Hi Andreas,
Thank you for your reply. Below is the config file
charon {
    load_modular = yes
    plugins {
        include strongswan.d/charon/*.conf
        eap-radius {
            station_id_with_port = true
            servers {
                server-a {
                    address = 172.17.203.28
                    secret = zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz
                    nas_identifier = nasid_vpngate
                    sockets = 5
                }
            }
        }
    }
}
include strongswan.d/*.conf
Windows 7 is doing EAP-MS-CHAP-v2 (not PEAP - just plain EAP). The conn section
looks like this:
conn vpnfw-ikev2
    auto=add
    keyexchange=ikev2
    type=tunnel
    left=148.85.1.171
    leftauth=pubkey
    leftcert=vpnfirewall-ng.pem
    leftsubnet=172.17.0.0/16
    right=%any
    rightsourceip=172.17.6.0/24
    rightauth=eap-radius
    eap_identity=%identity
The resulting log looks like this:
Jan 19 10:20:44 vpngate1 charon: 13[ENC] generating IKE_AUTH response 1 [ IDr CERT CERT CERT AUTH EAP/REQ/ID ]
Jan 19 10:20:44 vpngate1 charon: 13[NET] sending packet: from 148.85.1.171[4500] to 75.145.249.254[4500] (4900 bytes)
Jan 19 10:20:44 vpngate1 charon: 02[NET] sending packet: from 148.85.1.171[4500] to 75.145.249.254[4500]
Jan 19 10:20:44 vpngate1 charon: 15[NET] received packet: from 75.145.249.254[4500] to 148.85.1.171[4500]
Jan 19 10:20:44 vpngate1 charon: 15[NET] waiting for data on sockets
Jan 19 10:20:44 vpngate1 charon: 04[NET] received packet: from 75.145.249.254[4500] to 148.85.1.171[4500] (76 bytes)
Jan 19 10:20:44 vpngate1 charon: 04[ENC] parsed IKE_AUTH request 2 [ EAP/RES/ID ]
Jan 19 10:20:44 vpngate1 charon: 04[IKE] received EAP identity 'swplotner'
Jan 19 10:20:44 vpngate1 charon: 04[CFG] sending RADIUS Access-Request to server 'server-a'
Jan 19 10:20:45 vpngate1 charon: 04[CFG] received RADIUS Access-Reject from server 'server-a'
Jan 19 10:20:45 vpngate1 charon: 04[IKE] RADIUS authentication of 'swplotner' failed
Jan 19 10:20:45 vpngate1 charon: 04[IKE] initiating EAP_RADIUS method failed
Jan 19 10:20:45 vpngate1 charon: 04[ENC] generating IKE_AUTH response 2 [ EAP/FAIL ]
Jan 19 10:20:45 vpngate1 charon: 04[NET] sending packet: from 148.85.1.171[4500] to 75.145.249.254[4500] (68 bytes)
Jan 19 10:20:45 vpngate1 charon: 02[NET] sending packet: from 148.85.1.171[4500] to 75.145.249.254[4500]
Jan 19 10:20:45 vpngate1 charon: 04[IKE] IKE_SA vpnfw-ikev2[1] state change: CONNECTING => DESTROYING
So the configured cert appears to work and it receives the identity 'swplotner', but the request to the RADIUS server does not contain the MSCHAP components.
No.     Time        Source          Destination     Protocol  Info
  1     0.000000    172.17.1.165    172.17.203.28   RADIUS    Access-Request(1) (id=206, l=159)

Frame 1 (201 bytes on wire, 201 bytes captured)
Ethernet II, Src: Vmware_a5:00:db (00:50:56:a5:00:db), Dst: Vmware_a5:00:74 (00:50:56:a5:00:74)
Internet Protocol, Src: 172.17.1.165 (172.17.1.165), Dst: 172.17.203.28 (172.17.203.28)
User Datagram Protocol, Src Port: 33610 (33610), Dst Port: radius (1812)
Radius Protocol
    Code: Access-Request (1)
    Packet identifier: 0xce (206)
    Length: 159
    Authenticator: E5C63C2BBF627BB5F525603BC0698AE1
    [The response to this request is in frame 2]
    Attribute Value Pairs
        AVP: l=11 t=User-Name(1): swplotner
        AVP: l=6  t=NAS-Port-Type(61): Virtual(5)
        AVP: l=6  t=Service-Type(6): Framed-User(2)
        AVP: l=6  t=NAS-Port(5): 1
        AVP: l=13 t=NAS-Port-Id(87): vpnfw-ikev2
        AVP: l=6  t=NAS-IP-Address(4): 148.85.1.171
        AVP: l=20 t=Called-Station-Id(30): 148.85.1.171[4500]
        AVP: l=22 t=Calling-Station-Id(31): 75.145.249.254[4500]
        AVP: l=16 t=EAP-Message(79) Last Segment[1]
        AVP: l=15 t=NAS-Identifier(32): nasid_vpngate
        AVP: l=18 t=Message-Authenticator(80): 6AFE310B6AB76524F1E2FDE5025BF5A2

No.     Time        Source          Destination     Protocol  Info
  2     0.530112    172.17.203.28   172.17.1.165    RADIUS    Access-Reject(3) (id=206, l=44)

Frame 2 (86 bytes on wire, 86 bytes captured)
Ethernet II, Src: Vmware_a5:00:74 (00:50:56:a5:00:74), Dst: Vmware_a5:00:db (00:50:56:a5:00:db)
Internet Protocol, Src: 172.17.203.28 (172.17.203.28), Dst: 172.17.1.165 (172.17.1.165)
User Datagram Protocol, Src Port: radius (1812), Dst Port: 33610 (33610)
Radius Protocol
    Code: Access-Reject (3)
    Packet identifier: 0xce (206)
    Length: 44
    Authenticator: 6AF4DD3698491B9A474B14A44B9DE8F8
    [This is a response to a request in frame 1]
    [Time from request: 0.530112000 seconds]
    Attribute Value Pairs
        AVP: l=6  t=EAP-Message(79) Last Segment[1]
        AVP: l=18 t=Message-Authenticator(80): 06969B5F3315A5B9A695A2A712F30810
Steffen
_______________________________________________________________________________________________
Steffen Plotner                               Amherst College          Tel (413) 542-2348
Systems/Network Administrator/Programmer      PO BOX 5000              Fax (413) 542-2626
Systems & Networking                          Amherst, MA 01002-5000
[email protected]
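The Access-Request dissected above carries exactly one EAP payload: the EAP Response/Identity (14 bytes inside the 16-byte EAP-Message AVP), which is what an EAP-over-RADIUS NAS forwards first; the MS-CHAPv2 challenge/response only appears in later round trips once the RADIUS server answers with an Access-Challenge (RFC 3579). The Python script below is an added example, not part of this thread and not strongSwan code. It rebuilds an Access-Request with the same attributes, order and lengths as frame 1, then parses it back, verifies the Message-Authenticator (RFC 2869 section 5.14, HMAC-MD5 keyed with the shared secret) and decodes the EAP payload, so a reader can check what the RADIUS server actually received. The shared secret `constructed-shared-secret`, the Request Authenticator bytes and the EAP identifier 1 are constructed assumptions; every attribute value is taken from the capture.

```python
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

# RADIUS attribute types seen in the captured Access-Request (RFC 2865 / 2869)
USER_NAME, NAS_IP_ADDRESS, NAS_PORT, SERVICE_TYPE = 1, 4, 5, 6
CALLED_STATION_ID, CALLING_STATION_ID, NAS_IDENTIFIER = 30, 31, 32
NAS_PORT_TYPE, EAP_MESSAGE, MESSAGE_AUTHENTICATOR, NAS_PORT_ID = 61, 79, 80, 87
# EAP codes and types (RFC 3748; type 26 is EAP-MSCHAPv2)
EAP_RESPONSE, EAP_TYPE_IDENTITY, EAP_TYPE_MSCHAPV2 = 2, 1, 26

# Constructed values: the real shared secret and Request Authenticator are not on the page
CONSTRUCTED_SECRET = b"constructed-shared-secret"
CONSTRUCTED_AUTHENTICATOR = bytes(range(16))


def avp(attr_type, value):
    """Encode one attribute as type | length (value + 2 header bytes) | value."""
    if len(value) > 253:
        raise ValueError("attribute value too long for a single AVP")
    return bytes([attr_type, len(value) + 2]) + value


def eap_response_identity(eap_id, identity):
    """EAP Response/Identity: code=2, id, length, type=1, identity string."""
    body = bytes([EAP_TYPE_IDENTITY]) + identity.encode()
    return struct.pack("!BBH", EAP_RESPONSE, eap_id, 4 + len(body)) + body


def build_access_request(secret, identifier, authenticator, eap_id=1):
    """Rebuild frame 1 of the capture: same attributes, same order, same lengths."""
    attrs = b"".join([
        avp(USER_NAME, b"swplotner"),
        avp(NAS_PORT_TYPE, struct.pack("!I", 5)),        # Virtual
        avp(SERVICE_TYPE, struct.pack("!I", 2)),         # Framed-User
        avp(NAS_PORT, struct.pack("!I", 1)),
        avp(NAS_PORT_ID, b"vpnfw-ikev2"),                # the conn name
        avp(NAS_IP_ADDRESS, IPv4Address("148.85.1.171").packed),
        avp(CALLED_STATION_ID, b"148.85.1.171[4500]"),   # station_id_with_port = true
        avp(CALLING_STATION_ID, b"75.145.249.254[4500]"),
        avp(EAP_MESSAGE, eap_response_identity(eap_id, "swplotner")),
        avp(NAS_IDENTIFIER, b"nasid_vpngate"),
        avp(MESSAGE_AUTHENTICATOR, bytes(16)),           # zeroed while the HMAC is computed
    ])
    packet = struct.pack("!BBH", 1, identifier, 20 + len(attrs)) + authenticator + attrs
    # RFC 2869 5.14: HMAC-MD5 keyed with the shared secret over the whole packet with the
    # Message-Authenticator value set to zero; that attribute is the last one here.
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac


def parse_radius(packet):
    """Split a RADIUS packet into header fields and a list of (type, value) AVPs."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the RADIUS header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("Length field does not match packet size")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("bad attribute length")
        attrs.append((attr_type, packet[pos + 2:pos + attr_len]))
        pos += attr_len
    return {"code": code, "id": identifier, "length": length,
            "authenticator": packet[4:20], "attrs": attrs}


def verify_message_authenticator(packet, secret):
    """True if Message-Authenticator == HMAC-MD5(secret, packet with that value zeroed).
    RFC 3579 requires the attribute on every packet carrying EAP-Message; a server
    must silently discard a request whose value does not verify."""
    pos = 20
    for attr_type, value in parse_radius(packet)["attrs"]:
        if attr_type == MESSAGE_AUTHENTICATOR:
            if len(value) != 16:
                return False
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, value)
        pos += len(value) + 2
    return False


def decode_eap(parsed):
    """Concatenate the EAP-Message AVPs (RFC 3579 3.1) and decode the EAP header."""
    data = b"".join(v for t, v in parsed["attrs"] if t == EAP_MESSAGE)
    if len(data) < 4:
        raise ValueError("no EAP-Message payload")
    code, eap_id, length = struct.unpack("!BBH", data[:4])
    if length != len(data):
        raise ValueError("EAP length does not match reassembled payload")
    eap = {"code": code, "id": eap_id, "length": length, "type": None}
    if length > 4:                       # EAP Success/Failure carry no type byte
        eap["type"] = data[4]
        if eap["type"] == EAP_TYPE_IDENTITY:
            eap["identity"] = data[5:length].decode()
    return eap


if __name__ == "__main__":
    pkt = build_access_request(CONSTRUCTED_SECRET, 206, CONSTRUCTED_AUTHENTICATOR)
    print(len(pkt), verify_message_authenticator(pkt, CONSTRUCTED_SECRET), decode_eap(parse_radius(pkt)))
```

Run as-is it prints the rebuilt length (159, as in the capture), the Message-Authenticator check and the decoded EAP payload, which is a Response (code 2) of type Identity (1) and nothing of type 26. Pointing the parser at bytes from a real capture needs the server's shared secret for the verification step; an Access-Reject that arrives with only EAP-Message and Message-Authenticator, as in frame 2, is the server's answer and carries no diagnostic attribute, so the reason has to be read from the RADIUS server's own log.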
> -----Original Message-----
> From: Andreas Steffen [mailto:[email protected]]
> Sent: Sunday, January 18, 2015 11:12 PM
> To: Steffen Plotner; '[email protected]'
> Subject: Re: [strongSwan] eap-radius integration
>
> Hi Steffen,
>
> without the actual ipsec.conf file and if possible a log file on the
> strongSwan VPN server it is difficult to diagnose your problem.
>
> Best regards
>
> Andreas Steffen
>
> On 19.01.2015 04:09, Steffen Plotner wrote:
> > Hi,
> > After several days of not finding another path, I am trying to see what
> > I have done wrong in terms of the eap-radius integration. It appears
> > Strongswan is producing an Access-Request packet with the following
> > attributes: User-name, NAS-Port-Type, Service-Type, NAS-Port,
> > NAS-Port-Id, NAS-IP-Address, Called-Station-ID, Calling-Station-Id,
> > EAP-Message (last segment), NAS-Identifier, Message-Authenticator.
> > One of the attributes for doing MS-CHAP-v2 is not in it. I thought that
> > those might be vendor specific attributes 26:311 (I have experimented
> > with the forwarding of attributes ike_to_radius = 26:311 but did not
> > change anything).
> > I have configured the eap-radius servers in strongswan to point first to
> > IAS 2003 and it fails, as it expects PEAP and cannot handle
> > EAP-MS-Chap-v2. I have then pointed it to a Windows 2008 NPS server and
> > it fails, with Access-Reject - looking at the packets I don't see the
> > MS-CHAP-v2 Challenge attribute coming through. [Short version: the
> > password is not coming through in the Access-Request when eap-radius is
> > involved]
> > The configuration is under IKEv2 type, I was able to bypass the radius
> > stuff by simply doing a rightauth=eap-mschapv2 using a local secrets
> > file. I wanted to switch to radius based authentication and
> > authorization. The client is windows 7 - I have tried both EAP-MS-CHAPv2
> > and PEAP-MS-CHAPv2 with the eap-radius configuration and it did not work.
> > We are using strongswan-5.2.2 on centos6. I have looked at the examples
> > and just cannot get the password to come through, only the attributes I
> > initially listed.
> > Thank you for your help.
> > Steffen
> >
> > _______________________________________________________________________________________________
> > Steffen Plotner                               Amherst College          Tel (413) 542-2348
> > Systems/Network Administrator/Programmer      PO BOX 5000              Fax (413) 542-2626
> > Systems & Networking                          Amherst, MA 01002-5000
> > [email protected]
> >
> >
> >
>
> --
> ======================================================================
> Andreas Steffen [email protected]
> strongSwan - the Open Source VPN Solution! www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users