Hi,

Thank you, Martin

It seems strongSwan is now connecting to the RADIUS server, but it still can't authorize. I see interesting errors in the log, /var/log/charon.log:

Nov 14 12:11:17 11[CFG] selected peer config "radius2"
Nov 14 12:11:17 11[ENC] generating ID_PROT response 0 [ ID HASH ]
Nov 14 12:11:17 11[NET] sending packet: from SERVER[4500] to CLIENT[4500]
Nov 14 12:11:17 11[ENC] generating TRANSACTION request 586902352 [ HASH CP ]
Nov 14 12:11:17 11[NET] sending packet: from SERVER[4500] to CLIENT[4500]
Nov 14 12:11:17 12[NET] received packet: from CLIENT[4500] to SERVER[4500]
Nov 14 12:11:17 12[ENC] parsed TRANSACTION response 586902352 [ HASH CP ]
Nov 14 12:11:17 12[CFG] sending RADIUS Access-Request to server 'primary'
Nov 14 12:11:17 12[CFG] received RADIUS Access-Challenge from server 'primary'
Nov 14 12:11:17 12[IKE] XAuth-EAP backend requested EAP_MD5, but not supported
Nov 14 12:11:17 12[IKE] XAuth authentication of 'user' failed
Nov 14 12:11:17 12[ENC] generating TRANSACTION request 1740345844 [ HASH CP ]
Nov 14 12:11:17 12[NET] sending packet: from 91.250.80.33[4500] to 89.252.56.204[4500]
Nov 14 12:11:17 13[NET] received packet: from 89.252.56.204[4500] to 91.250.80.33[4500]
Nov 14 12:11:17 13[ENC] parsed TRANSACTION response 1740345844 [ HASH CP ]
Nov 14 12:11:17 13[IKE] destroying IKE_SA after failed XAuth authentication

It seems the problem is in "XAuth-EAP backend requested EAP_MD5, but not supported".

On the RADIUS server, which I run with "freeradius -X" for debugging purposes, I see:

http://dpaste.com/830855/

14.11.2012 12:47, Martin Willi wrote:
Hi Dimitry,

is strongSwan able to handle auth using freeradius as backend auth
server for Mac OS X clients?

Yes.

I compile strongSwan with --enable-eap-radius, radius is already
configured and works with xl2tp (L2TP server).

We have discussed this a few times already on this list:

The eap-radius backend, as its name indicates, forwards EAP within
RADIUS to authenticate (usually IKEv2) users. We currently have no plain
RADIUS interface to verify User-Name/User-Password RADIUS attributes.

IKEv1 clients, in contrast to IKEv2, can't speak EAP. They just send
plain username/password attributes in the XAuth exchange. But you can
use the xauth-eap backend: it allows your gateway to do an EAP exchange
(as client) with the RADIUS server using the received XAuth credentials.

Have a look at [1] for the xauth-eap details.

Regards
Martin

[1] http://wiki.strongswan.org/projects/strongswan/wiki/XAuthEAP


Best Regards,
Dmitry

---
Dmitry KORZHEVIN
System Administrator
STIDIA S.A. - Luxembourg

m: +38 093 874 5453
w: http://www.stidia.com
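
For triaging logs like the one quoted in this message, the following added example (not part of the original thread and not strongSwan code) correlates each XAuth failure in charon.log with the cause logged on the same worker thread, separating a gateway that cannot perform the requested EAP method from a rejection by the RADIUS server. The sample lines are constructed in the quoted log's format; the Access-Reject line, the user 'alice' and the per-thread correlation are assumptions.

```python
import re

# Constructed sample in the charon.log format quoted in the message above.
SAMPLE_LOG = """\
Nov 14 12:11:17 12[CFG] sending RADIUS Access-Request to server 'primary'
Nov 14 12:11:17 12[CFG] received RADIUS Access-Challenge from server 'primary'
Nov 14 12:11:17 12[IKE] XAuth-EAP backend requested EAP_MD5, but not supported
Nov 14 12:11:17 12[IKE] XAuth authentication of 'user' failed
Nov 14 12:11:17 13[IKE] destroying IKE_SA after failed XAuth authentication
Nov 14 12:12:02 09[CFG] sending RADIUS Access-Request to server 'primary'
Nov 14 12:12:02 09[CFG] received RADIUS Access-Reject from server 'primary'
Nov 14 12:12:02 09[IKE] XAuth authentication of 'alice' failed
"""

# "<month> <day> <time> <thread>[<group>] <message>"
LINE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) (\d+)\[(\w+)\] (.*)$")
UNSUPPORTED = re.compile(r"XAuth-EAP backend requested (\w+), but not supported")
RADIUS_REPLY = re.compile(r"received RADIUS (Access-\w+) from server '([^']*)'")
FAILED = re.compile(r"XAuth authentication of '([^']*)' failed")


def xauth_failures(log_text):
    """Return one record per failed XAuth login with the most likely cause."""
    last_radius = {}   # thread id -> last RADIUS reply code seen on that thread
    unsupported = {}   # thread id -> EAP method the gateway could not perform
    failures = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip lines that are not in charon's log format
        ts, thread, _group, msg = m.groups()
        if (r := RADIUS_REPLY.search(msg)):
            last_radius[thread] = r.group(1)
        elif (u := UNSUPPORTED.search(msg)):
            unsupported[thread] = u.group(1)
        elif (f := FAILED.search(msg)):
            method = unsupported.pop(thread, None)
            reply = last_radius.pop(thread, None)
            if method:
                cause = f"gateway lacks {method}"   # configuration gap, not a bad password
            elif reply == "Access-Reject":
                cause = "rejected by RADIUS"        # credentials or server policy
            else:
                cause = "unknown"
            failures.append({"time": ts, "user": f.group(1), "cause": cause})
    return failures


if __name__ == "__main__":
    for rec in xauth_failures(SAMPLE_LOG):
        print(rec["time"], rec["user"], rec["cause"])
```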
