NBNS server (if any) #ipv4-nbns = 192.168.1.3 # The same, but for IPv6. #ipv6-network = #ipv6-dns = #ipv6-nbns = # The IPv6 subnet prefix #ipv6-prefix = # Prior to leasing any IP from the pool ping it to verify that # it is not in use by another (unrelated to this server) host. ping-leases = false # Unset to assign the default MTU of the device # mtu = # Unset to enable bandwidth restrictions (in bytes/sec). The # setting here is global, but can also be set per user or per group. #rx-data-per-sec = 40000 #tx-data-per-sec = 40000 # The number of packets (of MTU size) that are available in # the output buffer. The default is low to improve latency. # Setting it higher will improve throughput. output-buffer = 10 # Routes to be forwarded to the client. If you need the # client to forward routes to the server, you may use the connect # and disconnect scripts. route = 192.168.1.0/255.255.255.0 # Configuration files that will be applied per user connection or # per group. Each file name on these directories must match the username # or the groupname. # The options allowed in the configuration files are ipv?-dns, ipv?-nbns, # ipv?-network, ipv?-netmask, ipv6-prefix, rx/tx-per-sec, iroute and route. # # Note that the ?iroute? option allows to add routes on the server # based on a user or group. The syntax depends on the input accepted # by the commands route-add-cmd and route-del-cmd (see below). #config-per-user = /etc/ocserv/config-per-user/ #config-per-group = /etc/ocserv/config-per-group/ # The system command to use to setup a route. %R will be replaced with the # route/mask and %D with the (tun) device. # # The following example is from linux systems. %R should be something # like 192.168.2.0/24 #route-add-cmd = "ip route add %R dev %D" #route-del-cmd = "ip route delete %R dev %D" # # The following options are for (experimental) AnyConnect client # compatibility. # Client profile xml. A sample file exists in doc/profile.xml. # This file must be accessible from inside the worker?s chroot. # It is not used by the openconnect client. user-profile = /etc/ocserv/profile.xml # Binary files that may be downloaded by the CISCO client. Must # be within any chroot environment. #binary-files = /path/to/binaries # Unless set to false it is required for clients to present their # certificate even if they are authenticating via a previously granted # cookie. Legacy CISCO clients do not do that, and thus this option # should be set for them. always-require-cert = false Actually I tried with several clients, and even if the authentication works, none of them can successfully create a VPN connection...but that's another topic. Thanks, TZ On 11/14/2013 4:54 AM, Nikos Mavrogiannopoulos wrote: > On Thu, Nov 14, 2013 at 2:41 AM, Tony Zhou <tonytzhou at gmail.com> wrote: >> Hi, >> I am trying to set ocserv up for RADIUS, and I am happy to find out that >> ocserv supports PAM, so I wrote a /etc/pam.d/ocserv like this: >> auth required /lib/security/pam_radius_auth.so >> ...But unfortunately it seems ocserv does not like this. What file does it >> read? > > ocserv is the pam name. However, I'd suggest to do the following: > 1. try a simple PAM module (e.g. unix passwords). Does it work? If not > send the debugging output of ocserv. > > 2. If (1) works try with pam_radius_auth. Do it now work? If not send > the debugging output of ocserv. > > regards, > Nikos >
