[strongSwan] eap-radius integration

Steffen Plotner swplotner at amherst.edu
Mon Jan 19 17:38:13 CET 2015


Hi,

Well, I figured it out - on the NPS Windows 2008 server, the "Network Policy" "Network connection method" must be specified as type "Unspecified" to support the radius Access-Challenge expected response for strongswan to continue the conversation and eventually be authenticated.

I apologize for not realizing this. There are a lot of knobs/knöpfe one can change...

Steffen

_______________________________________________________________________________________________
Steffen Plotner                            Amherst College            Tel (413) 542-2348
Systems/Network Administrator/Programmer   PO BOX 5000                Fax (413) 542-2626
Systems & Networking                       Amherst, MA 01002-5000     swplotner at amherst.edu


> -----Original Message-----
> From: Steffen Plotner
> Sent: Monday, January 19, 2015 10:31 AM
> To: 'Andreas Steffen'; 'users at lists.strongswan.org'
> Subject: RE: [strongSwan] eap-radius integration
> 
> Hi Andreas,
> 
> Thank you for your reply. Below is the config file
> 
> charon {
> 	load_modular = yes
> 
> 	plugins {
> 		include strongswan.d/charon/*.conf
> 
> 		eap-radius {
> 			station_id_with_port = true
> 
> 			servers {
> 				server-a {
> 					address = 172.17.203.28
> 					secret = zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz
> 					nas_identifier = nasid_vpngate
> 					sockets = 5
> 				}
> 			}
> 		}
> 	}
> }
> 
> include strongswan.d/*.conf
> 
> Windows 7 is doing EAP-MS-CHAP-v2 (not PEAP - just plain EAP). The conn
> section looks like this:
> 
> conn vpnfw-ikev2
> 	auto=add
> 	keyexchange=ikev2
> 	type=tunnel
> 
> 	left=148.85.1.171
> 	leftauth=pubkey
> 	leftcert=vpnfirewall-ng.pem
> 	leftsubnet=172.17.0.0/16
> 
> 	right=%any
> 	rightsourceip=172.17.6.0/24
> 	rightauth=eap-radius
> 	eap_identity=%identity
> 
> The resulting log looks like this:
> Jan 19 10:20:44 vpngate1 charon: 13[ENC] generating IKE_AUTH response 1
> [ IDr CERT CERT CERT AUTH EAP/REQ/ID ]
> Jan 19 10:20:44 vpngate1 charon: 13[NET] sending packet: from
> 148.85.1.171[4500] to 75.145.249.254[4500] (4900 bytes)
> Jan 19 10:20:44 vpngate1 charon: 02[NET] sending packet: from
> 148.85.1.171[4500] to 75.145.249.254[4500]
> Jan 19 10:20:44 vpngate1 charon: 15[NET] received packet: from
> 75.145.249.254[4500] to 148.85.1.171[4500]
> Jan 19 10:20:44 vpngate1 charon: 15[NET] waiting for data on sockets
> Jan 19 10:20:44 vpngate1 charon: 04[NET] received packet: from
> 75.145.249.254[4500] to 148.85.1.171[4500] (76 bytes)
> Jan 19 10:20:44 vpngate1 charon: 04[ENC] parsed IKE_AUTH request 2 [
> EAP/RES/ID ]
> Jan 19 10:20:44 vpngate1 charon: 04[IKE] received EAP identity
> 'swplotner'
> Jan 19 10:20:44 vpngate1 charon: 04[CFG] sending RADIUS Access-Request
> to server 'server-a'
> Jan 19 10:20:45 vpngate1 charon: 04[CFG] received RADIUS Access-Reject
> from server 'server-a'
> Jan 19 10:20:45 vpngate1 charon: 04[IKE] RADIUS authentication of
> 'swplotner' failed
> Jan 19 10:20:45 vpngate1 charon: 04[IKE] initiating EAP_RADIUS method
> failed
> Jan 19 10:20:45 vpngate1 charon: 04[ENC] generating IKE_AUTH response 2
> [ EAP/FAIL ]
> Jan 19 10:20:45 vpngate1 charon: 04[NET] sending packet: from
> 148.85.1.171[4500] to 75.145.249.254[4500] (68 bytes)
> Jan 19 10:20:45 vpngate1 charon: 02[NET] sending packet: from
> 148.85.1.171[4500] to 75.145.249.254[4500]
> Jan 19 10:20:45 vpngate1 charon: 04[IKE] IKE_SA vpnfw-ikev2[1] state
> change: CONNECTING => DESTROYING
> 
> So, the configured cert appears to work, it receives the identity of
> 'swplotner', the request to the radius server does not contain the
> MSCHAP components.
> 
> No.     Time        Source                Destination           Protocol  Info
>       1 0.000000    172.17.1.165          172.17.203.28         RADIUS    Access-Request(1) (id=206, l=159)
> 
> Frame 1 (201 bytes on wire, 201 bytes captured)
> Ethernet II, Src: Vmware_a5:00:db (00:50:56:a5:00:db), Dst:
> Vmware_a5:00:74 (00:50:56:a5:00:74)
> Internet Protocol, Src: 172.17.1.165 (172.17.1.165), Dst: 172.17.203.28
> (172.17.203.28)
> User Datagram Protocol, Src Port: 33610 (33610), Dst Port: radius (1812)
> Radius Protocol
>     Code: Access-Request (1)
>     Packet identifier: 0xce (206)
>     Length: 159
>     Authenticator: E5C63C2BBF627BB5F525603BC0698AE1
>     [The response to this request is in frame 2]
>     Attribute Value Pairs
>         AVP: l=11  t=User-Name(1): swplotner
>         AVP: l=6  t=NAS-Port-Type(61): Virtual(5)
>         AVP: l=6  t=Service-Type(6): Framed-User(2)
>         AVP: l=6  t=NAS-Port(5): 1
>         AVP: l=13  t=NAS-Port-Id(87): vpnfw-ikev2
>         AVP: l=6  t=NAS-IP-Address(4): 148.85.1.171
>         AVP: l=20  t=Called-Station-Id(30): 148.85.1.171[4500]
>         AVP: l=22  t=Calling-Station-Id(31): 75.145.249.254[4500]
>         AVP: l=16  t=EAP-Message(79) Last Segment[1]
>         AVP: l=15  t=NAS-Identifier(32): nasid_vpngate
>         AVP: l=18  t=Message-Authenticator(80):
> 6AFE310B6AB76524F1E2FDE5025BF5A2
> 
> No.     Time        Source                Destination           Protocol  Info
>       2 0.530112    172.17.203.28         172.17.1.165          RADIUS    Access-Reject(3) (id=206, l=44)
> 
> Frame 2 (86 bytes on wire, 86 bytes captured)
> Ethernet II, Src: Vmware_a5:00:74 (00:50:56:a5:00:74), Dst:
> Vmware_a5:00:db (00:50:56:a5:00:db)
> Internet Protocol, Src: 172.17.203.28 (172.17.203.28), Dst: 172.17.1.165
> (172.17.1.165)
> User Datagram Protocol, Src Port: radius (1812), Dst Port: 33610 (33610)
> Radius Protocol
>     Code: Access-Reject (3)
>     Packet identifier: 0xce (206)
>     Length: 44
>     Authenticator: 6AF4DD3698491B9A474B14A44B9DE8F8
>     [This is a response to a request in frame 1]
>     [Time from request: 0.530112000 seconds]
>     Attribute Value Pairs
>         AVP: l=6  t=EAP-Message(79) Last Segment[1]
>         AVP: l=18  t=Message-Authenticator(80):
> 06969B5F3315A5B9A695A2A712F30810
> 
> Steffen
> 
> 
> 
> 
> > -----Original Message-----
> > From: Andreas Steffen [mailto:andreas.steffen at strongswan.org]
> > Sent: Sunday, January 18, 2015 11:12 PM
> > To: Steffen Plotner; 'users at lists.strongswan.org'
> > Subject: Re: [strongSwan] eap-radius integration
> >
> > Hi Steffen,
> >
> > without the actual ipsec.conf file and if possible a log file on the
> > strongSwan VPN server it is difficult to diagnose your problem.
> >
> > Best regards
> >
> > Andreas Steffen
> >
> > On 19.01.2015 04:09, Steffen Plotner wrote:
> > > Hi,
> > > After several days of not finding another path, I am trying to see
> > > what I have done wrong in terms of the eap-radius integration. It appears
> > > Strongswan is producing an Access-Request packet with the following
> > > attributes: User-name, NAS-Port-Type, Service-Type, NAS-Port,
> > > NAS-Port-Id, NAS-IP-Address, Called-Station-ID, Calling-Station-Id,
> > > EAP-Message (last segment), NAS-Identifier, Message-Authenticator.
> > > One of the attributes for doing MS-CHAP-v2 is not in it. I thought
> > > that those might be vendor specific attributes 26:311 (I have
> > > experimented with the forwarding of attributes ike_to_radius = 26:311
> > > but did not change anything).
> > > I have configured the eap-radius servers in strongswan to point first
> > > to IAS 2003 and it fails, as it expects PEAP and cannot handle
> > > EAP-MS-Chap-v2. I have then pointed it to a Windows 2008 NPS server
> > > and it fails, with Access-Reject - looking at the packets I don't see
> > > the MS-CHAP-v2 Challenge attribute coming through. [Short version: the
> > > password is not coming through in the Access-Request when eap-radius
> > > is involved]
> > > The configuration is under IKEv2 type, I was able to bypass the radius
> > > stuff by simply doing a rightauth=eap-mschapv2 using a local secrets
> > > file. I wanted to switch to radius based authentication and
> > > authorization. The client is windows 7 - I have tried both
> > > EAP-MS-CHAPv2 and PEAP-MS-CHAPv2 with the eap-radius configuration and
> > > it did not work.
> > > We are using strongswan-5.2.2 on centos6. I have looked at the
> > > examples and just cannot get the password to come through, only the
> > > attributes I initially listed.
> > > Thank you for your help.
> > > Steffen
> > >
> >
> > >
> > >
> > >
> >
> > --
> > ======================================================================
> > Andreas Steffen                         andreas.steffen at strongswan.org
> > strongSwan - the Open Source VPN Solution!          www.strongswan.org
> > Institute for Internet Technologies and Applications
> > University of Applied Sciences Rapperswil
> > CH-8640 Rapperswil (Switzerland)
> > ===========================================================[ITA-HSR]==
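The capture above shows an Access-Request whose only EAP content is the EAP Response/Identity, answered by an Access-Reject. The following is an added example, written for this thread and not code from the list, from strongSwan or from Microsoft NPS. It builds a RADIUS exchange of the same shape with Python's standard library, then checks the two things a reviewer of such a capture would want verified before trusting it: that the Message-Authenticator on the request is valid (RFC 3579, HMAC-MD5 with the shared secret), and that the Response Authenticator and Message-Authenticator on the reply are bound to that request. The shared secret, the Request Authenticator and the packet bytes are constructed here; only the identity, NAS-Identifier and packet id are taken from the thread. The reply classifier encodes the point of the thread's resolution: a first-round Access-Reject means the server refused before issuing any EAP challenge, while an Access-Challenge is what continues the EAP-MSCHAPv2 conversation.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, NAS_IDENTIFIER, NAS_PORT_TYPE = 1, 32, 61
EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 79, 80
EAP_RESPONSE, EAP_FAILURE, EAP_TYPE_IDENTITY = 2, 4, 1


def encode_avps(avps):
    """Encode (type, value) pairs as RADIUS TLVs: 1-byte type, 1-byte total length."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in avps)


def decode_avps(data):
    """Walk the attribute area; reject lengths that would run off the packet."""
    avps, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute at offset %d" % i)
        avps.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return avps


def build_access_request(secret, ident, request_auth, avps):
    """Message-Authenticator = HMAC-MD5(secret, packet with that attribute zeroed)."""
    body = encode_avps(avps + [(MESSAGE_AUTHENTICATOR, bytes(16))])
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + request_auth + body
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()


def build_reply(secret, code, ident, request_auth, avps):
    """Reply MA is keyed over the packet with the *request* authenticator in the
    header; the Response Authenticator is MD5(header | ReqAuth | attrs | secret)."""
    body = encode_avps(avps + [(MESSAGE_AUTHENTICATOR, bytes(16))])
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    body = body[:-16] + hmac.new(secret, header + request_auth + body, hashlib.md5).digest()
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body


def verify_message_authenticator(secret, pkt, request_auth=None):
    """True only if a well-formed Message-Authenticator is present and matches;
    for replies, pass the Request Authenticator (it replaces the header field)."""
    auth_field = pkt[4:20] if request_auth is None else request_auth
    i = 20
    while i + 2 <= len(pkt):
        t, l = pkt[i], pkt[i + 1]
        if l < 2 or i + l > len(pkt):
            return False
        if t == MESSAGE_AUTHENTICATOR and l == 18:
            zeroed = pkt[:4] + auth_field + pkt[20:i + 2] + bytes(16) + pkt[i + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, pkt[i + 2:i + 18])
        i += l
    return False  # absent: RFC 3579 requires dropping packets carrying EAP-Message


def verify_response_authenticator(secret, reply, request_auth):
    expected = hashlib.md5(reply[:4] + request_auth + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])


def decode_eap(avps):
    """Reassemble EAP-Message fragments and return (code, id, type, payload)."""
    eap = b"".join(v for t, v in avps if t == EAP_MESSAGE)
    code, eid, length = struct.unpack("!BBH", eap[:4])
    if length != len(eap):
        raise ValueError("EAP length field does not match reassembled data")
    return code, eid, (eap[4] if length > 4 else None), eap[5:]


def classify_reply(code):
    return {ACCESS_CHALLENGE: "EAP conversation continues (expected after Identity)",
            ACCESS_REJECT: "server refused before issuing an EAP challenge",
            ACCESS_ACCEPT: "authentication complete"}.get(code, "unexpected code")


def demo(secret=b"constructed-shared-secret"):
    """Round trip modelled on the thread's capture: an EAP Response/Identity inside
    an Access-Request, answered by an Access-Reject carrying an EAP Failure."""
    identity = b"swplotner"  # identity shown in the thread's log
    eap = struct.pack("!BBHB", EAP_RESPONSE, 1, 5 + len(identity), EAP_TYPE_IDENTITY) + identity
    req_auth = os.urandom(16)  # constructed Request Authenticator
    request = build_access_request(secret, 206, req_auth, [
        (USER_NAME, identity), (NAS_PORT_TYPE, struct.pack("!I", 5)),  # 5 = Virtual
        (EAP_MESSAGE, eap), (NAS_IDENTIFIER, b"nasid_vpngate")])
    reply = build_reply(secret, ACCESS_REJECT, 206, req_auth,
                        [(EAP_MESSAGE, struct.pack("!BBH", EAP_FAILURE, 1, 4))])
    tampered = bytearray(request)
    tampered[22] ^= 0x01  # flip the first byte of the User-Name value
    return {
        "request_ma_ok": verify_message_authenticator(secret, request),
        "tampered_ma_ok": verify_message_authenticator(secret, bytes(tampered)),
        "eap": decode_eap(decode_avps(request[20:])),
        "reply_code": reply[0],
        "reply_auth_ok": verify_response_authenticator(secret, reply, req_auth),
        "reply_ma_ok": verify_message_authenticator(secret, reply, req_auth),
        "verdict": classify_reply(reply[0]),
    }
```

Running `demo()` returns the decoded EAP tuple `(2, 1, 1, b'swplotner')`, i.e. an EAP Response (code 2) of type Identity (type 1), which is all a pass-through NAS can send in the first round: in EAP-MSCHAPv2 the challenge and the password-derived response only appear in later Access-Challenge/Access-Request rounds inside EAP-Message, so the absence of MS-CHAP (26:311) attributes in frame 1 is normal. The tampered copy fails the Message-Authenticator check, which is the reason an EAP-capable RADIUS server must verify that attribute before acting on a request.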