[strongSwan] verification of AUTH payload without EAP MSK failed
Tobias Brunner
tobias at strongswan.org
Wed Jul 11 11:54:56 CEST 2018
Hi Christian,
> Why would it fail after getting an approved access from RADIUS
>
> ...
> 12[IKE] EAP method EAP_MSCHAPV2 succeeded, no MSK established
If the EAP method is key-generating, which EAP-MSCHAPv2 is, the
authentication will not succeed without an MSK, which the RADIUS server
should provide in MS-MPPE-Send|Recv-Key attributes in the Access-Accept
message (see e.g. [1] for a note regarding older FreeRADIUS versions and
EAP-MSCHAPv2).
Regards,
Tobias
[1]
https://wiki.strongswan.org/projects/strongswan/wiki/EAPRADIUS#RADIUS-servers
More information about the Users
mailing list