Error: RADIUS-PLUGIN: FOREGROUND: common_name is not defined #14

Open
WW-build opened this issue May 16, 2019 · 8 comments

WW-build commented May 16, 2019

Hi,
I'm having issues while trying to establish a VPN connection using the RADIUS module for OpenVPN.
cat radius.cnf

```
NAS-Identifier=xxxx.domain.name
Service-Type=5
Framed-Protocol=1
NAS-Port-Type=5
NAS-IP-Address=xxx.xxx.xxx.xxx
OpenVPNConfig=/etc/openvpn/server.conf
overwriteccfiles=false
server
{
acctport=1813
authport=1812
name=xxx.xxx.xxx.xxx
retry=1
wait=1
sharedsecret=xxxx
}
```

cat server.conf

```
port xxxx
proto tcp-server
dev tun0
tun-mtu 1392
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh2048.pem
server xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
daemon
mode server
tls-server
client-to-client
ifconfig-pool-persist /etc/openvpn/ip.sv
client-config-dir /etc/openvpn/ccd
sndbuf 393216
rcvbuf 393216
keepalive 10 120
max-clients 1000
user openvpn
group openvpn
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log-append /var/log/openvpn/openvpn.log
crl-verify /etc/openvpn/crl.pem
verb 2
tun-mtu 1500
management xxx.xxx.xxx.xxx 5555
duplicate-cn
verify-client-cert none
username-as-common-name
plugin /etc/openvpn/radius/radiusplugin.so /etc/openvpn/radius/radius.cnf
```


Can you please clarify what exactly is wrong with my configuration?

OS: CentOS 7 x64


de-conf commented Oct 24, 2019

Situation +1


salmon5 commented Dec 4, 2019

With OpenVPN 2.4.x, use client-cert-not-required, not verify-client-cert none.
2.4.x bug?


salmon5 commented Dec 4, 2019

With OpenVPN 2.4.x, use client-cert-not-required; tested and it works.


kpolucas commented Mar 9, 2020

OpenVPN replaced "client-cert-not-required" with "verify-client-cert".
Also, verify-client-cert takes parameters,
so you need to change it in Config.cpp
to something like this:

```cpp
// trim leading whitespace
string::size_type pos = param.find_first_not_of(delims);
if (pos != string::npos) param.erase(0, pos);
// cut param at the first delimiter so only the directive name remains
pos = param.find_first_of(delims);
if (pos != string::npos) param.erase(pos);
if (param == "verify-client-cert")
{
        // after deletechars() the directive and its argument are compared as one joined string
        this->deletechars(&line);
        if (line == "verify-client-certoptional" || line == "verify-client-certnone")
        {
                this->clientcertnotrequired = true;
        }
}
```

And recompile.
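The directive check discussed in the comment above, as an added stand-alone example that is not part of the original thread or the plugin's source. It tokenizes each line instead of comparing a joined string, and also covers the legacy `client-cert-not-required` spelling and trailing comments; `CertPolicy`, `tokenize` and `parseCertPolicy` are hypothetical names, and the sample config is constructed.

```cpp
#include <iostream>
#include <sstream>
#include <string>
#include <vector>

// Result of scanning an OpenVPN server config for its client-certificate policy.
struct CertPolicy {
    bool clientCertNotRequired = false;  // true: no client cert, so no certificate CN to read
    bool usernameAsCommonName = false;   // true: the supplied username is used as the common name
};

// Split one config line into whitespace-separated tokens, dropping '#' / ';' comments.
static std::vector<std::string> tokenize(const std::string& line) {
    std::vector<std::string> out;
    std::istringstream in(line.substr(0, line.find_first_of("#;")));
    for (std::string tok; in >> tok;) out.push_back(tok);
    return out;
}

// Hypothetical helper: derive the policy from the text of server.conf.
CertPolicy parseCertPolicy(const std::string& config) {
    CertPolicy p;
    std::istringstream in(config);
    for (std::string line; std::getline(in, line);) {
        const std::vector<std::string> t = tokenize(line);
        if (t.empty()) continue;
        if (t[0] == "client-cert-not-required") {
            p.clientCertNotRequired = true;  // legacy spelling of the same setting
        } else if (t[0] == "verify-client-cert") {
            // Argument is none | optional | require; a missing argument is
            // treated here as "require", the stricter reading (assumption).
            const std::string mode = t.size() > 1 ? t[1] : "require";
            p.clientCertNotRequired = (mode == "none" || mode == "optional");
        } else if (t[0] == "username-as-common-name") {
            p.usernameAsCommonName = true;
        }
    }
    return p;
}

int main() {
    // Constructed sample using the directives quoted in this thread.
    const CertPolicy p = parseCertPolicy("verify-client-cert none\nusername-as-common-name\n");
    std::cout << "client cert not required: " << p.clientCertNotRequired
              << ", username as CN: " << p.usernameAsCommonName << "\n";
    return 0;
}
```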


fablarosa commented Mar 19, 2020

Thanks @kpolucas
I had the same problem on a fresh Ubuntu 18.04_LTS install with openvpn and openvpn-radius-plugin from the official Ubuntu repos as follows:

```
ii  openvpn                               2.4.4-2ubuntu1.3                                amd64        virtual private network daemon
ii  openvpn-auth-radius                   2.1-6build1                                     amd64        OpenVPN RADIUS authentication module
```

In my openvpn.conf I have the option verify-client-cert none because client-cert-not-required is deprecated.
After applying the patch you suggested, the issue was fixed.

@alex-dot

Hit the same problem as @fablarosa today with Debian 10 with current packages:

```
ii  openvpn                         2.4.7-1                         amd64        virtual private network daemon
ii  openvpn-auth-radius             2.1-7                           amd64        OpenVPN RADIUS authentication module
```

An easy fix until the packages are updated is to have both openvpn directives verify-client-cert none and client-cert-not-required in the server.conf file.

Since client-cert-not-required is "just" deprecated, openvpn prints a warning message but still runs; this way the plugin is still able to catch the (old) directive.

@nielspeen

In more recent versions of OpenVPN client-cert-not-required is no longer just deprecated. Using it will prevent OpenVPN from starting. The patch provided by @kpolucas works well for me.

@maugli13

@kpolucas thanks for the provided solution, however, the plugin didn't work with a Windows-based radius server (NPS)


The IP address was coming with incorrect length and the NPS server was reporting a malformed message error for Accounting-Request.

Did anybody try this plugin with Windows NPS?
