[strongSwan] IKEv2 with eap-radius does not work.
Tobias Brunner
tobias at strongswan.org
Mon Mar 27 11:55:47 CEST 2017
Hi,
> Thank you for your kind answer.
>
> Yes, I think so,
> Limit is not the cause.
>
> I have changed “max_attributes” to 300 at radiusd.conf.
> No difference.
>
> I also disabled proxy request.
>
> #proxy_requests = yes
> #$INCLUDE proxy.conf
>
> (I do not know what the proxy_requests does)
>
> But Error message is same.
>
> This is /var/log/radius.log
>
> Mon Mar 27 18:05:29 2017 : Warning: [/etc/freeradius/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay-USec" found in filter list for realm "DEFAULT".
> Mon Mar 27 18:05:29 2017 : Info: Loaded virtual server <default>
> Mon Mar 27 18:05:29 2017 : Warning: Ignoring "sql" (see raddb/mods-available/README.rst)
> Mon Mar 27 18:05:29 2017 : Warning: Ignoring "ldap" (see raddb/mods-available/README.rst)
> Mon Mar 27 18:05:29 2017 : Info: # Skipping contents of 'if' as it is always 'false' -- /etc/freeradius/sites-enabled/inner-tunnel:330
> Mon Mar 27 18:05:29 2017 : Info: Loaded virtual server inner-tunnel
> Mon Mar 27 18:05:29 2017 : Info: Loaded virtual server default
> Mon Mar 27 18:05:29 2017 : Info: Ready to process requests
> Mon Mar 27 18:05:34 2017 : Info: Dropping packet without response because of error: Possible DoS attack from host 127.0.0.1: Too many attributes in request (received 301, max 300 are allowed).
> ...
You still have a loop somewhere. Attributes get added and the message
replayed until the limit is exceeded (now just 300 instead of 200). Try
running FreeRADIUS in debug mode (-X). Maybe the log will tell you why
it resends the message to itself.
> I imagine there are some misconfiguration.
>
> But I can not know which configuration is wrong, charon or radius?
Most likely FreeRADIUS.
> This is my radiusd.conf
> (I have not changed except max_attributes and proxy_requests )
>
> prefix = /usr
> exec_prefix = /usr
> sysconfdir = /etc
> localstatedir = /var
> sbindir = ${exec_prefix}/sbin
> logdir = /var/log/freeradius
> raddbdir = /etc/freeradius
> radacctdir = ${logdir}/radacct
> name = freeradius
> confdir = ${raddbdir}
> modconfdir = ${confdir}/mods-config
> certdir = ${confdir}/certs
> cadir = ${confdir}/certs
> run_dir = ${localstatedir}/run/${name}
> db_dir = ${raddbdir}
> libdir = /usr/lib/freeradius
> pidfile = ${run_dir}/${name}.pid
> correct_escapes = true
> max_request_time = 30
> cleanup_delay = 5
> max_requests = 16384
> hostname_lookups = no
> log {
>     destination = files
>     colourise = yes
>     file = ${logdir}/radius.log
>     syslog_facility = daemon
>     stripped_names = no
>     auth = no
>     auth_badpass = no
>     auth_goodpass = no
>     msg_denied = "You are already logged in - access denied"
> }
> checkrad = ${sbindir}/checkrad
> security {
>     user = freerad
>     group = freerad
>     allow_core_dumps = no
>     max_attributes = 300
>     reject_delay = 1
>     status_server = yes
> }
> $INCLUDE clients.conf
> thread pool {
>     start_servers = 5
>     max_servers = 32
>     min_spare_servers = 3
>     max_spare_servers = 10
>     max_requests_per_server = 0
>     auto_limit_acct = no
> }
> modules {
>     $INCLUDE mods-enabled/
> }
> instantiate {
> }
> policy {
>     $INCLUDE policy.d/
> }
> $INCLUDE sites-enabled/
>
>
> PS :
> It seems that I have read that eap-radius + mschapv2 is not supported
> on freeradius.
> Is that so?
That depends on the FreeRADIUS configuration (sites/virtual servers).
Regards,
Tobias
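As an added example (not from this thread, strongSwan or FreeRADIUS), a small Python parser for the radius.log line format quoted above that separates attribute-limit drops arriving from the server's own address (the self-replay loop Tobias describes, which a larger max_attributes only postpones) from drops coming from other hosts. The sample log lines are constructed; the 203.0.113.9 host is added for contrast.

```python
import re

# One radius.log line as quoted in the thread, carrying the drop message that
# the security { max_attributes } check produces:
# "<ts> : Info: Dropping packet ... Possible DoS attack from host 127.0.0.1:
#  Too many attributes in request (received 301, max 300 are allowed)."
DROP_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) : (?P<level>\w+): .*"
    r"Possible DoS attack from host (?P<host>[0-9a-fA-F.:]+): "
    r"Too many attributes in request \(received (?P<got>\d+), max (?P<max>\d+) are allowed\)"
)

# Constructed sample, not the poster's real log.
SAMPLE_LOG = """\
Mon Mar 27 18:05:29 2017 : Info: Ready to process requests
Mon Mar 27 18:05:34 2017 : Info: Dropping packet without response because of error: Possible DoS attack from host 127.0.0.1: Too many attributes in request (received 301, max 300 are allowed).
Mon Mar 27 18:05:35 2017 : Info: Dropping packet without response because of error: Possible DoS attack from host 127.0.0.1: Too many attributes in request (received 301, max 300 are allowed).
Mon Mar 27 18:06:02 2017 : Info: Dropping packet without response because of error: Possible DoS attack from host 203.0.113.9: Too many attributes in request (received 450, max 300 are allowed).
"""

def parse_drops(log_text):
    """Return one dict per attribute-limit drop found in radius.log text."""
    drops = []
    for line in log_text.splitlines():
        m = DROP_RE.match(line)
        if m:
            drops.append({"ts": m["ts"], "host": m["host"],
                          "received": int(m["got"]), "allowed": int(m["max"])})
    return drops

def looks_like_loop(drop):
    # Over-long requests arriving from the server's own address are the signature
    # of a proxy/self-forwarding loop (each pass appends attributes), not an outside flood.
    return drop["host"].startswith("127.") or drop["host"] == "::1"

def diagnose(drops):
    """Per source host: drop count, largest attribute count seen, and a verdict."""
    report = {}
    for d in drops:
        e = report.setdefault(d["host"], {"count": 0, "peak": 0, "verdict": "external"})
        e["count"] += 1
        e["peak"] = max(e["peak"], d["received"])
        if looks_like_loop(d):
            e["verdict"] = "loop"  # raising max_attributes only delays this drop
    return report

if __name__ == "__main__":
    for host, e in diagnose(parse_drops(SAMPLE_LOG)).items():
        print(f"{host}: {e['count']} drop(s), peak {e['peak']} attributes -> {e['verdict']}")
```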