Hi Tobias, I found that paragraph just after writing my last email :)
The RADIUS Proxy is https://duo.com/docs/radius <https://duo.com/docs/radius> who have written back to me asking for logs so will see what they say. Kind regards, Christian Salway IT Consultant - Naimuri T: +44 7463 331432 E: [email protected] A: Naimuri Ltd, Capstan House, Manchester M50 2UW > On 11 Jul 2018, at 10:54, Tobias Brunner <[email protected]> wrote: > > Hi Christian, > >> Why would it fail after getting an approved access from RADIUS >> >> ... >> 12[IKE] EAP method EAP_MSCHAPV2 succeeded, no MSK established > > If the EAP method is key-generating, which EAP-MSCHAPv2 is, the > authentication will not succeed without an MSK, which the RADIUS server > should provide in MS-MPPE-Send|Recv-Key attributes in the Access-Accept > message (see e.g. [1] for a note regarding older FreeRADIUS versions and > EAP-MSCHAPv2). > > Regards, > Tobias > > [1] > https://wiki.strongswan.org/projects/strongswan/wiki/EAPRADIUS#RADIUS-servers
