[strongSwan] eap-radius-md5-android

Ygor Amadeo Sartori Regados ygor.regados at openmailbox.org
Tue Jan 6 20:09:08 CET 2015


Looks like your problem is in your RADIUS server configuration, not in
strongSwan's.

If you are using FreeRADIUS, have you configured EAP authentication?
radtest uses PAP authentication by default for the test. You may test
EAP or MSCHAP using "-t mschap" or "-t eap-md5".

Also, some EAP backends (e.g. EAP-MSCHAPv2, EAP-MD5) require the
password to be stored in plaintext or in special fields (NT and LM
passwords for EAP-MSCHAPv2).

On 2015-01-06 09:54, Thomas Will wrote:
> hello,
> 
> we are testing the implementation and integration of strongswan over
> radius to ldap
> -----
> /etc/ipsec.conf
> config setup
>        charondebug="ike 6, knl 3, cfg 0, lib 2"
> conn %default
>       #pingsource=192.168.240.98
> conn rw-eap
>         ikelifetime=60m
>         keylife=20m
>         rekeymargin=3m
>         keyingtries=1
>         keyexchange=ikev2
>         left=quark.xxxx.com
>         leftsubnet=192.168.240.0/21
>         leftid=@quark.xxxx.com
>         leftcert=xin-ca-quark.xxxx.com.crt
>         leftauth=pubkey
>         leftfirewall=yes
>         rightid=%any
>         rightsendcert=never
>         rightauth=eap-radius
>         eap_identity=%any
>         right=%any
>         auto=add
> -----
> /etc/strongswan.conf
> charon {
>         load_modular = yes
>         plugins {
>                 include strongswan.d/charon/*.conf
>         eap-radius {
>         secret = W0mbel-88
>         server = 192.168.240.69
>         }
>         }
> }
> include strongswan.d/*.conf
> -----
> 
> from our gateway - we got a positive result
> 
> radtest badura.odinsraben 12suxer34  192.168.240.69 1812 W0mbel-88
> Sending Access-Request of id 59 to 192.168.240.69 port 1812
>     User-Name = "badura.odinsraben"
>     User-Password = "12suxer34"
>     NAS-IP-Address = 127.0.1.1
>     NAS-Port = 1812
>     Message-Authenticator = 0x00000000000000000000000000000000
> rad_recv: Access-Accept packet from host 192.168.240.69 port 1812,
> id=59, length=20
> -----------
> 
> 
> after we tried to establish a connection over strongswan - we get
> 
> ----
> WARNING: No "known good" password was found in LDAP.  Are you sure
> that the user is configured correctly?
> [ldap] user badura.odinsraben authorized to use remote access
>   [ldap] ldap_release_conn: Release Id: 0
> ++[ldap] returns ok
> ERROR: No authenticate method (Auth-Type) found for the request:
> Rejecting the user
> Failed to authenticate the user.
> ----
> 
> i have 2 questions ...
> 
> 1. what is wrong? is there any parameter in strongswan.conf missing?
> 
> 2.  we use "rightid=%any" instead of "rightid=*@xxxx.com" ... where is
> the rightid option in the strongswan android app?
> 
> regards ...
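
Added example, not part of the original messages: a sketch of why a PAP test with radtest can succeed against a directory that stores only password hashes while EAP-MD5 cannot, as the reply above describes. The password, salt, challenge and the {SSHA}-style storage are constructed assumptions, not values from the thread.

```python
import hashlib
import hmac

def eap_md5_response(identifier: int, password: bytes, challenge: bytes) -> bytes:
    """EAP-MD5 reuses the CHAP digest (RFC 1994): MD5(id || password || challenge)."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()

def ssha(password: bytes, salt: bytes) -> bytes:
    """Salted SHA-1 digest, the value behind an LDAP {SSHA} userPassword (assumed storage)."""
    return hashlib.sha1(password + salt).digest()

def pap_check(submitted: bytes, stored_hash: bytes, salt: bytes) -> bool:
    """With PAP the server recovers the submitted password, so it can hash and compare."""
    return hmac.compare_digest(ssha(submitted, salt), stored_hash)

def eap_md5_check(identifier: int, challenge: bytes, response: bytes, known_good):
    """The server has to recompute the digest from a known-good password.

    Returns None when it has nothing usable, True/False otherwise.
    """
    if known_good is None:
        return None
    expected = eap_md5_response(identifier, known_good, challenge)
    return hmac.compare_digest(expected, response)

def demo() -> dict:
    # Constructed sample values, for illustration only.
    password = b"example-password"
    salt = bytes.fromhex("a1b2c3d4")
    stored_hash = ssha(password, salt)
    identifier = 7
    challenge = bytes(range(16))

    # What the peer sends back in its EAP-Response/MD5-Challenge.
    response = eap_md5_response(identifier, password, challenge)

    return {
        # PAP: a stored hash is enough to verify the user.
        "pap_with_hash": pap_check(password, stored_hash, salt),
        # EAP-MD5: with only a hash there is no known-good password to use.
        "eap_md5_hash_only": eap_md5_check(identifier, challenge, response, None),
        # Feeding the stored hash in as if it were the password does not help.
        "eap_md5_hash_as_password": eap_md5_check(identifier, challenge, response, stored_hash),
        # EAP-MD5: works once the cleartext password is available.
        "eap_md5_cleartext": eap_md5_check(identifier, challenge, response, password),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```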


