[strongSwan] Cannot get eap-radius working on Strongswan 5

Milen Pankov mail at milen.pankov.eu
Sat Feb 21 10:52:53 CET 2015


On 02/20/2015 04:02 PM, Martin Willi wrote:
> Hi Milen,
> 
>> 07[IKE] initiating EAP_IDENTITY method (id 0x00)
>> 07[IKE] peer supports MOBIKE
>> 07[IKE] authentication of '[...]' (myself) with RSA signature successful
>> 07[IKE] sending end entity cert "[...]"
>> 07[ENC] generating IKE_AUTH response 1 [IDr CERT AUTH EAP/REQ/ID ]
>> 07[NET] sending packet: from 5.6.7.8[4500] to 1.2.3.4[4500] (1380 bytes)
>> 08[JOB] deleting half open IKE_SA after timeout
> 
> The client requests EAP authentication, and your Gateway correctly sends
> an EAP-Identity request along with a signature and certificate to
> authenticate itself to the client. The client, however, never
> continues negotiation. Most likely it didn't accept the AUTH signature
> or the corresponding certificate.
> 
> You may check your client's log for any error, most likely the gateway
> certificate is not trusted on the client. I don't think this issue is
> directly related to RADIUS authentication, your AAA is not yet involved
> at this stage.
> 
> Regards
> Martin 
> 
Hi Martin,

You are right, the problem was in the certificate; it seems a wildcard
certificate doesn't work, while I thought it would. I didn't understand
from the logs that that was failing. Now I got this part working, but I
have another issue. It is also related to the radius server and I don't
know if this is the right place to ask, but I would appreciate any help.
My new setup uses MD5 passwords in Radius, while my old config used
NT-hash. It seems now with radius-eap I have problems authenticating
against the MD5 passwords. It is using eap-mschapv2 and it seems it is
not a supported combination -
http://deployingradius.com/documents/protocols/compatibility.html. Can I
use another method from strongSwan to authenticate against a radius server
with md5 passwords?

Regards,
Milen
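
The pattern Martin reads out of the gateway log above (CERT, AUTH and EAP/REQ/ID sent, then only the half-open timeout) can be picked out mechanically. The following is an added example, not part of the original thread or of strongSwan; it assumes a single-client log excerpt, because these lines carry a worker thread number rather than an SA identifier, and `OK_LOG` is a constructed counter-example.

```python
import re

# STALLED_LOG is the gateway log quoted in the thread.
# OK_LOG is a constructed excerpt in which the client does answer.
STALLED_LOG = """\
07[IKE] initiating EAP_IDENTITY method (id 0x00)
07[IKE] peer supports MOBIKE
07[IKE] authentication of '[...]' (myself) with RSA signature successful
07[IKE] sending end entity cert "[...]"
07[ENC] generating IKE_AUTH response 1 [IDr CERT AUTH EAP/REQ/ID ]
07[NET] sending packet: from 5.6.7.8[4500] to 1.2.3.4[4500] (1380 bytes)
08[JOB] deleting half open IKE_SA after timeout
"""

OK_LOG = """\
07[ENC] generating IKE_AUTH response 1 [IDr CERT AUTH EAP/REQ/ID ]
07[NET] sending packet: from 5.6.7.8[4500] to 1.2.3.4[4500] (1380 bytes)
09[ENC] parsed IKE_AUTH request 2 [ EAP/RES/ID ]
"""

LINE = re.compile(r"^(\d+)\[(\w+)\]\s+(.*)$")
EAP_ID_SENT = re.compile(r"generating IKE_AUTH response \d+ \[.*\bCERT\b.*\bAUTH\b.*EAP/REQ/ID")
CLIENT_REPLY = re.compile(r"parsed IKE_AUTH request \d+ \[")
TIMEOUT = "deleting half open IKE_SA after timeout"

def find_stalls(log_text):
    """Return the peer address (None if not logged) of every exchange where the gateway
    sent CERT+AUTH+EAP/REQ/ID and the half-open SA timed out with no client reply."""
    stalls, pending, peer = [], False, None
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        subsystem, msg = m.group(2), m.group(3)
        if subsystem == "ENC" and EAP_ID_SENT.search(msg):
            pending, peer = True, None
        elif pending and subsystem == "NET" and msg.startswith("sending packet"):
            to = re.search(r" to (\S+?)\[\d+\]", msg)
            peer = to.group(1) if to else None
        elif pending and subsystem == "ENC" and CLIENT_REPLY.search(msg):
            pending = False          # client accepted AUTH/cert and continued
        elif pending and subsystem == "JOB" and TIMEOUT in msg:
            stalls.append(peer)      # client went silent after the gateway's AUTH/cert
            pending = False
    return stalls
```

A hit says only that the client stopped after receiving the gateway's AUTH payload and certificate; the reason has to come from the client's own log, as Martin notes.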

