[strongSwan] strongSwan 5.0.1 with IKEv1 and freeradius

Dmitry Korzhevin dmitry.korzhevin at stidia.com
Wed Nov 14 12:22:12 CET 2012


Hi,

Thank you, Martin

It seems strongSwan is now connecting to the RADIUS server, but it still
can't authorize. I see interesting errors in the log: /var/log/charon.log

Nov 14 12:11:17 11[CFG] selected peer config "radius2"
Nov 14 12:11:17 11[ENC] generating ID_PROT response 0 [ ID HASH ]
Nov 14 12:11:17 11[NET] sending packet: from SERVER[4500] to CLIENT[4500]
Nov 14 12:11:17 11[ENC] generating TRANSACTION request 586902352 [ HASH CP ]
Nov 14 12:11:17 11[NET] sending packet: from SERVER[4500] to CLIENT[4500]
Nov 14 12:11:17 12[NET] received packet: from CLIENT[4500] to SERVER[4500]
Nov 14 12:11:17 12[ENC] parsed TRANSACTION response 586902352 [ HASH CP ]
Nov 14 12:11:17 12[CFG] sending RADIUS Access-Request to server 'primary'
Nov 14 12:11:17 12[CFG] received RADIUS Access-Challenge from server 'primary'
Nov 14 12:11:17 12[IKE] XAuth-EAP backend requested EAP_MD5, but not supported
Nov 14 12:11:17 12[IKE] XAuth authentication of 'user' failed
Nov 14 12:11:17 12[ENC] generating TRANSACTION request 1740345844 [ HASH CP ]
Nov 14 12:11:17 12[NET] sending packet: from 91.250.80.33[4500] to 89.252.56.204[4500]
Nov 14 12:11:17 13[NET] received packet: from 89.252.56.204[4500] to 91.250.80.33[4500]
Nov 14 12:11:17 13[ENC] parsed TRANSACTION response 1740345844 [ HASH CP ]
Nov 14 12:11:17 13[IKE] destroying IKE_SA after failed XAuth authentication

It seems the problem is in "XAuth-EAP backend requested EAP_MD5, but not supported"

On the RADIUS server, which I run with "freeradius -X" for debugging purposes, I see:

http://dpaste.com/830855/

14.11.2012 12:47, Martin Willi wrote:
> Hi Dimitry,
>
>> are strongSwan able to handle auth using freeradius as backend auth
>> server for mac os x clients?
>
> Yes.
>
>> I compile strongSwan with --enable-eap-radius, radius is already
>> configured and works with xl2tp (L2TP server).
>
> We have discussed this a few times already on this list:
>
> The eap-radius backend, as its name indicates, forwards EAP within
> RADIUS to authenticate (usually IKEv2) users. We currently have no plain
> RADIUS interface to verify User-Name/User-Password RADIUS attributes.
>
> IKEv1 clients, in contrast to IKEv2, can't speak EAP. They just send
> plain username/password attributes in the XAuth exchange. But you can
> use the xauth-eap backend: it allows your gateway to do an EAP exchange
> (as client) with the RADIUS server using the received XAuth credentials.
>
> Have a look at [1] for the xauth-eap details.
>
> Regards
> Martin
>
> [1] http://wiki.strongswan.org/projects/strongswan/wiki/XAuthEAP
>

Best Regards,
Dmitry

---
Dmitry KORZHEVIN
System Administrator
STIDIA S.A. - Luxembourg

e: dmitry.korzhevin at stidia.com
m: +38 093 874 5453
w: http://www.stidia.com
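
An added example, not part of the original message or of strongSwan: a small Python triage script for charon.log excerpts like the one above. It separates XAuth failures where the gateway logged an unsupported EAP method (a configuration problem) from failures with no such line (more likely a credential problem). The sample log is constructed, the 'alice' line is invented, and pairing lines by worker-thread number is an assumption.

```python
import re

# Constructed sample modelled on the charon.log excerpt above, including the
# mail client's line wrapping; the 'alice' line is invented for contrast.
SAMPLE_LOG = """\
Nov 14 12:11:17 12[CFG] sending RADIUS Access-Request to server 'primary'
Nov 14 12:11:17 12[CFG] received RADIUS Access-Challenge from server
'primary'
Nov 14 12:11:17 12[IKE] XAuth-EAP backend requested EAP_MD5, but not
supported
Nov 14 12:11:17 12[IKE] XAuth authentication of 'user' failed
Nov 14 12:11:17 13[IKE] destroying IKE_SA after failed XAuth authentication
Nov 14 12:15:02 07[IKE] XAuth authentication of 'alice' failed
"""

# "<date> <thread>[<subsystem>] <message>", the layout seen in the excerpt.
LINE = re.compile(r"^(?P<ts>\w{3} +\d+ [\d:]{8}) (?P<thread>\d+)\[(?P<sub>[A-Z]+)\] (?P<msg>.*)$")
UNSUPPORTED = re.compile(r"XAuth-EAP backend requested (EAP_\w+), but not supported")
FAILED = re.compile(r"XAuth authentication of '([^']*)' failed")

def unwrap(log_text):
    """Re-join wrapped entries: a line without a timestamp continues the previous one."""
    entries = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        if LINE.match(raw) or not entries:
            entries.append(raw.rstrip())
        else:
            entries[-1] += " " + raw.strip()
    return entries

def triage(log_text):
    """One record per failed XAuth login, with the unsupported EAP method if one was logged."""
    pending = {}   # thread number -> EAP method the gateway could not speak (assumed pairing)
    results = []
    for entry in unwrap(log_text):
        m = LINE.match(entry)
        if not m:
            continue
        if (u := UNSUPPORTED.search(m["msg"])):
            pending[m["thread"]] = u.group(1)
        elif (f := FAILED.search(m["msg"])):
            results.append({"time": m["ts"], "user": f.group(1),
                            "unsupported_method": pending.pop(m["thread"], None)})
    return results

if __name__ == "__main__":
    for rec in triage(SAMPLE_LOG):
        print(rec)
```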
