[strongSwan] eap-radius-md5-android

Thomas Will thomas.will at xinux.de
Tue Jan 6 12:54:18 CET 2015


Hello,

we are testing the implementation and integration of strongSwan over
RADIUS to LDAP.
-----
/etc/ipsec.conf
config setup
        charondebug="ike 6, knl 3, cfg 0, lib 2"
conn %default
        #pingsource=192.168.240.98
conn rw-eap
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev2
        left=quark.xxxx.com
        leftsubnet=192.168.240.0/21
        leftid=@quark.xxxx.com
        leftcert=xin-ca-quark.xxxx.com.crt
        leftauth=pubkey
        leftfirewall=yes
        rightid=%any
        rightsendcert=never
        rightauth=eap-radius
        eap_identity=%any
        right=%any
        auto=add
-----
/etc/strongswan.conf
charon {
        load_modular = yes
        plugins {
                include strongswan.d/charon/*.conf
                eap-radius {
                        secret = W0mbel-88
                        server = 192.168.240.69
                }
        }
}
include strongswan.d/*.conf
-----

From our gateway we got a positive result:

radtest badura.odinsraben 12suxer34  192.168.240.69 1812 W0mbel-88
Sending Access-Request of id 59 to 192.168.240.69 port 1812
     User-Name = "badura.odinsraben"
     User-Password = "12suxer34"
     NAS-IP-Address = 127.0.1.1
     NAS-Port = 1812
     Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Accept packet from host 192.168.240.69 port 1812, id=59, length=20
-----------


After we tried to establish a connection over strongSwan, we get:

----
WARNING: No "known good" password was found in LDAP.  Are you sure that the user is configured correctly?
[ldap] user badura.odinsraben authorized to use remote access
   [ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user
Failed to authenticate the user.
----

I have 2 questions ...

1. What is wrong? Is there any parameter missing in strongswan.conf?

2. We use "rightid=%any" instead of "rightid=*@xxxx.com" ... where is
the rightid option in the strongSwan Android app?

regards ...

-- 
thomas will
- xinux e.K.- networking - security - consulting - training   -
- novell certified linux professional - lpi level 2 certified -
- fon 06332 44040  - fax 06332 899227  - mobil 0170 52 18 548  -
- 66482 zweibruecken - wichernstr. 18  - http://www.xinux.de  -
- Amtsgericht  -  Registergericht  -  Zweibruecken - HRA 1518 -
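Added illustration (not code from the original post or from strongSwan): the "No known good password" warning matters because EAP-MD5 (RFC 3748 section 5.4) is a challenge/response method, so the RADIUS server must recompute MD5(Identifier || password || Challenge) from the cleartext password to verify the client, whereas the radtest run only sent a PAP User-Password that an LDAP bind can confirm without ever returning it. The identifier, password, challenge and user name below are constructed.

```python
import hashlib
import hmac
import struct
from typing import Optional

EAP_RESPONSE, EAP_TYPE_MD5 = 2, 4

def md5_response_value(identifier: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 3748 section 5.4: Value = MD5(Identifier || password || Challenge)."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()

def build_md5_response(identifier: int, password: bytes, challenge: bytes, name: bytes) -> bytes:
    """Client side. EAP-Response/MD5-Challenge: Code|Identifier|Length|Type|Value-Size|Value|Name."""
    value = md5_response_value(identifier, password, challenge)
    body = bytes([EAP_TYPE_MD5, len(value)]) + value + name
    return struct.pack("!BBH", EAP_RESPONSE, identifier, 4 + len(body)) + body

def parse_md5_response(pkt: bytes) -> tuple:
    """Return (identifier, value, name); raise ValueError if the packet is malformed."""
    if len(pkt) < 6:
        raise ValueError("packet too short")
    code, identifier, length = struct.unpack("!BBH", pkt[:4])
    if code != EAP_RESPONSE or length != len(pkt) or pkt[4] != EAP_TYPE_MD5:
        raise ValueError("not an EAP-Response/MD5-Challenge")
    size = pkt[5]
    if size != 16 or 6 + size > length:
        raise ValueError("bad Value-Size")
    return identifier, pkt[6:6 + size], pkt[6 + size:length]

def server_verify(pkt: bytes, challenge: bytes, known_good: Optional[bytes]) -> str:
    """Server side. The digest can only be recomputed from the cleartext ("known good")
    password; an LDAP bind that merely confirms a password (enough for PAP, which is
    what radtest sent) gives the server nothing to compare against."""
    identifier, value, _name = parse_md5_response(pkt)
    if known_good is None:
        return "reject: no known good password"
    expected = md5_response_value(identifier, known_good, challenge)
    return "accept" if hmac.compare_digest(expected, value) else "reject: wrong password"

# Constructed sample data, not real credentials.
PASSWORD = b"correct horse"
CHALLENGE = bytes.fromhex("00112233445566778899aabbccddeeff")

def demo() -> dict:
    pkt = build_md5_response(0x2A, PASSWORD, CHALLENGE, b"alice")
    return {
        "with_cleartext_password": server_verify(pkt, CHALLENGE, PASSWORD),
        "without_cleartext_password": server_verify(pkt, CHALLENGE, None),
        "wrong_cleartext_password": server_verify(pkt, CHALLENGE, b"wrong"),
    }
```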


