[strongSwan] WG: WG: unable to connect via Ubuntu 12.04 / strongswan-nm / eap-radius

Martin Shemon Martin.Shemon at parship.com
Tue May 20 08:10:15 CEST 2014


Additional Information:

This is the configuration I use on my RADIUS server:

        eap {
                default_eap_type = peap
                ignore_unknown_eap_types = no
                cisco_accounting_username_bug = no
                md5 {
                }
                leap {
                }
                gtc {
                        auth_type = PAP
                }
                tls {
                        certdir = ${confdir}/certs
                        cadir = ${confdir}/certs
                        private_key_password = [HIDDEN]
                        private_key_file = ${certdir}/server.key
                        certificate_file = ${certdir}/server.pem
                        CA_file = ${cadir}/ca.pem
                        dh_file = ${certdir}/dh
                        random_file = ${certdir}/random
                        CA_path = ${cadir}
                        cipher_list = "DEFAULT"
                        make_cert_command = "${certdir}/bootstrap"
                        cache {
                              enable = no
                              lifetime = 24 # hours
                              max_entries = 255
                        }
                        verify {
                        }
                }
                ttls {
                        default_eap_type = md5
                        copy_request_to_tunnel = no
                        use_tunneled_reply = no
                        virtual_server = "inner-tunnel"
                }
                peap {
                        default_eap_type = mschapv2
                        copy_request_to_tunnel = no
                        use_tunneled_reply = no
                        virtual_server = "inner-tunnel"
                }
                mschapv2 {
                }
        }

-----Original Message-----
From: Martin Willi [mailto:martin at strongswan.org]
Sent: Monday, 19 May 2014 17:16
To: Martin Shemon
Cc: users at lists.strongswan.org
Subject: Re: [strongSwan] WG: unable to connect via Ubuntu 12.04 / strongswan-nm / eap-radius

Hi,

> For me it looks like that the TLS connection to the radius server is 
> not working as expected.

> 11[CFG] sending RADIUS Access-Request to server '[here DNS Name RADIUS]'
> 11[CFG] received RADIUS Access-Reject from server '[here DNS Name RADIUS]'
> 11[IKE] RADIUS authentication of '[DOMAIN\username]' failed
> 11[IKE] EAP method EAP_PEAP failed for peer [DOMAIN\username]
> charon: 11[ENC] generating IKE_AUTH response 6 [ EAP/FAIL ]

There is nothing wrong on your Gateway; it just forwards EAP authentication between clients and your AAA. You should take a look at your client and the terminating RADIUS server log.

The problem probably is that your AAA is proposing PEAP. On NM, you can configure a single server certificate only. Is the AAA PEAP certificate the same that you use to authenticate the gateway? Does your AAA expect a client certificate to do mutual PEAP authentication before running the inner EAP method?

Regards
Martin
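As an added example (not code from either poster or from the strongSwan or FreeRADIUS projects): a small Python parser for the FreeRADIUS-style `eap { }` section posted above, followed by an audit that pulls out the facts the reply asks about: which outer EAP method the AAA defaults to, which inner method PEAP tunnels to, and which certificate file the PEAP TLS layer presents to the NM client. The sample input is the posted configuration, trimmed. `${confdir}` is defined outside this section and is deliberately left unexpanded. The `require_client_cert` lookup assumes the FreeRADIUS setting of that name; it does not appear in the posted config, so the audit reports that no client certificate is required.

```python
"""Parse a FreeRADIUS-style eap { } section and summarise the EAP negotiation
the IKE gateway will relay between the NM client and the AAA server."""
import re

# Constructed sample input: the eap { } section posted in the thread, trimmed.
EAP_CONF = """\
eap {
        default_eap_type = peap
        md5 {
        }
        tls {
                certdir = ${confdir}/certs
                cadir = ${confdir}/certs
                private_key_password = [HIDDEN]
                certificate_file = ${certdir}/server.pem
                CA_file = ${cadir}/ca.pem
                cache {
                        lifetime = 24 # hours
                }
        }
        peap {
                default_eap_type = mschapv2
                virtual_server = "inner-tunnel"
        }
        mschapv2 {
        }
}
"""

_BLOCK_OPEN = re.compile(r"^(\S+)\s*\{$")
_ASSIGN = re.compile(r"^(\w+)\s*=\s*(.*)$")
_VAR = re.compile(r"\$\{(\w+)\}")


def _strip_comment(line):
    """Drop a trailing '#' comment, ignoring '#' inside double quotes."""
    out, quoted = [], False
    for ch in line:
        quoted ^= ch == '"'
        if ch == "#" and not quoted:
            break
        out.append(ch)
    return "".join(out).strip()


def parse_conf(text):
    """Return nested dicts: blocks become dicts, 'key = value' become strings."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = _strip_comment(raw)
        if not line:
            continue
        if line == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced '}'")
            stack.pop()
        elif (m := _BLOCK_OPEN.match(line)):
            stack[-1][m.group(1)] = child = {}
            stack.append(child)
        elif (m := _ASSIGN.match(line)):
            val = m.group(2).strip()
            if len(val) >= 2 and val[0] == val[-1] == '"':
                val = val[1:-1]  # unquote values such as "inner-tunnel"
            stack[-1][m.group(1)] = val
        else:
            raise ValueError(f"cannot parse line: {raw!r}")
    if len(stack) != 1:
        raise ValueError("unclosed block at end of input")
    return root


def expand(value, scopes):
    """Expand ${name} from the innermost scope outward; names defined outside
    this section (e.g. ${confdir}) are left untouched for the reader."""
    def repl(m):
        for scope in scopes:
            v = scope.get(m.group(1))
            if isinstance(v, str):
                return expand(v, scopes)
        return m.group(0)
    return _VAR.sub(repl, value)


def audit_eap(conf):
    """Summarise the EAP methods on offer and the PEAP TLS material."""
    eap = conf["eap"]
    tls = eap.get("tls", {})
    outer = eap.get("default_eap_type")
    tunnel = eap.get(outer, {}) if outer in ("peap", "ttls") else {}
    scopes = [tls, eap, conf]
    return {
        "outer_method": outer,
        "inner_method": tunnel.get("default_eap_type"),
        "inner_virtual_server": tunnel.get("virtual_server"),
        # The certificate the NM client sees inside the PEAP tunnel; with a
        # single configured server certificate on the client, this is what
        # the reply asks you to compare against the gateway certificate.
        "peap_server_certificate": expand(tls.get("certificate_file", ""), scopes),
        "peap_ca_file": expand(tls.get("CA_file", ""), scopes),
        # Assumed FreeRADIUS knob name; absent here, so no client cert is required.
        "client_cert_required": tunnel.get("require_client_cert", "no") == "yes",
        "enabled_methods": sorted(k for k, v in eap.items() if isinstance(v, dict)),
    }


if __name__ == "__main__":
    for key, value in audit_eap(parse_conf(EAP_CONF)).items():
        print(f"{key:>24}: {value}")
```

Run it against the full `eap { }` section (or the whole `eap.conf`) and compare the reported `peap_server_certificate` with the certificate the NM connection is configured to trust; if they differ and `client_cert_required` is false, the Access-Reject is being produced inside the PEAP TLS handshake on the client's side of the exchange, not by the gateway.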

