Issue #3124

Strongswan 5.8.0 eap-radius Android client issues

Added by Leon K about 1 month ago. Updated about 1 month ago.

Status: Closed
Priority: Normal
Assignee: -
Category: configuration
Affected version: 5.8.0
Resolution: No change required

Description

Hi,

I have installed 5.8.0 from the source with the following configuration:

./configure --prefix=/usr --sysconfdir=/etc --enable-systemd --enable-swanctl --enable-openssl --enable-eap-mschapv2 --enable-eap-md5 --enable-eap-dynamic --enable-eap-radius --enable-eap-tls --enable-eap-ttls --enable-xauth-generic --enable-xauth-eap --enable-whitelist

and successfully connected from the Android client to the strongSwan server using ikev2 eap-dynamic and ikev2 pubkey, but eap-radius doesn't work for me.

Logs and configuration files attached.

I do not know how to interpret the following log records:

log {group=CFG level=1 thread=15 ikesa-name=roadwarr-ikev2-eap-radius ikesa-uniqueid=7 msg=selected peer config 'roadwarr-ikev2-eap-radius'}
log {group=IKE level=1 thread=15 ikesa-name=roadwarr-ikev2-eap-radius ikesa-uniqueid=7 msg=EAP-Identity request configured, but not supported}
log {group=IKE level=1 thread=15 ikesa-name=roadwarr-ikev2-eap-radius ikesa-uniqueid=7 msg=loading EAP_RADIUS method failed}

I am using the same Android client configuration that I used for eap-dynamic:
IKEv2 EAP (Username/Password)

The server doesn't even try to connect to the RADIUS server (freeRADIUS in my case).

pki --help:

loaded plugins: aes des rc2 sha2 sha1 md5 mgf1 random x509 revocation pubkey pkcs1 pkcs7 pkcs8 pkcs12 dnskey sshkey pem openssl gmp curve25519 hmac

  • charon.list (564 Bytes) - charon plugins list - Leon K, 17.07.2019 21:15
  • charon-android.log (6.98 KB) - Android app log - Leon K, 17.07.2019 21:15
  • strongswan.conf (797 Bytes) - Leon K, 17.07.2019 21:15
  • swanctl.conf (1.26 KB) - Leon K, 17.07.2019 21:15
  • swanctl-log-raw (8.76 KB) - swanctl --log --raw - Leon K, 17.07.2019 21:15
  • swanctl-log-raw.log (8.76 KB) - Leon K, 17.07.2019 22:06
  • swanctl-log-raw.log (7.85 KB) - Leon K, 20.07.2019 03:50
  • charon_debug.log (37.5 KB) - Leon K, 20.07.2019 03:55

History

#2 Updated by Noel Kuntze about 1 month ago

  • Category set to configuration
  • Status changed from New to Feedback

I have installed 5.8.0 from the source with the following configuration:

./configure --prefix=/usr --sysconfdir=/etc --enable-systemd --enable-swanctl --enable-openssl --enable-eap-mschapv2 --enable-eap-md5 --enable-eap-dynamic --enable-eap-radius --enable-eap-tls --enable-eap-ttls --enable-xauth-generic --enable-xauth-eap --enable-whitelist

That's bad. Like really, really bad. Now you mixed packaging system managed files and files installed from source. That will get you in trouble if you ever have conflicts between them. You'd better use your distro's packaging system or install into /usr/local.

Regarding the parameters for ./configure, use what already works. For example, take what is used for the Arch Linux package. That will help you with all such problems like you're already having.

log {group=IKE level=1 thread=15 ikesa-name=roadwarr-ikev2-eap-radius ikesa-uniqueid=7 msg=EAP-Identity request configured, but not supported}

You need the eap-identity plugin.

swanctl {
load = pem pkcs1 x509 revocation constraints pubkey openssl random
}
charon-systemd {
load = random nonce sha1 sha2 aes hmac pem pkcs1 x509 revocation constraints pubkey curve25519 gmp curl kernel-netlink socket-default updown vici
}

Do not use a custom load setting unless you really know what you are doing. So remove those settings.

Kind regards

Noel

#3 Updated by Leon K about 1 month ago

Noel Kuntze wrote:

I have installed 5.8.0 from the source with the following configuration:

./configure --prefix=/usr --sysconfdir=/etc --enable-systemd --enable-swanctl --enable-openssl --enable-eap-mschapv2 --enable-eap-md5 --enable-eap-dynamic --enable-eap-radius --enable-eap-tls --enable-eap-ttls --enable-xauth-generic --enable-xauth-eap --enable-whitelist

That's bad. Like really, really bad. Now you mixed packaging system managed files and files installed from source. That will get you in trouble if you ever have conflicts between them. You'd better use your distro's packaging system or install into /usr/local.

Yes, I found that strongswan-pki was still there. So I removed it, and now there is no packaged strongswan installed on this system.
Reinstalled 5.8.0 from source.

Regarding the parameters for ./configure, use what already works. For example, take what is used for the Arch Linux package. That will help you with all such problems like you're already having.

log {group=IKE level=1 thread=15 ikesa-name=roadwarr-ikev2-eap-radius ikesa-uniqueid=7 msg=EAP-Identity request configured, but not supported}

You need the eap-identity plugin.

Added eap-identity.

swanctl {
load = pem pkcs1 x509 revocation constraints pubkey openssl random
}
charon-systemd {
load = random nonce sha1 sha2 aes hmac pem pkcs1 x509 revocation constraints pubkey curve25519 gmp curl kernel-netlink socket-default updown vici
}

Do not use a custom load setting unless you really know what you are doing. So remove those settings.

I found it in some of the usable configurations on the strongSwan website and thought it was safe to use. But anyway, I have removed them.

It is still not working, though.

Is my swanctl.conf correct to work with Radius?

Thank you.

#4 Updated by Noel Kuntze about 1 month ago

I have found it in some of the usable configurations on Strongswan website and thought that is safe to use. But anyway, I have removed them.

Those are test scenarios and they are marked as such.

It is still not working, though.

Well, then there are more problems.

Is my swanctl.conf correct to work with Radius?

Looks okay.

#5 Updated by Leon K about 1 month ago

Well, then there are more problems.

Any recommendations?

I am still getting this:

log {group=IKE level=1 thread=16 ikesa-name=roadwarr-ikev2-eap-radius ikesa-uniqueid=3 msg=received EAP identity 'androidLk'}
log {group=IKE level=1 thread=16 ikesa-name=roadwarr-ikev2-eap-radius ikesa-uniqueid=3 msg=loading EAP_RADIUS method failed}
log {group=ENC level=1 thread=16 ikesa-name=roadwarr-ikev2-eap-radius ikesa-uniqueid=3 msg=generating IKE_AUTH response 2 [ EAP/FAIL ]}

#6 Updated by Noel Kuntze about 1 month ago

Please provide a log from the daemon start to the problem. Use the file logger configuration from the HelpRequests page.

#7 Updated by Leon K about 1 month ago

Noel Kuntze wrote:

Please provide a log from the daemon start to the problem. Use the file logger configuration from the HelpRequests page.

I am on 5.8.0 strongswan/vici (from source).
Once I submitted logs for 5.6.4 (Ubuntu package) with stroke.

But for strongswan/vici the logger is different.

Do I need to add the following lines into strongswan.conf

charon-systemd {
  journal {
    default = 1
    ike = 2
    knl = 3
    # ...
  }
}

And it logs to the systemd journal.
I have added the following lines to strongswan.conf:

filelog {
    # since 5.7.0 the path to the log file has to be specified in a separate setting if it contains dots,
    # use an arbitrary name without dots for the section instead of the one given here
    charon-debug-log {
        # this setting is required with 5.7.0 and newer if the path contains dots
        path = /var/log/charon_debug.log

        time_format = %a, %Y-%m-%d %R
        default = 2
        mgr = 0
        net = 1
        enc = 1
        asn = 1
        job = 1
        ike_name = yes
        append = no
        flush_line = yes
    }
}

Is it not enough to have swanctl --log --raw to troubleshoot my issue?

Where is aa-complain <path to charon/charon-systemd binary> for 5.8.0 installed from source? Do I need to adjust AppArmor for debugging?

Could you please clarify?

I have attached swanctl --log --raw output, but let me know if you need anything else.

Thanks.

#8 Updated by Leon K about 1 month ago

Oh, I forgot to attach charon_debug.log

#9 Updated by Noel Kuntze about 1 month ago

Leon K wrote:

Noel Kuntze wrote:

Please provide a log from the daemon start to the problem. Use the file logger configuration from the HelpRequests page.

I am on 5.8.0 strongswan/vici(from source).
Once I have submitted logs for 5.6.4 (ubuntu package) stroke.

But for strongswan/vici logger is different.

Do I need to add the following lines into strongswan.conf

[...]

And it logs to the systemd journal
I have added the following lines to strongswan.conf:

[...]

Is it not enough to have swanctl --log --raw to troubleshoot my issue?

No, because that doesn't show us what happens when the daemon starts. That's when it would complain about wrong syntax and other things.

[...] for 5.8.0 installed from source? Do I need to adjust AppArmor for debugging?

Could you please clarify?

That's an apparmor related utility that is not shipped by strongSwan. If you do not use apparmor, you do not need it. Otherwise, it's probably preinstalled or in an apparmor related utility package you can install using apt.

I have attached swanctl --log --raw output, but let me know if you need anything else.

Thanks.

That file got me at least one clue:

Fri, 2019-07-19 21:43 10[CFG] loaded 0 RADIUS server configurations
Fri, 2019-07-19 21:43 10[LIB] reloaded configuration of 'eap-radius' plugin

Looks like no radius configs are actually loaded. Try putting them in strongswan.d/charon/eap-radius.conf.

Kind regards

Noel
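The clue Noel pulls out above comes from reading the daemon's own messages rather than the client's. The following is an added example (not strongSwan code, and not taken from this issue's attachments) that parses the two log shapes quoted in this thread, the raw vici stream from swanctl --log --raw and the charon filelog shape, and flags the lines that turned out to matter for an EAP-RADIUS road-warrior setup. The hints attached to each message are my reading of what they meant in this thread, not strings from strongSwan; the sample log is constructed from the lines quoted above.

```python
"""Triage helper for the charon log shapes quoted in this issue (added example)."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# swanctl --log --raw: "log {group=IKE level=1 thread=15 ikesa-name=x ikesa-uniqueid=7 msg=...}"
RAW_RE = re.compile(r"^log \{(?P<body>.*)\}$")
# filelog/syslog shape: "Fri, 2019-07-19 21:43 10[CFG] loaded 0 RADIUS server configurations"
FILELOG_RE = re.compile(
    r"^(?:(?P<ts>.*?)\s+)?(?P<thread>\d+)\[(?P<group>[A-Z]+)\]\s+(?P<msg>.*)$"
)
RADIUS_COUNT_RE = re.compile(r"loaded (\d+) RADIUS server configurations")

# (pattern, what the message meant in this issue) -- hints are this example's wording
RULES = [
    (re.compile(r"EAP-Identity request configured, but not supported"),
     "eap-identity plugin is not loaded; load it (eap_id in swanctl.conf requests an EAP-Identity exchange)"),
    (re.compile(r"loaded 0 RADIUS server configurations"),
     "no charon.plugins.eap-radius.servers.* entries were read; put them in strongswan.d/charon/eap-radius.conf"),
    (re.compile(r"loading EAP_RADIUS method failed"),
     "eap-radius method could not be created; usually a consequence of one of the findings above"),
    (re.compile(r"generating IKE_AUTH response \d+ \[ EAP/FAIL \]"),
     "client was sent an EAP failure; check the server-side lines before this one and the RADIUS server log"),
]


@dataclass
class Entry:
    group: str
    level: Optional[int]
    msg: str
    ikesa: Optional[str] = None


def parse_line(line: str) -> Optional[Entry]:
    """Parse one line in either format; return None for anything else."""
    line = line.strip()
    m = RAW_RE.match(line)
    if m:
        # msg= is always the last field and may itself contain spaces and '='.
        head, sep, msg = m.group("body").partition(" msg=")
        if not sep:
            return None
        fields = dict(kv.split("=", 1) for kv in head.split() if "=" in kv)
        level = int(fields["level"]) if fields.get("level", "").isdigit() else None
        return Entry(fields.get("group", "?"), level, msg, fields.get("ikesa-name"))
    m = FILELOG_RE.match(line)
    if m:
        return Entry(m.group("group"), None, m.group("msg"))
    return None


def radius_server_count(lines: Iterable[str]) -> Optional[int]:
    """Last 'loaded N RADIUS server configurations' value seen, or None if absent."""
    count = None
    for line in lines:
        e = parse_line(line)
        if e:
            m = RADIUS_COUNT_RE.search(e.msg)
            if m:
                count = int(m.group(1))
    return count


def triage(lines: Iterable[str]) -> List[str]:
    """Return one finding per matching line, in log order."""
    findings = []
    for line in lines:
        e = parse_line(line)
        if e is None:
            continue
        for pat, hint in RULES:
            if pat.search(e.msg):
                where = f" ({e.ikesa})" if e.ikesa else ""
                findings.append(f"[{e.group}]{where} {e.msg} -> {hint}")
    return findings


# Constructed sample: the lines quoted in this issue, in the order they appeared.
SAMPLE_LOG = [
    "log {group=CFG level=1 thread=15 ikesa-name=roadwarr-ikev2-eap-radius ikesa-uniqueid=7 msg=selected peer config 'roadwarr-ikev2-eap-radius'}",
    "log {group=IKE level=1 thread=15 ikesa-name=roadwarr-ikev2-eap-radius ikesa-uniqueid=7 msg=EAP-Identity request configured, but not supported}",
    "log {group=IKE level=1 thread=15 ikesa-name=roadwarr-ikev2-eap-radius ikesa-uniqueid=7 msg=loading EAP_RADIUS method failed}",
    "Fri, 2019-07-19 21:43 10[CFG] loaded 0 RADIUS server configurations",
    "Fri, 2019-07-19 21:43 10[LIB] reloaded configuration of 'eap-radius' plugin",
    "log {group=ENC level=1 thread=16 ikesa-name=roadwarr-ikev2-eap-radius ikesa-uniqueid=3 msg=generating IKE_AUTH response 2 [ EAP/FAIL ]}",
]

if __name__ == "__main__":
    print("RADIUS servers loaded:", radius_server_count(SAMPLE_LOG))
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Run it against a full charon_debug.log (from daemon start, as Noel asks for) rather than a client-side capture: the "loaded N RADIUS server configurations" line is emitted when the plugin's configuration is (re)loaded, so a count of 0 there tells you the problem is on the server before any RADIUS packet could be sent.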

#10 Updated by Leon K about 1 month ago

Looks like no radius configs are actually loaded. Try putting them in strongswan.d/charon/eap-radius.conf.

It didn't help.

Thank you.

#11 Updated by Noel Kuntze about 1 month ago

The log you attached does not show the daemon's start. Please attach a log that does.

#12 Updated by Leon K about 1 month ago

I am attaching a log with daemon's start. But I have fixed this problem.

Yes, strongSwan reads eap-radius.conf only and ignores strongswan.conf, at least for the eap-radius plugin configuration.

But the problem in this case was that freeRADIUS did not recognize a client with the IP address of the LXD bridge (freeRADIUS is installed in an LXD/LXC container). freeRADIUS sees the host (10.10.5.15) as 10.0.3.1 (the LXD/LXC bridge). So I changed the IP from 10.10.5.15 to 10.0.3.1 in the 'nas' table (freeRADIUS database) and it works now. But there was another issue with some Android (Galaxy S9) glitch: it all of a sudden stopped recognizing the strongSwan CA certificate as the authority that signed the strongSwan server's certificate.
That is why I initially didn't see (even after moving the eap-radius plugin configuration to eap-radius.conf) those freeRADIUS error messages about an unknown client (10.0.3.1).
It works, though it is not quite clear why the plugins part of strongswan.conf has been ignored.

Thank you, Noel, for your help.
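For reference, the three pieces that had to line up in this thread, as an added example (my own, not the reporter's attached files and not strongSwan or freeRADIUS project code). The server address 10.0.3.10, the connection and pool names, the certificate file name, the identity vpn.example.org and the shared secret are placeholders; the bridge address 10.0.3.1 and host address 10.10.5.15 are the ones from comment #12.

```conf
# /etc/strongswan.d/charon/eap-radius.conf
# The stock strongswan.conf includes strongswan.d/charon/*.conf from inside
# charon { plugins { ... } }, so these keys become charon.plugins.eap-radius.*
# (charon-systemd falls back to the charon section for plugin settings).
eap-radius {
    load = yes
    servers {
        freeradius {
            address = 10.0.3.10                     # placeholder: RADIUS server in the container
            secret = REPLACE-WITH-A-LONG-RANDOM-SHARED-SECRET
            auth_port = 1812
            acct_port = 1813
            nas_identifier = vpn-gw                 # NAS-Identifier sent in Access-Request
        }
    }
}

# /etc/swanctl/conf.d/roadwarrior.conf (names are placeholders)
connections {
    roadwarr-ikev2-eap-radius {
        version = 2
        proposals = aes256-sha256-ecp256
        pools = rw-pool
        send_cert = always
        local {
            auth = pubkey
            certs = vpnHostCert.pem
            id = vpn.example.org
        }
        remote {
            auth = eap-radius                       # hand the EAP exchange to RADIUS
            eap_id = %any                           # requests an EAP-Identity exchange,
        }                                           # which needs the eap-identity plugin
        children {
            rw {
                local_ts = 0.0.0.0/0
                esp_proposals = aes256-sha256
            }
        }
    }
}
pools {
    rw-pool {
        addrs = 10.10.6.0/24
    }
}

# freeRADIUS clients.conf entry (or the equivalent row in the SQL 'nas' table).
# ipaddr must be the source address the RADIUS server actually sees. With
# strongSwan on the host and freeRADIUS in an LXD container, that was the
# bridge address 10.0.3.1 in this issue, not the host's 10.10.5.15.
client strongswan-gw {
    ipaddr = 10.0.3.1
    secret = REPLACE-WITH-A-LONG-RANDOM-SHARED-SECRET
    shortname = vpn-gw
    nastype = other
}
```

After editing, reload with swanctl --load-all and check the daemon log for "loaded 1 RADIUS server configurations" (the thread shows the 0 case); on the RADIUS side, freeradius -X prints the unknown-client rejection with the source address it saw, which is the quickest way to get the ipaddr right. Two practitioner caveats: the shared secret is all that protects RADIUS packets between gateway and server, so keep that path on a trusted link (the container bridge here) or inside IPsec, and use a long random secret, since RADIUS itself is only MD5-keyed.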

#13 Updated by Noel Kuntze about 1 month ago

You're welcome.

#14 Updated by Noel Kuntze about 1 month ago

  • Status changed from Feedback to Closed
  • Resolution set to No change required
