Re: [strongSwan] Cannot get eap-radius working on Strongswan 5

2015-02-23 Thread Martin Willi
Hi,

> My new setup uses MD5 passwords in Radius, while my old config used
> NT-hash. It seems now with radius-eap I have problems authenticating
> against the MD5 passwords. It is using eap-mschapv2 and it seems it is
> not a supported combination -

This can't work: a server verifying clients with EAP-MSCHAPv2 needs the
plain password or the NT hash of it. Any other password hash can't work
with that protocol.

> Can I use other method from strongswan to authenticate against radius
> server with md5 passwords?

This depends on your client. If you have Windows clients, there is
probably no way around EAP-MSCHAPv2 for password authentication. Our
EAP-GTC plugin exchanges plain passwords, so you basically could store
the password with any hash, but no such method is supported by Windows
clients (and I don't know about FreeRADIUS).

Regards
Martin

___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users


Re: [strongSwan] Cannot get eap-radius working on Strongswan 5

2015-02-21 Thread Milen Pankov
On 02/20/2015 04:02 PM, Martin Willi wrote:
> Hi Milen,
> 
>> 07[IKE] initiating EAP_IDENTITY method (id 0x00)
>> 07[IKE] peer supports MOBIKE
>> 07[IKE] authentication of '[...]' (myself) with RSA signature successful
>> 07[IKE] sending end entity cert "[...]"
>> 07[ENC] generating IKE_AUTH response 1 [IDr CERT AUTH EAP/REQ/ID ]
>> 07[NET] sending packet: from 5.6.7.8[4500] to 1.2.3.4[4500] (1380 bytes)
>> 08[JOB] deleting half open IKE_SA after timeout
> 
> The client requests EAP authentication, and your Gateway correctly sends
> an EAP-Identity request along with a signature and certificate to
> authenticate itself to the client. The client, however, never
> continues negotiation. Most likely it didn't accept the AUTH signature
> or the corresponding certificate.
> 
> You may check your client's log for any error; most likely the gateway
> certificate is not trusted on the client. I don't think this issue is
> directly related to RADIUS authentication, your AAA is not yet involved
> at this stage.
> 
> Regards
> Martin 
> 
Hi Martin,

You are right, the problem was in the certificate; it seems a wildcard
certificate doesn't work, while I thought it would. I didn't understand
from the logs that that was what was failing. Now I got this part working,
but I have another issue. It is related to the radius server also, and I
don't know if this is the right place to ask, but I would appreciate any help.
My new setup uses MD5 passwords in Radius, while my old config used
NT-hash. It seems now with radius-eap I have problems authenticating
against the MD5 passwords. It is using eap-mschapv2 and it seems it is
not a supported combination -
http://deployingradius.com/documents/protocols/compatibility.html. Can I
use other method from strongswan to authenticate against radius server
with md5 passwords?

Regards,
Milen


Re: [strongSwan] Cannot get eap-radius working on Strongswan 5

2015-02-20 Thread AlanEvans

I had a very similar experience recently.
For me it turned out that the certificate had expired.


Re: [strongSwan] Cannot get eap-radius working on Strongswan 5

2015-02-20 Thread Martin Willi
Hi Milen,

> 07[IKE] initiating EAP_IDENTITY method (id 0x00)
> 07[IKE] peer supports MOBIKE
> 07[IKE] authentication of '[...]' (myself) with RSA signature successful
> 07[IKE] sending end entity cert "[...]"
> 07[ENC] generating IKE_AUTH response 1 [IDr CERT AUTH EAP/REQ/ID ]
> 07[NET] sending packet: from 5.6.7.8[4500] to 1.2.3.4[4500] (1380 bytes)
> 08[JOB] deleting half open IKE_SA after timeout

The client requests EAP authentication, and your Gateway correctly sends
an EAP-Identity request along with a signature and certificate to
authenticate itself to the client. The client, however, never
continues negotiation. Most likely it didn't accept the AUTH signature
or the corresponding certificate.

You may check your client's log for any error; most likely the gateway
certificate is not trusted on the client. I don't think this issue is
directly related to RADIUS authentication, your AAA is not yet involved
at this stage.

Regards
Martin 



[strongSwan] Cannot get eap-radius working on Strongswan 5

2015-02-20 Thread Milen Pankov
Hi,

I have a working strongswan 4.4.1 setup with ikev2 and eap-radius which
I am trying to replicate on strongswan 5.2.0 without success.

My configuration is as follows:

ipsec.conf:

conn ipsec-ikev2
    type=tunnel
    keyexchange=ikev2
    left=left_ip_address
    leftsubnet=0.0.0.0/0
    leftauth=pubkey
    leftcert=left_cert.crt
    right=%any
    rightsourceip=10.1.0.0/23
    rightauth=eap-radius
    rightsendcert=never
    eap_identity=%any
    auto=add

strongswan.conf:

charon {
    load_modular = yes
    plugins {
        eap-radius {
            accounting = yes
            load = yes
            servers {
                server-a {
                    address = the_radius_ip_address
                    port = 1818
                    secret = the_shared_secret
                    nas_identifier = strongSwan
                }
            }
        }
        include strongswan.d/charon/*.conf
    }
}

include strongswan.d/*.conf

I have compiled strongswan with --enable-eap-radius and eap-radius
module gets loaded on strongswan startup. However authentication on
client fails and running the radius server in debug mode shows that
strongswan doesn't even contact the radius server. Trying to
authenticate to the radius server from the same machine with radtest
works fine. The same configuration works fine with strongswan 4.4.1. I
am probably missing something new in ver.5, but I cannot figure what. I
think I have implemented everything the Wiki suggests. Any help would be
appreciated. This is the strongswan log for reference:

Feb 20 06:42:45 server1 charon: 02[NET] received packet: from
1.2.3.4[1024] to 5.6.7.8[500] (528 bytes)
Feb 20 06:42:45 server1 charon: 02[ENC] parsed IKE_SA_INIT request 0 [
SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Feb 20 06:42:45 server1 charon: 02[IKE] 1.2.3.4 is initiating an IKE_SA
Feb 20 06:42:45 server1 charon: 02[IKE] remote host is behind NAT
Feb 20 06:42:45 server1 charon: 02[ENC] generating IKE_SA_INIT response
0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
Feb 20 06:42:45 server1 charon: 02[NET] sending packet: from
5.6.7.8[500] to 1.2.3.4[1024] (308 bytes)
Feb 20 06:42:46 server1 charon: 07[NET] received packet: from
1.2.3.4[4500] to 5.6.7.8[4500] (1028 bytes)
Feb 20 06:42:46 server1 charon: 07[ENC] parsed IKE_AUTH request 1 [ IDi
CERTREQ N(MOBIKE_SUP) CPRQ(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ]
Feb 20 06:42:46 server1 charon: 07[IKE] received cert request for "C=US,
ST=ANY, L=My City, O=MyO, OU=My VPN, CN=My CA, E=support@server1"
Feb 20 06:42:46 server1 charon: 07[IKE] received 34 cert requests for an
unknown ca
Feb 20 06:42:46 server1 charon: 07[CFG] looking for peer configs
matching 5.6.7.8[%any]...1.2.3.4[192.168.122.54]
Feb 20 06:42:46 server1 charon: 07[CFG] selected peer config 'ipsec-ikev2'
Feb 20 06:42:46 server1 charon: 07[IKE] initiating EAP_IDENTITY method
(id 0x00)
Feb 20 06:42:46 server1 charon: 07[IKE] peer supports MOBIKE
Feb 20 06:42:46 server1 charon: 07[IKE] authentication of 'C=US, ST=ANY,
L=My City, O=MyO, OU=My VPN, CN=*.vpn.server1.com, E=support@server1'
(myself) with RSA signature successful
Feb 20 06:42:46 server1 charon: 07[IKE] sending end entity cert "C=US,
ST=ANY, L=My City, O=MyO, OU=My VPN, CN=*.vpn.server1.com,
E=support@server1"
Feb 20 06:42:46 server1 charon: 07[ENC] generating IKE_AUTH response 1 [
IDr CERT AUTH EAP/REQ/ID ]
Feb 20 06:42:46 server1 charon: 07[NET] sending packet: from
5.6.7.8[4500] to 1.2.3.4[4500] (1380 bytes)
Feb 20 06:43:15 server1 charon: 08[JOB] deleting half open IKE_SA after
timeout


Regards,
Milen