[strongSwan] WG: WG: unable to connect via Ubuntu 12.04 / strongswan-nm / eap-radius
Martin.Shemon at parship.com
Tue May 20 08:09:54 CEST 2014
Thanks for this fast reply :-)
I'll answer between the lines (below)
From: Martin Willi [mailto:martin at strongswan.org]
Sent: Monday, 19 May 2014 17:16
To: Martin Shemon
Cc: users at lists.strongswan.org
Subject: Re: [strongSwan] WG: unable to connect via Ubuntu 12.04 / strongswan-nm / eap-radius
> For me it looks like that the TLS connection to the radius server is
> not working as expected.
> 11[CFG] sending RADIUS Access-Request to server '[here DNS Name RADIUS]'
> 11[CFG] received RADIUS Access-Reject from server '[here DNS Name RADIUS]'
> 11[IKE] RADIUS authentication of '[DOMAIN\username]' failed
> 11[IKE] EAP method EAP_PEAP failed for peer [DOMAIN\username]
> charon: 11[ENC] generating IKE_AUTH response 6 [ EAP/FAIL ]
There is nothing wrong on your Gateway; it just forwards EAP authentication between clients and your AAA. You should take a look at your client and the terminating RADIUS server log.
The problem probably is that your AAA is proposing PEAP. On NM, you can configure a single server certificate only.
--> Ah, this is the possible problem, I think... :-/
Is the AAA PEAP certificate the same that you use to authenticate the gateway?
--> No, there is a separate certificate for our RADIUS server. Inside the log I see that the RADIUS server shows its certificate to the client, but the client ignores it...
Does your AAA expect a client certificate to do mutual PEAP authentication before running the inner EAP method?
--> I think so. (Is it possible to configure this inside the Ubuntu-strongswan-nm (compiled from source)?)
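An added example, not part of the original thread or of strongSwan: a small triage script that reads charon log lines like the ones quoted above and reports whether an EAP failure was preceded by a RADIUS Access-Reject on the same worker thread, which is the case where the gateway only relayed the AAA server's decision. The sample log, the server name `radius.example.test`, the peer identity and the function name `triage` are constructed for illustration.

```python
import re

# Constructed sample, modelled on the charon lines quoted in the post above.
SAMPLE_LOG = """\
11[CFG] sending RADIUS Access-Request to server 'radius.example.test'
11[CFG] received RADIUS Access-Challenge from server 'radius.example.test'
11[CFG] sending RADIUS Access-Request to server 'radius.example.test'
11[CFG] received RADIUS Access-Reject from server 'radius.example.test'
11[IKE] RADIUS authentication of 'EXAMPLE\\user' failed
11[IKE] EAP method EAP_PEAP failed for peer EXAMPLE\\user
charon: 11[ENC] generating IKE_AUTH response 6 [ EAP/FAIL ]
"""

# "<thread>[<group>] <message>", with or without a syslog prefix in front.
LINE = re.compile(r"(\d+)\[(\w+)\] (.*)")
RADIUS_RX = re.compile(r"received RADIUS (Access-\w+) from server '([^']*)'")
EAP_FAIL = re.compile(r"EAP method (\w+) failed for peer (.+)")

def triage(log_text):
    """Return one finding per failed EAP exchange in a charon log."""
    last_radius = {}   # thread id -> (last RADIUS reply type, server)
    findings = []
    for raw in log_text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue
        thread, _group, msg = m.groups()
        r = RADIUS_RX.search(msg)
        if r:
            last_radius[thread] = r.groups()
            continue
        f = EAP_FAIL.search(msg)
        if f:
            reply, server = last_radius.pop(thread, (None, None))
            # An Access-Reject right before the failure means the AAA server
            # made the decision; the gateway only relayed the EAP messages.
            origin = "aaa-server" if reply == "Access-Reject" else "gateway-or-unknown"
            findings.append({"method": f.group(1), "peer": f.group(2),
                             "server": server, "origin": origin})
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

An `aaa-server` finding points the investigation at the client and the terminating RADIUS server logs rather than at the gateway configuration.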