[strongSwan] eap-radius integration

Andreas Steffen andreas.steffen at strongswan.org
Mon Jan 19 05:12:04 CET 2015


Hi Steffen,

Without the actual ipsec.conf file and, if possible, a log file from the
strongSwan VPN server, it is difficult to diagnose your problem.

Best regards

Andreas Steffen

On 19.01.2015 04:09, Steffen Plotner wrote:
> Hi,
> After several days of not finding another path, I am trying to see what
> I have done wrong in terms of the eap-radius integration. It appears
> Strongswan is producing an Access-Request packet with the following
> attributes: User-name, NAS-Port-Type, Service-Type, NAS-Port,
> NAS-Port-Id, NAS-IP-Address, Called-Station-ID, Calling-Station-Id,
> EAP-Message (last segment), NAS-Identifier, Message-Authenticator.
> One of the attributes for doing MS-CHAP-v2 is not in it. I thought that
> those might be vendor specific attributes 26:311 (I have experimented
> with the forwarding of attributes ike_to_radius = 26:311 but did not
> change anything).
> I have configured the eap-radius servers in strongswan to point first to
> IAS 2003 and it fails, as it expects PEAP and cannot handle
> EAP-MS-Chap-v2. I have then pointed it to a Windows 2008 NPS server and
> it fails, with Access-Reject - looking at the packets I don't see the
> MS-CHAP-v2 Challenge attribute coming through. [Short version: the
> password is not coming through in the Access-Request when eap-radius is
> involved]
> The configuration is under IKEv2 type, I was able to bypass the radius
> stuff by simply doing a rightauth=eap-mschapv2 using a local secrets
> file. I wanted to switch to radius based authentication and
> authorization. The client is Windows 7 - I have tried both EAP-MS-CHAPv2
> and PEAP-MS-CHAPv2 with the eap-radius configuration and it did not work.
> We are using strongswan-5.2.2 on centos6. I have looked at the examples
> and just cannot get the password to come through, only the attributes I
> initially listed.
> Thank you for your help.
> Steffen
> _______________________________________________________________________________________________
> Steffen Plotner                            Amherst College
> Tel (413) 542-2348
> Systems/Network Administrator/Programmer   PO BOX 5000
> Fax (413) 542-2626
> Systems & Networking                       Amherst, MA 01002-5000
> swplotner at amherst.edu

-- 
======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Open Source VPN Solution!          www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
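
For checking a capture like the one described in the quoted message, the following added example (not part of the thread and not strongSwan code) decodes a RADIUS packet's attributes, reports the EAP code and type carried in EAP-Message (RFC 3579), and flags any Microsoft (vendor 311) Vendor-Specific attribute. The packet bytes and the user name "alice" are constructed for illustration.

```python
import struct

# Attribute numbers from RFC 2865 / RFC 3579; only those relevant here.
ATTR_NAMES = {1: "User-Name", 4: "NAS-IP-Address", 26: "Vendor-Specific",
              32: "NAS-Identifier", 79: "EAP-Message", 80: "Message-Authenticator"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 25: "PEAP", 26: "MS-CHAPv2"}

def parse_radius(packet: bytes):
    """Return (code, [(attr_type, value), ...]) for one RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("shorter than RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        attrs.append((a_type, packet[pos + 2:pos + a_len]))
        pos += a_len
    return code, attrs

def summarize(packet: bytes):
    """Summarise attribute names, MS vendor attributes and the EAP payload."""
    _code, attrs = parse_radius(packet)
    names = [ATTR_NAMES.get(t, str(t)) for t, _ in attrs]
    # A Vendor-Specific value starts with a 4-byte vendor id; 311 is Microsoft.
    has_ms_vsa = any(t == 26 and len(v) >= 4 and struct.unpack("!I", v[:4])[0] == 311 for t, v in attrs)
    # One EAP packet may be split over several EAP-Message attributes.
    eap = b"".join(v for t, v in attrs if t == 79)
    eap_info = None
    if len(eap) >= 4:
        e_code = EAP_CODES.get(eap[0], str(eap[0]))
        e_type = EAP_TYPES.get(eap[4], str(eap[4])) if eap[0] in (1, 2) and len(eap) > 4 else None
        eap_info = (e_code, e_type)
    return {"attributes": names, "ms_vsa": has_ms_vsa, "eap": eap_info}

def build_sample():
    """Constructed Access-Request: User-Name, EAP-Response/Identity, zeroed Message-Authenticator."""
    user = b"alice"
    eap = struct.pack("!BBHB", 2, 0, 5 + len(user), 1) + user
    attrs = bytes([1, 2 + len(user)]) + user + bytes([79, 2 + len(eap)]) + eap + bytes([80, 18]) + bytes(16)
    return struct.pack("!BBH", 1, 7, 20 + len(attrs)) + bytes(16) + attrs

if __name__ == "__main__":
    print(summarize(build_sample()))
```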
