[strongSwan] verification of AUTH payload without EAP MSK failed
Christian Salway
christian.salway at naimuri.com
Wed Jul 11 12:59:39 CEST 2018
Hi Tobias,
I found that paragraph just after writing my last email :)
The RADIUS Proxy is https://duo.com/docs/radius who have written back to me asking for logs so will see what they say.
Kind regards,
Christian Salway
IT Consultant - Naimuri
T: +44 7463 331432
E: christian.salway at naimuri.com
A: Naimuri Ltd, Capstan House, Manchester M50 2UW
> On 11 Jul 2018, at 10:54, Tobias Brunner <tobias at strongswan.org> wrote:
>
> Hi Christian,
>
>> Why would it fail after getting an approved access from RADIUS
>>
>> ...
>> 12[IKE] EAP method EAP_MSCHAPV2 succeeded, no MSK established
>
> If the EAP method is key-generating, which EAP-MSCHAPv2 is, the
> authentication will not succeed without an MSK, which the RADIUS server
> should provide in MS-MPPE-Send|Recv-Key attributes in the Access-Accept
> message (see e.g. [1] for a note regarding older FreeRADIUS versions and
> EAP-MSCHAPv2).
>
> Regards,
> Tobias
>
> [1]
> https://wiki.strongswan.org/projects/strongswan/wiki/EAPRADIUS#RADIUS-servers
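
Added example, not part of the original thread and not strongSwan or Duo code: a check of a captured RADIUS Access-Accept for the MS-MPPE-Send-Key and MS-MPPE-Recv-Key attributes mentioned in the reply above. It assumes the raw UDP payload of the Access-Accept is available (for example from a packet capture between the VPN gateway and the RADIUS proxy); the function names and the sample packets are constructed for illustration, and the code only reports whether the attributes are present, it does not decrypt them.

```python
import struct

ACCESS_ACCEPT, VENDOR_SPECIFIC = 2, 26   # RFC 2865 code / attribute type
MICROSOFT = 311                          # RFC 2548 vendor id
MPPE = {16: "MS-MPPE-Send-Key", 17: "MS-MPPE-Recv-Key"}  # RFC 2548 vendor types

def mppe_keys_present(packet: bytes) -> set:
    """Names of the MS-MPPE key attributes carried in a raw Access-Accept."""
    if len(packet) < 20:
        raise ValueError("shorter than a RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT:
        raise ValueError("not an Access-Accept")
    if not 20 <= length <= len(packet):
        raise ValueError("bad length field")
    found, pos = set(), 20               # attributes follow the 16-byte authenticator
    while pos + 2 <= length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        value = packet[pos + 2:pos + alen]
        if atype == VENDOR_SPECIFIC and len(value) >= 6:
            found |= _ms_subattrs(value)
        pos += alen
    return found

def _ms_subattrs(value: bytes) -> set:
    """Walk the sub-attributes of one Vendor-Specific value; keep Microsoft MPPE keys."""
    names, sub = set(), value[4:]
    if struct.unpack("!I", value[:4])[0] != MICROSOFT:
        return names
    while len(sub) >= 2 and 2 <= sub[1] <= len(sub):
        if sub[0] in MPPE:
            names.add(MPPE[sub[0]])
        sub = sub[sub[1]:]
    return names

def has_both_keys(packet: bytes) -> bool:
    return mppe_keys_present(packet) == set(MPPE.values())

# Constructed sample packets (zeroed authenticator and key bytes, not real traffic).
def _attr(t, v): return bytes([t, len(v) + 2]) + v
def _vsa(vtype, data): return _attr(26, struct.pack("!I", 311) + _attr(vtype, data))
def _accept(*attrs):
    body = b"".join(attrs)
    return struct.pack("!BBH", 2, 1, 20 + len(body)) + bytes(16) + body

WITH_KEYS = _accept(_vsa(16, bytes(34)), _vsa(17, bytes(34)))
WITHOUT_KEYS = _accept(_attr(18, b"Success"))   # Reply-Message only
```

An Access-Accept for which `has_both_keys` returns `False` matches the situation in the quoted log line: the EAP method succeeds but no MSK reaches the gateway.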