Hi,

Well, I figured it out - on the NPS Windows 2008 server, the "Network Policy" "Network connection method" must be specified of type "Unspecified" to support the radius Access-Challenge expected response for strongswan to continue the conversation and eventually be authenticated.

I apologize for not realizing this. There are a lot of knobs/knöpfe one can change...

Steffen

_______________________________________________________________________________________________
Steffen Plotner                                Amherst College
Tel (413) 542-2348
Systems/Network Administrator/Programmer       PO BOX 5000
Fax (413) 542-2626
Systems & Networking                           Amherst, MA 01002-5000
[email protected]

> -----Original Message-----
> From: Steffen Plotner
> Sent: Monday, January 19, 2015 10:31 AM
> To: 'Andreas Steffen'; '[email protected]'
> Subject: RE: [strongSwan] eap-radius integration
>
> Hi Andreas,
>
> Thank you for your reply. Below is the config file
>
> charon {
>     load_modular = yes
>
>     plugins {
>         include strongswan.d/charon/*.conf
>
>         eap-radius {
>             station_id_with_port = true
>
>             servers {
>                 server-a {
>                     address = 172.17.203.28
>                     secret = zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz
>                     nas_identifier = nasid_vpngate
>                     sockets = 5
>                 }
>             }
>         }
>     }
> }
>
> include strongswan.d/*.conf
>
> Windows 7 is doing EAP-MS-CHAP-v2 (not PEAP - just plain EAP). The conn
> section looks like this:
>
> conn vpnfw-ikev2
>     auto=add
>     keyexchange=ikev2
>     type=tunnel
>
>     left=148.85.1.171
>     leftauth=pubkey
>     leftcert=vpnfirewall-ng.pem
>     leftsubnet=172.17.0.0/16
>
>     right=%any
>     rightsourceip=172.17.6.0/24
>     rightauth=eap-radius
>     eap_identity=%identity
>
> The resulting log looks like this:
>
> Jan 19 10:20:44 vpngate1 charon: 13[ENC] generating IKE_AUTH response 1 [ IDr CERT CERT CERT AUTH EAP/REQ/ID ]
> Jan 19 10:20:44 vpngate1 charon: 13[NET] sending packet: from 148.85.1.171[4500] to 75.145.249.254[4500] (4900 bytes)
> Jan 19 10:20:44 vpngate1 charon: 02[NET] sending packet: from 148.85.1.171[4500] to 75.145.249.254[4500]
> Jan 19 10:20:44 vpngate1 charon: 15[NET] received packet: from 75.145.249.254[4500] to 148.85.1.171[4500]
> Jan 19 10:20:44 vpngate1 charon: 15[NET] waiting for data on sockets
> Jan 19 10:20:44 vpngate1 charon: 04[NET] received packet: from 75.145.249.254[4500] to 148.85.1.171[4500] (76 bytes)
> Jan 19 10:20:44 vpngate1 charon: 04[ENC] parsed IKE_AUTH request 2 [ EAP/RES/ID ]
> Jan 19 10:20:44 vpngate1 charon: 04[IKE] received EAP identity 'swplotner'
> Jan 19 10:20:44 vpngate1 charon: 04[CFG] sending RADIUS Access-Request to server 'server-a'
> Jan 19 10:20:45 vpngate1 charon: 04[CFG] received RADIUS Access-Reject from server 'server-a'
> Jan 19 10:20:45 vpngate1 charon: 04[IKE] RADIUS authentication of 'swplotner' failed
> Jan 19 10:20:45 vpngate1 charon: 04[IKE] initiating EAP_RADIUS method failed
> Jan 19 10:20:45 vpngate1 charon: 04[ENC] generating IKE_AUTH response 2 [ EAP/FAIL ]
> Jan 19 10:20:45 vpngate1 charon: 04[NET] sending packet: from 148.85.1.171[4500] to 75.145.249.254[4500] (68 bytes)
> Jan 19 10:20:45 vpngate1 charon: 02[NET] sending packet: from 148.85.1.171[4500] to 75.145.249.254[4500]
> Jan 19 10:20:45 vpngate1 charon: 04[IKE] IKE_SA vpnfw-ikev2[1] state change: CONNECTING => DESTROYING
>
> So, the configured cert appears to work, it receives the identity of
> 'swplotner', the request to the radius server does not contain the
> MSCHAP components.
>
> No.     Time        Source          Destination     Protocol  Info
> 1       0.000000    172.17.1.165    172.17.203.28   RADIUS    Access-Request(1) (id=206, l=159)
>
> Frame 1 (201 bytes on wire, 201 bytes captured)
> Ethernet II, Src: Vmware_a5:00:db (00:50:56:a5:00:db), Dst: Vmware_a5:00:74 (00:50:56:a5:00:74)
> Internet Protocol, Src: 172.17.1.165 (172.17.1.165), Dst: 172.17.203.28 (172.17.203.28)
> User Datagram Protocol, Src Port: 33610 (33610), Dst Port: radius (1812)
> Radius Protocol
>     Code: Access-Request (1)
>     Packet identifier: 0xce (206)
>     Length: 159
>     Authenticator: E5C63C2BBF627BB5F525603BC0698AE1
>     [The response to this request is in frame 2]
>     Attribute Value Pairs
>         AVP: l=11 t=User-Name(1): swplotner
>         AVP: l=6  t=NAS-Port-Type(61): Virtual(5)
>         AVP: l=6  t=Service-Type(6): Framed-User(2)
>         AVP: l=6  t=NAS-Port(5): 1
>         AVP: l=13 t=NAS-Port-Id(87): vpnfw-ikev2
>         AVP: l=6  t=NAS-IP-Address(4): 148.85.1.171
>         AVP: l=20 t=Called-Station-Id(30): 148.85.1.171[4500]
>         AVP: l=22 t=Calling-Station-Id(31): 75.145.249.254[4500]
>         AVP: l=16 t=EAP-Message(79) Last Segment[1]
>         AVP: l=15 t=NAS-Identifier(32): nasid_vpngate
>         AVP: l=18 t=Message-Authenticator(80): 6AFE310B6AB76524F1E2FDE5025BF5A2
>
> No.     Time        Source          Destination     Protocol  Info
> 2       0.530112    172.17.203.28   172.17.1.165    RADIUS    Access-Reject(3) (id=206, l=44)
>
> Frame 2 (86 bytes on wire, 86 bytes captured)
> Ethernet II, Src: Vmware_a5:00:74 (00:50:56:a5:00:74), Dst: Vmware_a5:00:db (00:50:56:a5:00:db)
> Internet Protocol, Src: 172.17.203.28 (172.17.203.28), Dst: 172.17.1.165 (172.17.1.165)
> User Datagram Protocol, Src Port: radius (1812), Dst Port: 33610 (33610)
> Radius Protocol
>     Code: Access-Reject (3)
>     Packet identifier: 0xce (206)
>     Length: 44
>     Authenticator: 6AF4DD3698491B9A474B14A44B9DE8F8
>     [This is a response to a request in frame 1]
>     [Time from request: 0.530112000 seconds]
>     Attribute Value Pairs
>         AVP: l=6  t=EAP-Message(79) Last Segment[1]
>         AVP: l=18 t=Message-Authenticator(80): 06969B5F3315A5B9A695A2A712F30810
>
> Steffen
>
> _______________________________________________________________________________________________
> Steffen Plotner                                Amherst College
> Tel (413) 542-2348
> Systems/Network Administrator/Programmer       PO BOX 5000
> Fax (413) 542-2626
> Systems & Networking                           Amherst, MA 01002-5000
> [email protected]
>
> > -----Original Message-----
> > From: Andreas Steffen [mailto:[email protected]]
> > Sent: Sunday, January 18, 2015 11:12 PM
> > To: Steffen Plotner; '[email protected]'
> > Subject: Re: [strongSwan] eap-radius integration
> >
> > Hi Steffen,
> >
> > without the actual ipsec.conf file and if possible a log file on the
> > strongSwan VPN server it is difficult to diagnose your problem.
> >
> > Best regards
> >
> > Andreas Steffen
> >
> > On 19.01.2015 04:09, Steffen Plotner wrote:
> > > Hi,
> > >
> > > After several days of not finding another path, I am trying to see what
> > > I have done wrong in terms of the eap-radius integration. It appears
> > > Strongswan is producing an Access-Request packet with the following
> > > attributes: User-name, NAS-Port-Type, Service-Type, NAS-Port,
> > > NAS-Port-Id, NAS-IP-Address, Called-Station-ID, Calling-Station-Id,
> > > EAP-Message (last segment), NAS-Identifier, Message-Authenticator.
> > >
> > > One of the attributes for doing MS-CHAP-v2 is not in it. I thought that
> > > those might be vendor specific attributes 26:311 (I have experimented
> > > with the forwarding of attributes ike_to_radius = 26:311 but did not
> > > change anything).
> > >
> > > I have configured the eap-radius servers in strongswan to point first to
> > > IAS 2003 and it fails, as it expects PEAP and cannot handle
> > > EAP-MS-Chap-v2. I have then pointed it to a Windows 2008 NPS server and
> > > it fails, with Access-Reject - looking at the packets I don't see the
> > > MS-CHAP-v2 Challenge attribute coming through. [Short version: the
> > > password is not coming through in the Access-Request when eap-radius is
> > > involved]
> > >
> > > The configuration is under IKEv2 type, I was able to bypass the radius
> > > stuff by simply doing a rightauth=eap-mschapv2 using a local secrets
> > > file. I wanted to switch to radius based authentication and
> > > authorization. The client is windows 7 - I have tried both EAP-MS-CHAPv2
> > > and PEAP-MS-CHAPv2 with the eap-radius configuration and it did not work.
> > > We are using strongswan-5.2.2 on centos6. I have looked at the examples
> > > and just cannot get the password to come through, only the attributes I
> > > initially listed.
> > >
> > > Thank you for your help.
> > >
> > > Steffen
> > >
> > > _______________________________________________________________________________________________
> > > Steffen Plotner                                Amherst College
> > > Tel (413) 542-2348
> > > Systems/Network Administrator/Programmer       PO BOX 5000
> > > Fax (413) 542-2626
> > > Systems & Networking                           Amherst, MA 01002-5000
> > > [email protected]
> > >
> > > _______________________________________________
> > > Users mailing list
> > > [email protected]
> > > https://lists.strongswan.org/mailman/listinfo/users
> >
> > --
> > ======================================================================
> > Andreas Steffen                         [email protected]
> > strongSwan - the Open Source VPN Solution!          www.strongswan.org
> > Institute for Internet Technologies and Applications
> > University of Applied Sciences Rapperswil
> > CH-8640 Rapperswil (Switzerland)
> > ===========================================================[ITA-HSR]==
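The thread turns on two things a RADIUS client like strongSwan's eap-radius plugin relies on: the EAP identity travels inside an EAP-Message attribute (so no MS-CHAPv2 attributes appear in the first Access-Request, which is expected), and the server must answer with Access-Challenge, not Access-Reject, for the EAP conversation to continue. The following is an added example, not code from the thread or from strongSwan; it builds an Access-Request shaped like the one in the capture, constructs a reply the way a server would, and verifies both the Message-Authenticator (RFC 3579) and the Response Authenticator (RFC 2865) before deciding what the reply code means for the EAP exchange. The shared secret, identifier, Request Authenticator and EAP payloads are constructed test values.

```python
# Added example (not from the thread or strongSwan): RADIUS/EAP packet
# construction and the integrity checks a NAS must perform on a reply.
# Secret, identifier, authenticator and EAP payloads are constructed values.
import hashlib
import hmac
import struct

# RADIUS codes (RFC 2865). Only Access-Challenge lets an EAP exchange continue.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
# Attribute types present in the capture quoted in the thread
USER_NAME, NAS_IP_ADDRESS, NAS_IDENTIFIER = 1, 4, 32
NAS_PORT_TYPE, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 61, 79, 80
EAP_REQUEST, EAP_RESPONSE, EAP_TYPE_IDENTITY = 1, 2, 1


def encode_attrs(attrs):
    """Serialise (type, value) pairs as RADIUS TLVs: type, length, value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data):
    """Parse RADIUS TLVs, rejecting truncated or undersized attributes."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def build_packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def parse_packet(pkt):
    """Return (code, identifier, authenticator, attributes) after length checks."""
    if len(pkt) < 20:
        raise ValueError("shorter than a RADIUS header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("length field does not match packet size")
    return code, ident, pkt[4:20], decode_attrs(pkt[20:])


def eap_identity_response(eap_id, identity):
    """EAP Response/Identity: code 2, id, length, type 1, identity string."""
    header = struct.pack("!BBH", EAP_RESPONSE, eap_id, 5 + len(identity))
    return header + bytes([EAP_TYPE_IDENTITY]) + identity


def with_message_authenticator(code, ident, request_auth, attrs, secret):
    """Append Message-Authenticator (RFC 3579 3.2): HMAC-MD5 over the packet with
    the attribute zeroed and the Request Authenticator in the header (for a
    reply, that is the authenticator of the request being answered)."""
    attrs = [a for a in attrs if a[0] != MESSAGE_AUTHENTICATOR]
    attrs.append((MESSAGE_AUTHENTICATOR, bytes(16)))
    zeroed = build_packet(code, ident, request_auth, attrs)
    attrs[-1] = (MESSAGE_AUTHENTICATOR, hmac.new(secret, zeroed, hashlib.md5).digest())
    return attrs


def build_access_request(ident, secret, attrs, request_auth):
    """NAS side. request_auth must be 16 fresh random bytes in real use."""
    attrs = with_message_authenticator(ACCESS_REQUEST, ident, request_auth, attrs, secret)
    return build_packet(ACCESS_REQUEST, ident, request_auth, attrs)


def build_response(code, ident, secret, request_auth, attrs):
    """Server side. Response Authenticator (RFC 2865 section 3) =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    attrs = with_message_authenticator(code, ident, request_auth, attrs, secret)
    unsigned = build_packet(code, ident, request_auth, attrs)
    return unsigned[:4] + hashlib.md5(unsigned + secret).digest() + unsigned[20:]


def verify_message_authenticator(pkt, secret, request_auth=None):
    """True iff Message-Authenticator is present and correct. For a reply pass
    the authenticator of the request it answers; a request uses its own."""
    code, ident, auth, attrs = parse_packet(pkt)
    mac = next((v for t, v in attrs if t == MESSAGE_AUTHENTICATOR), None)
    if mac is None or len(mac) != 16:
        return False  # RFC 3579: mandatory whenever EAP-Message is carried
    zeroed = [(t, bytes(16) if t == MESSAGE_AUTHENTICATOR else v) for t, v in attrs]
    expected = hmac.new(secret, build_packet(code, ident, request_auth or auth, zeroed),
                        hashlib.md5).digest()
    return hmac.compare_digest(mac, expected)


def verify_response_authenticator(pkt, secret, request_auth):
    """True iff the reply's header authenticator binds it to our request."""
    expected = hashlib.md5(pkt[:4] + request_auth + pkt[20:] + secret).digest()
    return hmac.compare_digest(pkt[4:20], expected)


def eap_outcome(code):
    """What the NAS does with each reply code during an EAP exchange."""
    return {ACCESS_CHALLENGE: "continue: relay the EAP-Message to the client",
            ACCESS_ACCEPT: "success: EAP/SUCCESS to the client",
            ACCESS_REJECT: "failure: EAP/FAIL to the client"}.get(code, "discard")


# Constructed demo values; NAS address and identity mirror the thread's capture.
SECRET = b"constructed-shared-secret"
REQ_AUTH = bytes(range(16))  # constructed; never reuse a fixed value in practice
IDENTITY = b"swplotner"
REQUEST_ATTRS = [(USER_NAME, IDENTITY),
                 (NAS_PORT_TYPE, struct.pack("!I", 5)),          # Virtual(5)
                 (NAS_IP_ADDRESS, bytes([148, 85, 1, 171])),
                 (EAP_MESSAGE, eap_identity_response(1, IDENTITY)),
                 (NAS_IDENTIFIER, b"nasid_vpngate")]
# Constructed reply payload: EAP-Request, type 26 (EAP-MSCHAPv2), data omitted.
CHALLENGE_ATTRS = [(EAP_MESSAGE, struct.pack("!BBH", EAP_REQUEST, 2, 5) + bytes([26]))]
```

A reply that fails either check is silently dropped by a conforming NAS, so when a server answers Access-Reject as in the capture, the first thing to confirm is that the shared secret matches on both ends (otherwise the Message-Authenticator in the Access-Request fails validation on the server and it rejects before ever evaluating a policy); only after that does the server's policy, such as the NPS connection-method setting the thread ends on, come into play.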
