[strongSwan] strongSwan 5.0.1 with IKEv1 and freeradius

Dmitry Korzhevin dmitry.korzhevin at stidia.com
Wed Nov 14 12:48:35 CET 2012


Thanks to all!

Problem is solved. I forgot to include '--enable-eap-md5' in my 
./configure string:

./configure --sysconfdir=/etc --enable-eap-identity \
    --enable-eap-mschapv2 --enable-md4 --enable-integrity-test \
    --enable-test-vectors --enable-sql --enable-mysql --enable-xauth-eap \
    --enable-eap-radius --enable-eap-md5


14.11.2012 13:22, Dmitry Korzhevin wrote:
> Hi,
>
> Thank you, Martin
>
> It seems strongSwan is now connecting to the RADIUS server, but it still
> can't authorize. I see interesting errors in the log: /var/log/charon.log
>
> Nov 14 12:11:17 11[CFG] selected peer config "radius2"
> Nov 14 12:11:17 11[ENC] generating ID_PROT response 0 [ ID HASH ]
> Nov 14 12:11:17 11[NET] sending packet: from SERVER[4500] to CLIENT[4500]
> Nov 14 12:11:17 11[ENC] generating TRANSACTION request 586902352 [ HASH
> CP ]
> Nov 14 12:11:17 11[NET] sending packet: from SERVER[4500] to CLIENT[4500]
> Nov 14 12:11:17 12[NET] received packet: from CLIENT[4500] to SERVER[4500]
> Nov 14 12:11:17 12[ENC] parsed TRANSACTION response 586902352 [ HASH CP ]
> Nov 14 12:11:17 12[CFG] sending RADIUS Access-Request to server 'primary'
> Nov 14 12:11:17 12[CFG] received RADIUS Access-Challenge from server
> 'primary'
> Nov 14 12:11:17 12[IKE] XAuth-EAP backend requested EAP_MD5, but not
> supported
> Nov 14 12:11:17 12[IKE] XAuth authentication of 'user' failed
> Nov 14 12:11:17 12[ENC] generating TRANSACTION request 1740345844 [ HASH
> CP ]
> Nov 14 12:11:17 12[NET] sending packet: from 91.250.80.33[4500] to
> 89.252.56.204[4500]
> Nov 14 12:11:17 13[NET] received packet: from 89.252.56.204[4500] to
> 91.250.80.33[4500]
> Nov 14 12:11:17 13[ENC] parsed TRANSACTION response 1740345844 [ HASH CP ]
> Nov 14 12:11:17 13[IKE] destroying IKE_SA after failed XAuth authentication
>
> It seems the problem is in "XAuth-EAP backend requested EAP_MD5, but not supported"
>
> On the RADIUS server, which I run with "freeradius -X" for debugging purposes, I see:
>
> http://dpaste.com/830855/
>
> 14.11.2012 12:47, Martin Willi wrote:
>> Hi Dimitry,
>>
>>> Is strongSwan able to handle auth using freeradius as backend auth
>>> server for Mac OS X clients?
>>
>> Yes.
>>
>>> I compile strongSwan with --enable-eap-radius, radius is already
>>> configured and works with xl2tp (L2TP server).
>>
>> We have discussed this a few times already on this list:
>>
>> The eap-radius backend, as its name indicates, forwards EAP within
>> RADIUS to authenticate (usually IKEv2) users. We currently have no plain
>> RADIUS interface to verify User-Name/User-Password RADIUS attributes.
>>
>> IKEv1 clients, in contrast to IKEv2, can't speak EAP. They just send
>> plain username/password attributes in the XAuth exchange. But you can
>> use the xauth-eap backend: it allows your gateway to do an EAP exchange
>> (as client) with the RADIUS server using the received XAuth credentials.
>>
>> Have a look at [1] for the xauth-eap details.
>>
>> Regards
>> Martin
>>
>> [1] http://wiki.strongswan.org/projects/strongswan/wiki/XAuthEAP
>>
>
> Best Regards,
> Dmitry
>
> ---
> Dmitry KORZHEVIN
> System Administrator
> STIDIA S.A. - Luxembourg
>
> e: dmitry.korzhevin at stidia.com
> m: +38 093 874 5453
> w: http://www.stidia.com
>

Best Regards,
Dmitry

---
Dmitry KORZHEVIN
System Administrator
STIDIA S.A. - Luxembourg

e: dmitry.korzhevin at stidia.com
m: +38 093 874 5453
w: http://www.stidia.com
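
An added example, not part of the original thread and not strongSwan code: a small Python check that scans charon.log text (including mail-quoted, line-wrapped copies like the one in this thread) for the "XAuth-EAP backend requested ..., but not supported" error and names the ./configure switch that is missing. The sample log and the EAP_FOO method are constructed; the EAP_MD5 pairing is the one confirmed in this thread, and the other table entries are assumptions that follow the same flag naming.

```python
import re

# EAP method name as logged by charon -> ./configure switch for its plugin.
# EAP_MD5 is confirmed by this thread; the other rows are assumed to follow
# the same naming and should be checked against ./configure --help.
FLAG_FOR_METHOD = {
    "EAP_MD5": "--enable-eap-md5",
    "EAP_MSCHAPV2": "--enable-eap-mschapv2",
    "EAP_GTC": "--enable-eap-gtc",
    "EAP_TLS": "--enable-eap-tls",
    "EAP_TTLS": "--enable-eap-ttls",
    "EAP_PEAP": "--enable-eap-peap",
}

RECORD_START = re.compile(r"^([A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) ")
UNSUPPORTED = re.compile(r"XAuth-EAP backend requested (EAP_\w+), but not supported")

def records(text):
    """Undo mail quoting and line wrapping so each log record is one string."""
    out = []
    for line in text.splitlines():
        line = re.sub(r"^(?:>\s?)+", "", line).strip()
        if not line:
            continue
        if RECORD_START.match(line) or not out:
            out.append(line)          # a new timestamped record
        else:
            out[-1] += " " + line     # continuation of a wrapped record
    return out

def missing_eap_plugins(text):
    """Return (timestamp, eap_method, configure_flag_or_None) per failure."""
    findings = []
    for rec in records(text):
        hit = UNSUPPORTED.search(rec)
        if hit:
            ts = RECORD_START.match(rec)
            method = hit.group(1)
            findings.append((ts.group(1) if ts else None, method,
                             FLAG_FOR_METHOD.get(method)))
    return findings

# Constructed sample, modelled on the log excerpt quoted in this thread.
SAMPLE = """\
> Nov 14 12:11:17 12[CFG] received RADIUS Access-Challenge from server
> 'primary'
> Nov 14 12:11:17 12[IKE] XAuth-EAP backend requested EAP_MD5, but not
> supported
> Nov 14 12:11:17 12[IKE] XAuth authentication of 'user' failed
Nov 14 12:15:02 09[IKE] XAuth-EAP backend requested EAP_FOO, but not supported
"""

if __name__ == "__main__":
    for ts, method, flag in missing_eap_plugins(SAMPLE):
        print(ts, method, flag or "no known switch, check ./configure --help")
```

A result with no flag means the RADIUS server is offering a method the table does not cover; the other option in that case is to change the method the RADIUS server offers to one the gateway already supports.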
