[strongSwan] Cannot get eap-radius working on Strongswan 5

Martin Willi martin at strongswan.org
Mon Feb 23 10:58:20 CET 2015


Hi,

> My new setup uses MD5 passwords in Radius, while my old config used
> NT-hash. It seems now with radius-eap I have problems authenticating
> against the MD5 passwords. It is using eap-mschapv2 and it seems it is
> not a supported combination -

This can't work, a server verifying clients with EAP-MSCHAPv2 needs the
plain password or the NT-Hash of it. Any other password hash can't work
with that protocol.

> Can I use other method from strongswan to authenticate against radius
> server with md5 passwords?

This depends on your client. If you have Windows clients, there is
probably no way around EAP-MSCHAPv2 for password authentication. Our
EAP-GTC plugin exchanges plain passwords, so you basically could store
password with any hash, but no such method is supported by Windows
clients (and I don't know about FreeRADIUS).

Regards
Martin



More information about the Users mailing list