[strongSwan] eap-radius integration
Steffen Plotner
swplotner at amherst.edu
Mon Jan 19 16:30:59 CET 2015
Hi Andreas,
Thank you for your reply. Below is the config file
charon {
    load_modular = yes
    plugins {
        include strongswan.d/charon/*.conf
        eap-radius {
            station_id_with_port = true
            servers {
                server-a {
                    address = 172.17.203.28
                    secret = zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz
                    nas_identifier = nasid_vpngate
                    sockets = 5
                }
            }
        }
    }
}
include strongswan.d/*.conf
Windows 7 is doing EAP-MS-CHAP-v2 (not PEAP - just plain EAP). The conn section looks like this:
conn vpnfw-ikev2
    auto=add
    keyexchange=ikev2
    type=tunnel
    left=148.85.1.171
    leftauth=pubkey
    leftcert=vpnfirewall-ng.pem
    leftsubnet=172.17.0.0/16
    right=%any
    rightsourceip=172.17.6.0/24
    rightauth=eap-radius
    eap_identity=%identity
The resulting log looks like this:
Jan 19 10:20:44 vpngate1 charon: 13[ENC] generating IKE_AUTH response 1 [ IDr CERT CERT CERT AUTH EAP/REQ/ID ]
Jan 19 10:20:44 vpngate1 charon: 13[NET] sending packet: from 148.85.1.171[4500] to 75.145.249.254[4500] (4900 bytes)
Jan 19 10:20:44 vpngate1 charon: 02[NET] sending packet: from 148.85.1.171[4500] to 75.145.249.254[4500]
Jan 19 10:20:44 vpngate1 charon: 15[NET] received packet: from 75.145.249.254[4500] to 148.85.1.171[4500]
Jan 19 10:20:44 vpngate1 charon: 15[NET] waiting for data on sockets
Jan 19 10:20:44 vpngate1 charon: 04[NET] received packet: from 75.145.249.254[4500] to 148.85.1.171[4500] (76 bytes)
Jan 19 10:20:44 vpngate1 charon: 04[ENC] parsed IKE_AUTH request 2 [ EAP/RES/ID ]
Jan 19 10:20:44 vpngate1 charon: 04[IKE] received EAP identity 'swplotner'
Jan 19 10:20:44 vpngate1 charon: 04[CFG] sending RADIUS Access-Request to server 'server-a'
Jan 19 10:20:45 vpngate1 charon: 04[CFG] received RADIUS Access-Reject from server 'server-a'
Jan 19 10:20:45 vpngate1 charon: 04[IKE] RADIUS authentication of 'swplotner' failed
Jan 19 10:20:45 vpngate1 charon: 04[IKE] initiating EAP_RADIUS method failed
Jan 19 10:20:45 vpngate1 charon: 04[ENC] generating IKE_AUTH response 2 [ EAP/FAIL ]
Jan 19 10:20:45 vpngate1 charon: 04[NET] sending packet: from 148.85.1.171[4500] to 75.145.249.254[4500] (68 bytes)
Jan 19 10:20:45 vpngate1 charon: 02[NET] sending packet: from 148.85.1.171[4500] to 75.145.249.254[4500]
Jan 19 10:20:45 vpngate1 charon: 04[IKE] IKE_SA vpnfw-ikev2[1] state change: CONNECTING => DESTROYING
So the configured cert appears to work and it receives the identity 'swplotner', but the request to the RADIUS server does not contain the MSCHAP components.
No. Time Source Destination Protocol Info
1 0.000000 172.17.1.165 172.17.203.28 RADIUS Access-Request(1) (id=206, l=159)
Frame 1 (201 bytes on wire, 201 bytes captured)
Ethernet II, Src: Vmware_a5:00:db (00:50:56:a5:00:db), Dst: Vmware_a5:00:74 (00:50:56:a5:00:74)
Internet Protocol, Src: 172.17.1.165 (172.17.1.165), Dst: 172.17.203.28 (172.17.203.28)
User Datagram Protocol, Src Port: 33610 (33610), Dst Port: radius (1812)
Radius Protocol
Code: Access-Request (1)
Packet identifier: 0xce (206)
Length: 159
Authenticator: E5C63C2BBF627BB5F525603BC0698AE1
[The response to this request is in frame 2]
Attribute Value Pairs
AVP: l=11 t=User-Name(1): swplotner
AVP: l=6 t=NAS-Port-Type(61): Virtual(5)
AVP: l=6 t=Service-Type(6): Framed-User(2)
AVP: l=6 t=NAS-Port(5): 1
AVP: l=13 t=NAS-Port-Id(87): vpnfw-ikev2
AVP: l=6 t=NAS-IP-Address(4): 148.85.1.171
AVP: l=20 t=Called-Station-Id(30): 148.85.1.171[4500]
AVP: l=22 t=Calling-Station-Id(31): 75.145.249.254[4500]
AVP: l=16 t=EAP-Message(79) Last Segment[1]
AVP: l=15 t=NAS-Identifier(32): nasid_vpngate
AVP: l=18 t=Message-Authenticator(80): 6AFE310B6AB76524F1E2FDE5025BF5A2
No. Time Source Destination Protocol Info
2 0.530112 172.17.203.28 172.17.1.165 RADIUS Access-Reject(3) (id=206, l=44)
Frame 2 (86 bytes on wire, 86 bytes captured)
Ethernet II, Src: Vmware_a5:00:74 (00:50:56:a5:00:74), Dst: Vmware_a5:00:db (00:50:56:a5:00:db)
Internet Protocol, Src: 172.17.203.28 (172.17.203.28), Dst: 172.17.1.165 (172.17.1.165)
User Datagram Protocol, Src Port: radius (1812), Dst Port: 33610 (33610)
Radius Protocol
Code: Access-Reject (3)
Packet identifier: 0xce (206)
Length: 44
Authenticator: 6AF4DD3698491B9A474B14A44B9DE8F8
[This is a response to a request in frame 1]
[Time from request: 0.530112000 seconds]
Attribute Value Pairs
AVP: l=6 t=EAP-Message(79) Last Segment[1]
AVP: l=18 t=Message-Authenticator(80): 06969B5F3315A5B9A695A2A712F30810
Steffen
_______________________________________________________________________________________________
Steffen Plotner Amherst College Tel (413) 542-2348
Systems/Network Administrator/Programmer PO BOX 5000 Fax (413) 542-2626
Systems & Networking Amherst, MA 01002-5000 swplotner at amherst.edu
> -----Original Message-----
> From: Andreas Steffen [mailto:andreas.steffen at strongswan.org]
> Sent: Sunday, January 18, 2015 11:12 PM
> To: Steffen Plotner; 'users at lists.strongswan.org'
> Subject: Re: [strongSwan] eap-radius integration
>
> Hi Steffen,
>
> without the actual ipsec.conf file and if possible a log file on the
> strongSwan VPN server it is difficult to diagnose your problem.
>
> Best regards
>
> Andreas Steffen
>
> On 19.01.2015 04:09, Steffen Plotner wrote:
> > Hi,
> > After several days of not finding another path, I am trying to see what
> > I have done wrong in terms of the eap-radius integration. It appears
> > Strongswan is producing an Access-Request packet with the following
> > attributes: User-name, NAS-Port-Type, Service-Type, NAS-Port,
> > NAS-Port-Id, NAS-IP-Address, Called-Station-ID, Calling-Station-Id,
> > EAP-Message (last segment), NAS-Identifier, Message-Authenticator.
> > One of the attributes for doing MS-CHAP-v2 is not in it. I thought that
> > those might be vendor specific attributes 26:311 (I have experimented
> > with the forwarding of attributes ike_to_radius = 26:311 but did not
> > change anything).
> > I have configured the eap-radius servers in strongswan to point first to
> > IAS 2003 and it fails, as it expects PEAP and cannot handle
> > EAP-MS-Chap-v2. I have then pointed it to a Windows 2008 NPS server and
> > it fails, with Access-Reject - looking at the packets I don't see the
> > MS-CHAP-v2 Challenge attribute coming through. [Short version: the
> > password is not coming through in the Access-Request when eap-radius is
> > involved]
> > The configuration is under IKEv2 type, I was able to bypass the radius
> > stuff by simply doing a rightauth=eap-mschapv2 using a local secrets
> > file. I wanted to switch to radius based authentication and
> > authorization. The client is windows 7 - I have tried both EAP-MS-CHAPv2
> > and PEAP-MS-CHAPv2 with the eap-radius configuration and it did not work.
> > We are using strongswan-5.2.2 on centos6. I have looked at the examples
> > and just cannot get the password to come through, only the attributes I
> > initially listed.
> > Thank you for your help.
> > Steffen
> >
> > _______________________________________________________________________________________________
> > Steffen Plotner Amherst College
> > Tel (413) 542-2348
> > Systems/Network Administrator/Programmer PO BOX 5000
> > Fax (413) 542-2626
> > Systems & Networking Amherst, MA 01002-5000
> > swplotner at amherst.edu
> >
> >
> > _______________________________________________
> > Users mailing list
> > Users at lists.strongswan.org
> > https://lists.strongswan.org/mailman/listinfo/users
> >
>
> --
> ======================================================================
> Andreas Steffen andreas.steffen at strongswan.org
> strongSwan - the Open Source VPN Solution! www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==
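As an added example (not part of this thread and not strongSwan code), a small Python decoder for the Access-Request shown in frame 1 above. It rebuilds a packet with the same attributes, in the same order, as the capture (the shared secret and Request Authenticator are made up, since the real ones are not on the page), lists the attributes, decodes the EAP payload carried in EAP-Message, and verifies the Message-Authenticator (the RFC 3579 HMAC-MD5 over the packet with that attribute zeroed). A 14-byte EAP-Message carrying the string 'swplotner' can only be an EAP-Response/Identity: with EAP over RADIUS, the MS-CHAPv2 challenge and response travel in later EAP-Message attributes, inside the Access-Challenge / Access-Request round trips the RADIUS server drives, not as MS-CHAP vendor attributes in the first request. An Access-Reject answering the Identity response therefore means the server declined before any MS-CHAPv2 round started.

```python
import hashlib
import hmac
import struct

RADIUS_CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
                11: "Access-Challenge"}
ATTR_NAMES = {1: "User-Name", 4: "NAS-IP-Address", 5: "NAS-Port", 6: "Service-Type",
              30: "Called-Station-Id", 31: "Calling-Station-Id", 32: "NAS-Identifier",
              61: "NAS-Port-Type", 79: "EAP-Message", 80: "Message-Authenticator",
              87: "NAS-Port-Id"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 25: "PEAP", 26: "MS-CHAPv2"}
EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 79, 80

def avp(attr_type, value):
    """Encode one attribute-value pair: Type(1) Length(1) Value."""
    return bytes([attr_type, 2 + len(value)]) + value

def eap_response_identity(eap_id, identity):
    """EAP-Response/Identity: Code=2, Id, Length, Type=1, identity bytes."""
    data = identity.encode()
    return struct.pack("!BBHB", 2, eap_id, 5 + len(data), 1) + data

def build_access_request(ident, authenticator, secret, attrs):
    """Serialize an Access-Request and append a valid Message-Authenticator:
    HMAC-MD5 over the whole packet with the attribute's value zeroed (RFC 3579)."""
    body = b"".join(avp(t, v) for t, v in attrs) + avp(MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", 1, ident, 20 + len(body)) + authenticator
    mac = hmac.new(secret, header + body, hashlib.md5).digest()
    return header + body[:-16] + mac

def parse_radius(pkt):
    """Split a RADIUS packet into header fields and a list of (type, value) AVPs."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or length < 20:
        raise ValueError("RADIUS length field does not match the packet")
    avps, off = [], 20
    while off < length:
        t, l = pkt[off], pkt[off + 1]
        if l < 2 or off + l > length:
            raise ValueError("malformed AVP")
        avps.append((t, pkt[off + 2:off + l]))
        off += l
    return {"code": RADIUS_CODES.get(code, code), "id": ident, "length": length,
            "authenticator": pkt[4:20], "avps": avps}

def verify_message_authenticator(pkt, secret):
    """Recompute the HMAC with the Message-Authenticator value zeroed in place."""
    off = 20
    while off < len(pkt):
        t, l = pkt[off], pkt[off + 1]
        if t == MESSAGE_AUTHENTICATOR and l == 18:
            zeroed = pkt[:off + 2] + bytes(16) + pkt[off + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, pkt[off + 2:off + 18])
        off += l
    return False  # attribute missing: required whenever EAP-Message is present

def decode_eap(parsed):
    """Reassemble EAP-Message fragments and decode the EAP header they carry."""
    eap = b"".join(v for t, v in parsed["avps"] if t == EAP_MESSAGE)
    if len(eap) < 4:
        return None
    code, eap_id, length = struct.unpack("!BBH", eap[:4])
    out = {"code": EAP_CODES.get(code, code), "id": eap_id, "length": length}
    if code in (1, 2):  # only Request/Response carry a Type byte
        out["type"] = EAP_TYPES.get(eap[4], eap[4])
        out["data"] = eap[5:length]
    return out

def summarize(pkt, secret):
    parsed = parse_radius(pkt)
    return {"code": parsed["code"], "id": parsed["id"], "length": parsed["length"],
            "attrs": [ATTR_NAMES.get(t, t) for t, _ in parsed["avps"]],
            "eap": decode_eap(parsed),
            "message_authenticator_ok": verify_message_authenticator(pkt, secret)}

# Constructed sample mirroring frame 1 of the capture; secret and authenticator are placeholders.
SECRET = b"constructed-shared-secret"
AUTHENTICATOR = bytes(range(16))
SAMPLE_ATTRS = [
    (1, b"swplotner"),
    (61, struct.pack("!I", 5)),   # NAS-Port-Type = Virtual
    (6, struct.pack("!I", 2)),    # Service-Type = Framed-User
    (5, struct.pack("!I", 1)),    # NAS-Port
    (87, b"vpnfw-ikev2"),
    (4, bytes([148, 85, 1, 171])),
    (30, b"148.85.1.171[4500]"),
    (31, b"75.145.249.254[4500]"),
    (EAP_MESSAGE, eap_response_identity(1, "swplotner")),
    (32, b"nasid_vpngate"),
]
SAMPLE_REQUEST = build_access_request(0xCE, AUTHENTICATOR, SECRET, SAMPLE_ATTRS)

if __name__ == "__main__":
    import pprint
    pprint.pprint(summarize(SAMPLE_REQUEST, SECRET))
```

The constructed packet comes out at 159 bytes, the same length Wireshark reports for frame 1, which is a quick sanity check that the attribute list in the capture is complete. To run this against a real trace, export the UDP payload of the Access-Request from Wireshark and pass those bytes plus the configured shared secret to summarize().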