Looks like your problem is in your RADIUS server configuration, not in strongSwan's.
If you are using FreeRADIUS, have you configured EAP authentication? radtest uses PAP authentication by default for the test. You may test EAP or MSCHAP using "-t mschap" or "-t eap-md5".
Also, some EAP backends (e.g. EAP-MSCHAPv2, EAP-MD5) require the password to be stored in plaintext or in special fields (NT and LM passwords for EAP-MSCHAPv2).

On 2015-01-06 09:54, Thomas Will wrote:
hello,
we are testing the implementation and integration of strongswan over radius to ldap
-----
/etc/ipsec.conf

config setup
    charondebug="ike 6, knl 3, cfg 0, lib 2"

conn %default
    #pingsource=192.168.240.98

conn rw-eap
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev2
    left=quark.xxxx.com
    leftsubnet=192.168.240.0/21
    [email protected]
    leftcert=xin-ca-quark.xxxx.com.crt
    leftauth=pubkey
    leftfirewall=yes
    rightid=%any
    rightsendcert=never
    rightauth=eap-radius
    eap_identity=%any
    right=%any
    auto=add
-----
/etc/strongswan.conf

charon {
    load_modular = yes
    plugins {
        include strongswan.d/charon/*.conf
        eap-radius {
            secret = W0mbel-88
            server = 192.168.240.69
        }
    }
}
include strongswan.d/*.conf
-----
from our gateway - we got a positive result

radtest badura.odinsraben 12suxer34 192.168.240.69 1812 W0mbel-88
Sending Access-Request of id 59 to 192.168.240.69 port 1812
    User-Name = "badura.odinsraben"
    User-Password = "12suxer34"
    NAS-IP-Address = 127.0.1.1
    NAS-Port = 1812
    Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Accept packet from host 192.168.240.69 port 1812, id=59, length=20
-----------
after we tried to establish a connection over strongswan - we get
----
WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?
[ldap] user badura.odinsraben authorized to use remote access
[ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user
Failed to authenticate the user.
----
I have 2 questions ...
1. What is wrong? Is there any parameter in strongswan.conf missing?
2. We use "rightid=%any" instead of "rightid=*@xxxx.com" ... where is the rightid option in the strongswan android app?
regards ...
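
Added example, not part of the original thread: why a PAP test such as radtest can succeed while an EAP challenge-response method fails against the same account. It assumes a directory entry that holds only an {SSHA} salted hash (the thread does not show the LDAP entry) and uses a constructed password; all function names are illustrative.

```python
import base64
import hashlib
import hmac
from typing import Optional


def ssha(password: str, salt: bytes) -> str:
    """OpenLDAP-style {SSHA}: base64(SHA1(password + salt) + salt)."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def pap_verify(stored_ssha: str, cleartext: str) -> bool:
    """PAP: the server receives the cleartext password, so it can re-hash
    it with the stored salt and compare with the stored digest."""
    raw = base64.b64decode(stored_ssha[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    candidate = hashlib.sha1(cleartext.encode() + salt).digest()
    return hmac.compare_digest(candidate, digest)


def eap_md5_response(identifier: int, password: str, challenge: bytes) -> bytes:
    """EAP-MD5 (CHAP, RFC 1994): MD5(identifier || password || challenge)."""
    return hashlib.md5(bytes([identifier]) + password.encode() + challenge).digest()


def eap_md5_verify(identifier: int, challenge: bytes, response: bytes,
                   stored_cleartext: Optional[str]) -> bool:
    """The server never sees the password, only the response, so it must
    recompute the response from a cleartext copy it has stored itself."""
    if stored_cleartext is None:
        return False  # a one-way hash cannot be used to recompute the response
    expected = eap_md5_response(identifier, stored_cleartext, challenge)
    return hmac.compare_digest(expected, response)


# Constructed sample data (assumption: the directory keeps only the hash).
PASSWORD = "example-pass"
SALT = bytes.fromhex("0102030405060708")
LDAP_ENTRY = {"userPassword": ssha(PASSWORD, SALT)}


def demo():
    pap_ok = pap_verify(LDAP_ENTRY["userPassword"], PASSWORD)
    challenge = bytes(range(16))
    response = eap_md5_response(7, PASSWORD, challenge)  # computed by the client
    eap_hash_only = eap_md5_verify(7, challenge, response, None)
    eap_with_cleartext = eap_md5_verify(7, challenge, response, PASSWORD)
    return pap_ok, eap_hash_only, eap_with_cleartext
```

demo() returns the PAP result, the EAP-MD5 result with only the hash stored, and the EAP-MD5 result with a cleartext copy stored.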