[strongSwan] Strange garbling/mangling of EAP identity from certain clients

brent s. bts at square-r00t.net
Mon Dec 24 07:13:18 CET 2018 

Hello all!

So first, the setup.


GOAL:
RADIUS-backed (remote server) EAP client authentication with X.509-based
server authentication/identification (via Let's Encrypt
certificate/chain/key).
Pushed default route with dual-stack client address pools.


CLIENT PLATFORMS:
Windows 7+ (Windows 10 tested; not working)
iOS 9.3.5 (iPad tested; not working)
iOS 12.1 (iPhone tested; not working)
macOS (untested)
Android app (tested; working fine on version 2.0.2)
Arch Linux strongSwan (tested; working fine on version 5.7.1)


SERVER PLATFORM (strongSwan)
CentOS 7.5.1804
strongSwan: strongswan-5.7.1-1.el7.x86_64 RPM (via EPEL)


SERVER PLATFORM (RADIUS)
CentOS 7.5.1804
FreeRADIUS: freeradius-3.0.13-9.el7_5.x86_64 RPM (via updates)
            backend: openLDAP 2.4.44

Links to pastebins for logs from all of the above are at the bottom.



I'm noticing that when certain clients - so far I've seen it in iOS and
Windows 10 - connect, they're sending garbled usernames to the RADIUS
server. Such as:

User-Name = "\300\250\001\335"
(iOS 9.3.5)

User-Name = "&\001\002\203B\003+\027\rɰ:C\213\236\004"
(iOS 10.x? 11.x?)

User-Name = "\300\250\001\024"
(iOS 12.1)

User-Name = "\n\001\001\347"
(Windows 10)



On Windows 10, Event Viewer reports:

"The user <USERNAME> dialed a connection named <CONN_NAME> which has
failed. The error code returned on failure is 812."

Per
https://blogs.technet.microsoft.com/rrasblog/2009/08/12/troubleshooting-common-vpn-related-errors/
(#3), error code 812 is:

DESC: "The connection was prevented because of a policy configured on
your RAS/VPN server. Specifically, the authentication method used by the
server to verify your username and password may not match the
authentication method configured in your connection profile. Please
contact the Administrator of the RAS server and notify them of this error."

POSS. CAUSE(S): "Error 812 comes when Authentication protocol is set via
NPS (Network Policy and Access Services) otherwise Error 732/734."

POSS. SOLUTION(S): "Configure a more secured authentication protocol
like MS-CHAPv2 or EAP based authentication on the server – which matches
the settings on the client side."




All fine and dandy, except... I thought I was already using EAP
(reference linked logs).

Has anyone seen this before? Any ideas? Logs and swanctl.conf links are
below (had to pastebin; combined filesize was too large to post!).
They've been anonymized with the following values, but it should make sense:


VALUES:
1.) 128.66.0.1
2.) 128.66.0.2
3.) 128.66.0.3
4.) 128.66.0.4
5.) 128.66.2.0/24
6.) 2001:DB8::fe0b:f03c:9b31:91ff
7.) 2001:DB8::b03a:dc9:9e04:440b
8.) fe80::fe0b:f03c:9b31:91ff
9.) ike4.example.invalid
10.) ike6.example.invalid
11.) 128.66.1.0/24
12.) 2001:DB8:d5f::/112
13.) radius.example.invalid
14.) username_one
15.) password_one
16.) username_two
17.) password_two

CONTEXT:
1.) strongSwan server WAN (IPv4) (address is RFC 5737)
2.) FreeRADIUS server (public, IPv4)
3.) client "foo" (public, IPv4)
4.) client "baz" (public, IPv4)
5.) client "foo" (LAN)
6.) strongSwan server WAN (IPv6) (address is RFC 3849)
7.) client "bar" (public, IPv6)
8.) strongSwan server link-local
9.) strongSwan/LE cert FQDN (A) (2nd-level and TLD are RFC 2606)
10.) strongSwan/LE cert FQDN (AAAA)
11.) tunnel IPv4 pool
12.) tunnel IPv6 pool
13.) FreeRADIUS server
14.) an example user
15.) matching password for #14
16.) another example user
17.) matching password for #16


LINKS/LOGS:
strongSwan:
https://pastebin.com/2y7pH3jw = swanctl.conf
https://pastebin.com/sgewyZJk = charon_debug.log (Android)
https://pastebin.com/bQdhcYVi = charon_debug.log (Arch Linux)
https://pastebin.com/4fpX5tjk = charon_debug.log (iOS 9.3.5)
https://pastebin.com/qVvVzrmP = charon_debug.log (iOS 12.1)
https://pastebin.com/vWaxX03q = charon_debug.log (Windows 10)

FreeRADIUS, OpenLDAP:
https://pastebin.com/KHwtgDkD = authlog (Android)
https://pastebin.com/RRWg42Af = authlog (Arch Linux)
https://pastebin.com/Afxusn3d = authlog (iOS 9.3.5)
https://pastebin.com/W5aQWmpz = authlog (iOS 12.1)
https://pastebin.com/UJFpr8qz = authlog (Windows 10)



By the way, merry Christmas and happy holidays to you and yours.

-- 
brent saner
https://square-r00t.net/
GPG info: https://square-r00t.net/gpg-info


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 899 bytes
Desc: OpenPGP digital signature
URL: <http://lists.strongswan.org/pipermail/users/attachments/20181224/ea8e5328/attachment.sig>

More information about the Users mailing list