[strongSwan] eap-radius integration

Steffen Plotner swplotner at amherst.edu
Mon Jan 19 16:30:59 CET 2015


Hi Andreas,

Thank you for your reply. Below is the config file:

charon {
	load_modular = yes

	plugins {
		include strongswan.d/charon/*.conf
		
		eap-radius {
			station_id_with_port = true
			
			servers {
				server-a {
					address = 172.17.203.28
					secret = zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz
					nas_identifier = nasid_vpngate
					sockets = 5
				}
			}
		}
	}
}

include strongswan.d/*.conf

Windows 7 is doing EAP-MS-CHAP-v2 (not PEAP - just plain EAP). The conn section looks like this:

conn vpnfw-ikev2
	auto=add
	keyexchange=ikev2
	type=tunnel
	
	left=148.85.1.171
	leftauth=pubkey
	leftcert=vpnfirewall-ng.pem
	leftsubnet=172.17.0.0/16
	
	right=%any
	rightsourceip=172.17.6.0/24
	rightauth=eap-radius
	eap_identity=%identity
	
The resulting log looks like this:

Jan 19 10:20:44 vpngate1 charon: 13[ENC] generating IKE_AUTH response 1 [ IDr CERT CERT CERT AUTH EAP/REQ/ID ]
Jan 19 10:20:44 vpngate1 charon: 13[NET] sending packet: from 148.85.1.171[4500] to 75.145.249.254[4500] (4900 bytes)
Jan 19 10:20:44 vpngate1 charon: 02[NET] sending packet: from 148.85.1.171[4500] to 75.145.249.254[4500]
Jan 19 10:20:44 vpngate1 charon: 15[NET] received packet: from 75.145.249.254[4500] to 148.85.1.171[4500]
Jan 19 10:20:44 vpngate1 charon: 15[NET] waiting for data on sockets
Jan 19 10:20:44 vpngate1 charon: 04[NET] received packet: from 75.145.249.254[4500] to 148.85.1.171[4500] (76 bytes)
Jan 19 10:20:44 vpngate1 charon: 04[ENC] parsed IKE_AUTH request 2 [ EAP/RES/ID ]
Jan 19 10:20:44 vpngate1 charon: 04[IKE] received EAP identity 'swplotner'
Jan 19 10:20:44 vpngate1 charon: 04[CFG] sending RADIUS Access-Request to server 'server-a'
Jan 19 10:20:45 vpngate1 charon: 04[CFG] received RADIUS Access-Reject from server 'server-a'
Jan 19 10:20:45 vpngate1 charon: 04[IKE] RADIUS authentication of 'swplotner' failed
Jan 19 10:20:45 vpngate1 charon: 04[IKE] initiating EAP_RADIUS method failed
Jan 19 10:20:45 vpngate1 charon: 04[ENC] generating IKE_AUTH response 2 [ EAP/FAIL ]
Jan 19 10:20:45 vpngate1 charon: 04[NET] sending packet: from 148.85.1.171[4500] to 75.145.249.254[4500] (68 bytes)
Jan 19 10:20:45 vpngate1 charon: 02[NET] sending packet: from 148.85.1.171[4500] to 75.145.249.254[4500]
Jan 19 10:20:45 vpngate1 charon: 04[IKE] IKE_SA vpnfw-ikev2[1] state change: CONNECTING => DESTROYING

So, the configured cert appears to work and it receives the identity 'swplotner', but the request to the radius server does not contain the MSCHAP components.

No.     Time        Source                Destination           Protocol Info
      1 0.000000    172.17.1.165          172.17.203.28         RADIUS   Access-Request(1) (id=206, l=159)

Frame 1 (201 bytes on wire, 201 bytes captured)
Ethernet II, Src: Vmware_a5:00:db (00:50:56:a5:00:db), Dst: Vmware_a5:00:74 (00:50:56:a5:00:74)
Internet Protocol, Src: 172.17.1.165 (172.17.1.165), Dst: 172.17.203.28 (172.17.203.28)
User Datagram Protocol, Src Port: 33610 (33610), Dst Port: radius (1812)
Radius Protocol
    Code: Access-Request (1)
    Packet identifier: 0xce (206)
    Length: 159
    Authenticator: E5C63C2BBF627BB5F525603BC0698AE1
    [The response to this request is in frame 2]
    Attribute Value Pairs
        AVP: l=11  t=User-Name(1): swplotner
        AVP: l=6  t=NAS-Port-Type(61): Virtual(5)
        AVP: l=6  t=Service-Type(6): Framed-User(2)
        AVP: l=6  t=NAS-Port(5): 1
        AVP: l=13  t=NAS-Port-Id(87): vpnfw-ikev2
        AVP: l=6  t=NAS-IP-Address(4): 148.85.1.171
        AVP: l=20  t=Called-Station-Id(30): 148.85.1.171[4500]
        AVP: l=22  t=Calling-Station-Id(31): 75.145.249.254[4500]
        AVP: l=16  t=EAP-Message(79) Last Segment[1]
        AVP: l=15  t=NAS-Identifier(32): nasid_vpngate
        AVP: l=18  t=Message-Authenticator(80): 6AFE310B6AB76524F1E2FDE5025BF5A2

No.     Time        Source                Destination           Protocol Info
      2 0.530112    172.17.203.28         172.17.1.165          RADIUS   Access-Reject(3) (id=206, l=44)

Frame 2 (86 bytes on wire, 86 bytes captured)
Ethernet II, Src: Vmware_a5:00:74 (00:50:56:a5:00:74), Dst: Vmware_a5:00:db (00:50:56:a5:00:db)
Internet Protocol, Src: 172.17.203.28 (172.17.203.28), Dst: 172.17.1.165 (172.17.1.165)
User Datagram Protocol, Src Port: radius (1812), Dst Port: 33610 (33610)
Radius Protocol
    Code: Access-Reject (3)
    Packet identifier: 0xce (206)
    Length: 44
    Authenticator: 6AF4DD3698491B9A474B14A44B9DE8F8
    [This is a response to a request in frame 1]
    [Time from request: 0.530112000 seconds]
    Attribute Value Pairs
        AVP: l=6  t=EAP-Message(79) Last Segment[1]
        AVP: l=18  t=Message-Authenticator(80): 06969B5F3315A5B9A695A2A712F30810

Steffen


_______________________________________________________________________________________________
Steffen Plotner                            Amherst College            Tel (413) 542-2348
Systems/Network Administrator/Programmer   PO BOX 5000                Fax (413) 542-2626
Systems & Networking                       Amherst, MA 01002-5000     swplotner at amherst.edu


> -----Original Message-----
> From: Andreas Steffen [mailto:andreas.steffen at strongswan.org]
> Sent: Sunday, January 18, 2015 11:12 PM
> To: Steffen Plotner; 'users at lists.strongswan.org'
> Subject: Re: [strongSwan] eap-radius integration
> 
> Hi Steffen,
> 
> without the actual ipsec.conf file and if possible a log file on the
> strongSwan VPN server it is difficult to diagnose your problem.
> 
> Best regards
> 
> Andreas Steffen
> 
> On 19.01.2015 04:09, Steffen Plotner wrote:
> > Hi,
> > After several days of not finding another path, I am trying to see what
> > I have done wrong in terms of the eap-radius integration. It appears
> > Strongswan is producing an Access-Request packet with the following
> > attributes: User-name, NAS-Port-Type, Service-Type, NAS-Port,
> > NAS-Port-Id, NAS-IP-Address, Called-Station-ID, Calling-Station-Id,
> > EAP-Message (last segment), NAS-Identifier, Message-Authenticator.
> > One of the attributes for doing MS-CHAP-v2 is not in it. I thought that
> > those might be vendor specific attributes 26:311 (I have experimented
> > with the forwarding of attributes ike_to_radius = 26:311 but did not
> > change anything).
> > I have configured the eap-radius servers in strongswan to point first to
> > IAS 2003 and it fails, as it expects PEAP and cannot handle
> > EAP-MS-Chap-v2. I have then pointed it to a Windows 2008 NPS server and
> > it fails, with Access-Reject - looking at the packets I don't see the
> > MS-CHAP-v2 Challenge attribute coming through. [Short version: the
> > password is not coming through in the Access-Request when eap-radius is
> > involved]
> > The configuration is under IKEv2 type, I was able to bypass the radius
> > stuff by simply doing a rightauth=eap-mschapv2 using a local secrets
> > file. I wanted to switch to radius based authentication and
> > authorization. The client is windows 7 - I have tried both EAP-MS-CHAPv2
> > and PEAP-MS-CHAPv2 with the eap-radius configuration and it did not work.
> > We are using strongswan-5.2.2 on centos6. I have looked at the examples
> > and just cannot get the password to come through, only the attributes I
> > initially listed.
> > Thank you for your help.
> > Steffen
> >
> 
> --
> ======================================================================
> Andreas Steffen                         andreas.steffen at strongswan.org
> strongSwan - the Open Source VPN Solution!          www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==
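As an added example (not code from the post or from strongSwan), the Access-Request decoded above is rebuilt byte for byte in Python, parsed back, and its EAP-Message verified and decoded: the only EAP content is a Response/Identity carrying 'swplotner', because with eap-radius the RADIUS server runs EAP-MSCHAPv2 itself through Access-Challenge rounds, so no password or MS-CHAP attribute can appear in this first request, and an immediate Access-Reject means the server declined before starting that exchange. The shared secret is a placeholder for the redacted one, so the Message-Authenticator value differs from the capture.

```python
import hashlib, hmac, struct

# Rebuilt from the AVPs in the Access-Request decode above (constructed bytes).
# The shared secret is a placeholder, so the Message-Authenticator differs.
SECRET = b"placeholder-shared-secret"
REQ_AUTH = bytes.fromhex("E5C63C2BBF627BB5F525603BC0698AE1")
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}

def avp(t, value):  # one RADIUS attribute: type, length (header incl.), value
    return bytes([t, 2 + len(value)]) + value

def build_access_request(identity=b"swplotner"):
    """Frame 1: the only EAP payload is an EAP Response/Identity (type 1)."""
    eap = struct.pack("!BBHB", 2, 1, 5 + len(identity), 1) + identity
    attrs = (avp(1, identity) + avp(61, struct.pack("!I", 5))
             + avp(6, struct.pack("!I", 2)) + avp(5, struct.pack("!I", 1))
             + avp(87, b"vpnfw-ikev2") + avp(4, bytes([148, 85, 1, 171]))
             + avp(30, b"148.85.1.171[4500]") + avp(31, b"75.145.249.254[4500]")
             + avp(79, eap) + avp(32, b"nasid_vpngate") + avp(80, bytes(16)))
    pkt = struct.pack("!BBH", 1, 206, 20 + len(attrs)) + REQ_AUTH + attrs
    # RFC 2869 5.14: HMAC-MD5(secret, packet with Message-Authenticator zeroed)
    return pkt[:-16] + hmac.new(SECRET, pkt, hashlib.md5).digest()

def parse_attrs(pkt):
    """Walk the attribute list; returns [(type, value)] and the MA value offset."""
    attrs, ma_off, pos = [], None, 20
    while pos + 1 < len(pkt) and pkt[pos + 1] >= 2:  # malformed length stops the walk
        t, l = pkt[pos], pkt[pos + 1]
        if t == 80:
            ma_off = pos + 2
        attrs.append((t, pkt[pos + 2:pos + l]))
        pos += l
    return attrs, ma_off

def verify_message_authenticator(pkt, secret):
    """Recompute the HMAC over the packet with the MA field zeroed."""
    _, off = parse_attrs(pkt)
    if off is None:
        return False
    zeroed = pkt[:off] + bytes(16) + pkt[off + 16:]
    return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), pkt[off:off + 16])

def decode_eap(pkt):
    """Join EAP-Message(79) fragments and decode the EAP header (RFC 3748)."""
    data = b"".join(v for t, v in parse_attrs(pkt)[0] if t == 79)
    code, eap_id, length = struct.unpack("!BBH", data[:4])
    info = {"code": EAP_CODES.get(code, code), "id": eap_id}
    if code in (1, 2):  # only Request/Response carry a type byte and data
        info["type"], info["data"] = data[4], data[5:length]
    return info
```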
