
Issue #3318

problem with radius

Added by zhenxing huang about 1 month ago. Updated 25 days ago.

Status: Feedback
Priority: Low
Assignee: -
Category: configuration
Affected version: 5.8.2
Resolution: -
Description

Hello.
I am changing from ipsec to swanctl.
When the roadwarrior dials in, it says Access-Reject from RADIUS server? It works well when we use ipsec.
strongswan.conf

charon {
        multiple_authentication=yes
        dos_protection=yes
        plugins {
                eap-radius {
                        server=172.27.7.26
                        secret=abcd
                        nas_identifier=efgh
                }
        }
        include strongswan.d/charon/*.conf
}

swanctl {
  load = pem pkcs1 x509 revocation constraints pubkey openssl random
}

charon-systemd {
  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-radius updown

  plugins {
    eap-radius {
        server=172.27.7.26
        secret=abcd
        nas_identifier=efgh
    }
  }
}

swanctl.conf
connections {                    # enclosing section, omitted from the pasted excerpt
        radius-1 {
                local_addrs = m.domain.cn
                remote_addrs = %any
                version = 2
                proposals = .......
                pools = eap_pool
                local {
                        certs = m.cer
                        id = m.domain.cn
                }
                remote {
                        auth = eap-radius
                        id = %any
                }
                children {
                        eap-1 {
                                local_ts = 172.27.7.0/24
                                updown = /usr/local/libexec/ipsec/_updown iptables
                                rekey_time = 5400
                                esp_proposals = aes256-sha256
                        }
                }
        }
}
pools {
        eap_pool {
                addrs = 192.168.10.0/27
        }
}

log:

Jan 22 15:43:27 m charon[2905]: 11[NET] received packet: from 223.73.b.b[12616] to 59.37.a.a[500] (624 bytes)
Jan 22 15:43:27 m charon[2905]: 11[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(FRAG_SUP) N(NATD_S_IP) N(NATD_D_IP) V V V V ]
Jan 22 15:43:27 m charon[2905]: 11[IKE] received MS NT5 ISAKMPOAKLEY v9 vendor ID
Jan 22 15:43:27 m charon[2905]: 11[IKE] received MS-Negotiation Discovery Capable vendor ID
Jan 22 15:43:27 m charon[2905]: 11[IKE] received Vid-Initial-Contact vendor ID
Jan 22 15:43:27 m charon[2905]: 11[ENC] received unknown vendor ID: 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02
Jan 22 15:43:27 m charon[2905]: 11[IKE] 223.73.b.b is initiating an IKE_SA
Jan 22 15:43:27 m charon[2905]: 11[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Jan 22 15:43:27 m charon[2905]: 11[IKE] remote host is behind NAT
Jan 22 15:43:27 m charon[2905]: 11[IKE] sending cert request for "CN=RSACA" 
Jan 22 15:43:27 m charon[2905]: 11[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(CHDLESS_SUP) N(MULT_AUTH) ]
Jan 22 15:43:27 m charon[2905]: 11[NET] sending packet: from 59.37.a.a[500] to 223.73.b.b[12616] (353 bytes)
Jan 22 15:43:27 m charon[2905]: 09[NET] received packet: from 223.73.b.b[12649] to 59.37.a.a[4500] (576 bytes)
Jan 22 15:43:27 m charon[2905]: 09[ENC] parsed IKE_AUTH request 1 [ EF(1/4) ]
Jan 22 15:43:27 m charon[2905]: 09[ENC] received fragment #1 of 4, waiting for complete IKE message
Jan 22 15:43:27 m charon[2905]: 09[NET] received packet: from 223.73.b.b[12649] to 59.37.a.a[4500] (576 bytes)
Jan 22 15:43:27 m charon[2905]: 09[ENC] parsed IKE_AUTH request 1 [ EF(2/4) ]
Jan 22 15:43:27 m charon[2905]: 09[ENC] received fragment #2 of 4, waiting for complete IKE message
Jan 22 15:43:27 m charon[2905]: 09[NET] received packet: from 223.73.b.b[12649] to 59.37.a.a[4500] (576 bytes)
Jan 22 15:43:27 m charon[2905]: 09[ENC] parsed IKE_AUTH request 1 [ EF(3/4) ]
Jan 22 15:43:27 m charon[2905]: 09[ENC] received fragment #3 of 4, waiting for complete IKE message
Jan 22 15:43:27 m charon[2905]: 09[NET] received packet: from 223.73.b.b[12649] to 59.37.a.a[4500] (240 bytes)
Jan 22 15:43:27 m charon[2905]: 09[ENC] parsed IKE_AUTH request 1 [ EF(4/4) ]
Jan 22 15:43:27 m charon[2905]: 09[ENC] received fragment #4 of 4, reassembled fragmented IKE message (1724 bytes)
Jan 22 15:43:27 m charon[2905]: 09[ENC] parsed IKE_AUTH request 1 [ IDi CERTREQ CPRQ(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ]
Jan 22 15:43:27 m charon[2905]: 09[IKE] received cert request for "CN=RSACA" 
Jan 22 15:43:27 m charon[2905]: 09[IKE] received 69 cert requests for an unknown ca
Jan 22 15:43:27 m charon[2905]: 09[CFG] looking for peer configs matching 59.37.a.a[%any]...223.73.b.b[192.168.1.113]
Jan 22 15:43:27 m charon[2905]: 09[CFG] selected peer config 'radius-1'
Jan 22 15:43:27 m charon[2905]: 09[CFG] sending RADIUS Access-Request to server '172.27.7.26'
Jan 22 15:43:27 m charon[2905]: 09[CFG] received RADIUS Access-Reject from server '172.27.7.26'
Jan 22 15:43:27 m charon[2905]: 09[IKE] RADIUS authentication of '192.168.1.113' failed
Jan 22 15:43:27 m charon[2905]: 09[IKE] initiating EAP_RADIUS method failed
Jan 22 15:43:27 m charon[2905]: 09[ENC] generating IKE_AUTH response 1 [ IDr EAP/FAIL ]
Jan 22 15:43:27 m charon[2905]: 09[NET] sending packet: from 59.37.a.a[4500] to 223.73.b.b[12649] (108 bytes)

1812.cap (330 Bytes), zhenxing huang, 23.01.2020 13:17
external.xml (330 Bytes), zhenxing huang, 23.01.2020 13:17
internal.xml (394 Bytes), zhenxing huang, 23.01.2020 13:17
messages (3.47 KB), zhenxing huang, 23.01.2020 13:17
strongswan.conf (1.07 KB), zhenxing huang, 23.01.2020 13:17
swanctl.conf (1.75 KB), zhenxing huang, 23.01.2020 13:17

History

#1 Updated by zhenxing huang about 1 month ago

Why is there 'any' (59.37.a.a[%any])? Is this the problem?

#2 Updated by Tobias Brunner about 1 month ago

  • Category set to configuration
  • Status changed from New to Feedback

Why is there 'any' (59.37.a.a[%any])? Is this the problem?

Not sure what you mean. But the problem is clearly that the RADIUS server immediately replies with an Access-Reject message. So check the log/config of your RADIUS server.

#3 Updated by zhenxing huang about 1 month ago

Tobias Brunner wrote:

Why is there 'any' (59.37.a.a[%any])? Is this the problem?

Not sure what you mean. But the problem is clearly that the RADIUS server immediately replies with an Access-Reject message. So check the log/config of your RADIUS server.

But it works fine when using ipsec (nothing has been changed on the RADIUS side).

We are using Windows NPS for RADIUS.
Log:
When using ipsec, the NPS log can identify the username.
When using swanctl, the username is displayed as "��q".

#4 Updated by Tobias Brunner about 1 month ago

You probably configured eap_identity=%identity before, so configure remote.eap_id=%any now (see migration from ipsec.conf).

#5 Updated by zhenxing huang 29 days ago

Tobias Brunner wrote:

You probably configured eap_identity=%identity before, so configure remote.eap_id=%any now (see migration from ipsec.conf).

Still the same.

Any value entered for the username shows up as "��q" in the NPS log.

#6 Updated by Tobias Brunner 29 days ago

Still the same.

Any value entered for the username shows up as "��q" in the NPS log.

Maybe you did that wrong. Please post config and log.

#7 Updated by zhenxing huang 29 days ago

Tobias Brunner wrote:

Still the same.

Any value entered for the username shows up as "��q" in the NPS log.

Maybe you did that wrong. Please post config and log.

Thank you very much for your help.

#8 Updated by Tobias Brunner 29 days ago

As always, it helps reading the logs:

Jan 23 19:49:00 m charon-systemd[6001]: EAP-Identity request configured, but not supported

You apparently don't have the eap-identity plugin loaded.

By the way, as noted on EapRadius you could also configure eap_start = yes for the eap-radius plugin to let the RADIUS server initiate the EAP exchange. It might request the identity itself in that case. No idea if Microsoft's RADIUS server supports that, though.

#9 Updated by zhenxing huang 29 days ago

Tobias Brunner wrote:

As always, it helps reading the logs:

[...]

You apparently don't have the eap-identity plugin loaded.

By the way, as noted on EapRadius you could also configure eap_start = yes for the eap-radius plugin to let the RADIUS server initiate the EAP exchange. It might request the identity itself in that case. No idea if Microsoft's RADIUS server supports that, though.

MS NPS works well with ipsec, but not with swanctl.
Which command is equivalent to ipsec listplugins?

Added the setting eap_start=yes and load = eap_identity in the charon-systemd section of strongswan.conf.

output log:

Jan 24 10:42:37 m charon-systemd[7456]: received packet: from 223.73.b.b[46182] to 59.37.a.a[500] (624 bytes)
Jan 24 10:42:37 m charon-systemd[7456]: parsed IKE_SA_INIT request 0 [ SA KE No N(FRAG_SUP) N(NATD_S_IP) N(NATD_D_IP) V V V V ]
Jan 24 10:42:37 m charon-systemd[7456]: received MS NT5 ISAKMPOAKLEY v9 vendor ID
Jan 24 10:42:37 m charon-systemd[7456]: received MS-Negotiation Discovery Capable vendor ID
Jan 24 10:42:37 m charon-systemd[7456]: received Vid-Initial-Contact vendor ID
Jan 24 10:42:37 m charon-systemd[7456]: received unknown vendor ID: 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02
Jan 24 10:42:37 m charon-systemd[7456]: 223.73.b.b is initiating an IKE_SA
Jan 24 10:42:37 m charon-systemd[7456]: selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Jan 24 10:42:37 m charon-systemd[7456]: remote host is behind NAT
Jan 24 10:42:37 m charon-systemd[7456]: generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(CHDLESS_SUP) N(MULT_AUTH) ]
Jan 24 10:42:37 m charon-systemd[7456]: sending packet: from 59.37.a.a[500] to 223.73.b.b[46182] (328 bytes)
Jan 24 10:42:37 m charon-systemd[7456]: received packet: from 223.73.b.b[46272] to 59.37.a.a[4500] (576 bytes)
Jan 24 10:42:37 m charon-systemd[7456]: parsed IKE_AUTH request 1 [ EF(1/4) ]
Jan 24 10:42:37 m charon-systemd[7456]: received fragment #1 of 4, waiting for complete IKE message
Jan 24 10:42:37 m charon-systemd[7456]: received packet: from 223.73.b.b[46272] to 59.37.a.a[4500] (240 bytes)
Jan 24 10:42:37 m charon-systemd[7456]: parsed IKE_AUTH request 1 [ EF(4/4) ]
Jan 24 10:42:37 m charon-systemd[7456]: received fragment #4 of 4, waiting for complete IKE message
Jan 24 10:42:37 m charon-systemd[7456]: received packet: from 223.73.b.b[46272] to 59.37.a.a[4500] (576 bytes)
Jan 24 10:42:37 m charon-systemd[7456]: parsed IKE_AUTH request 1 [ EF(3/4) ]
Jan 24 10:42:37 m charon-systemd[7456]: received fragment #3 of 4, waiting for complete IKE message
Jan 24 10:42:37 m charon-systemd[7456]: received packet: from 223.73.b.b[46272] to 59.37.a.a[4500] (576 bytes)
Jan 24 10:42:37 m charon-systemd[7456]: parsed IKE_AUTH request 1 [ EF(2/4) ]
Jan 24 10:42:37 m charon-systemd[7456]: received fragment #2 of 4, reassembled fragmented IKE message (1724 bytes)
Jan 24 10:42:37 m charon-systemd[7456]: parsed IKE_AUTH request 1 [ IDi CERTREQ CPRQ(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ]
Jan 24 10:42:37 m charon-systemd[7456]: received 70 cert requests for an unknown ca
Jan 24 10:42:37 m charon-systemd[7456]: looking for peer configs matching 59.37.a.a[%any]...223.73.b.b[192.168.1.113]
Jan 24 10:42:37 m charon-systemd[7456]: selected peer config 'radius-1'
Jan 24 10:42:37 m charon-systemd[7456]: EAP-Identity request configured, but not supported
Jan 24 10:42:37 m charon-systemd[7456]: sending RADIUS Access-Request to server '172.27.7.26'
Jan 24 10:42:39 m charon-systemd[7456]: retransmit 1 of RADIUS Access-Request (timeout: 2.8s)
Jan 24 10:42:42 m charon-systemd[7456]: retransmit 2 of RADIUS Access-Request (timeout: 3.9s)
Jan 24 10:42:46 m charon-systemd[7456]: retransmit 3 of RADIUS Access-Request (timeout: 5.5s)
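The three log signatures this ticket runs through (an immediate Access-Reject in the description, the "EAP-Identity request configured, but not supported" line pointed out in #8, and the unanswered Access-Request retransmits above) are easy to miss in a busy charon log. The following triage script is an added example, not code from the ticket or from strongSwan: it parses both the charon and the charon-systemd line formats seen here, labels the RADIUS/EAP failure modes, and maps them to the next thing to check. The sample lines are condensed from the logs posted in this ticket; the rule set and the advice strings are the example's own.

```python
"""Triage charon log lines for the EAP-RADIUS failure modes this ticket shows.

Added example, not code from the ticket or from strongSwan. SAMPLE_LOG is
condensed from the logs posted in the ticket; RULES and the advice text are
this example's own.
"""
import re
from collections import Counter

# Syslog-style charon line. charon started via ipsec/stroke prefixes the
# message with "NN[GRP] "; the charon-systemd lines in the ticket do not.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<daemon>charon(?:-systemd)?)\[\d+\]: (?:\d+\[[A-Z]+\] )?(?P<msg>.*)$"
)

# (pattern on the message part, diagnosis label); the first match wins
RULES = [
    (re.compile(r"received RADIUS Access-Reject from server '(?P<server>[^']+)'"),
     "radius-reject"),
    (re.compile(r"retransmit (?P<n>\d+) of RADIUS Access-Request"),
     "radius-no-response"),
    (re.compile(r"EAP-Identity request configured, but not supported"),
     "eap-identity-plugin-missing"),
    (re.compile(r"RADIUS authentication of '(?P<peer>[^']+)' failed"),
     "eap-auth-failed"),
]

# Constructed sample: lines copied from the two logs posted in this ticket
SAMPLE_LOG = [
    "Jan 22 15:43:27 m charon[2905]: 09[CFG] sending RADIUS Access-Request to server '172.27.7.26'",
    "Jan 22 15:43:27 m charon[2905]: 09[CFG] received RADIUS Access-Reject from server '172.27.7.26'",
    "Jan 22 15:43:27 m charon[2905]: 09[IKE] RADIUS authentication of '192.168.1.113' failed",
    "Jan 24 10:42:37 m charon-systemd[7456]: EAP-Identity request configured, but not supported",
    "Jan 24 10:42:37 m charon-systemd[7456]: sending RADIUS Access-Request to server '172.27.7.26'",
    "Jan 24 10:42:39 m charon-systemd[7456]: retransmit 1 of RADIUS Access-Request (timeout: 2.8s)",
    "Jan 24 10:42:42 m charon-systemd[7456]: retransmit 2 of RADIUS Access-Request (timeout: 3.9s)",
    "Jan 24 10:42:46 m charon-systemd[7456]: retransmit 3 of RADIUS Access-Request (timeout: 5.5s)",
]


def parse_line(line):
    """Split one log line into timestamp, host, daemon flavour and message."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(msg):
    """Return (diagnosis, captured details) for a message, or (None, {})."""
    for pattern, diagnosis in RULES:
        m = pattern.search(msg)
        if m:
            return diagnosis, m.groupdict()
    return None, {}


def triage(lines):
    """Return (Counter of diagnoses, list of (timestamp, diagnosis, details))."""
    counts, findings = Counter(), []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # not a charon line; ignore
        diagnosis, details = classify(rec["msg"])
        if diagnosis:
            counts[diagnosis] += 1
            findings.append((rec["ts"], diagnosis, details))
    return counts, findings


def advice(counts):
    """Map the observed diagnoses to what to check next (as discussed in the ticket)."""
    out = []
    if counts["eap-identity-plugin-missing"]:
        out.append("eap-identity plugin not loaded: compare `swanctl --stats` plugin list")
    if counts["radius-reject"]:
        out.append("RADIUS server answered Access-Reject: check the RADIUS server log/config")
    if counts["radius-no-response"] >= 3:
        out.append("RADIUS server not answering at all: revisit eap_start and reachability")
    return out


if __name__ == "__main__":
    counts, findings = triage(SAMPLE_LOG)
    for ts, diagnosis, details in findings:
        print(ts, diagnosis, details)
    for line in advice(counts):
        print("->", line)
```

Run it against `journalctl -u strongswan` output (or the syslog file) piped through `triage(sys.stdin)`; the retransmit threshold of three matches the number of retries visible in the log above and is a convenience choice, not a strongSwan constant.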

#10 Updated by Tobias Brunner 29 days ago

Which command is equivalent to ipsec listplugins?

There is none, but --stats lists the loaded plugins.

Added the setting eap_start=yes

The RADIUS server apparently doesn't like that, it doesn't respond at all now.

and load = eap_identity in the charon-systemd section of strongswan.conf.

Don't do that. See FAQ for instructions if a plugin is missing.

#11 Updated by zhenxing huang 27 days ago

Tobias Brunner wrote:

Which command is equivalent to ipsec listplugins?

There is none, but --stats lists the loaded plugins.

Added the setting eap_start=yes

The RADIUS server apparently doesn't like that, it doesn't respond at all now.

and load = eap_identity in the charon-systemd section of strongswan.conf.

Don't do that. See FAQ for instructions if a plugin is missing.

I tried to rebuild the program.

When I restart ipsec without changing anything, the loaded plugins are as follows:

[root@m swanctl]# swanctl -S
uptime: 3 seconds, since Jan 25 20:36:12 2020
worker threads: 16 total, 11 idle, working: 4/0/1/0
job queues: 0/0/0/0
jobs scheduled: 0
IKE_SAs: 0 total, 0 half-open
mallinfo: sbrk 2412544, mmap 0, used 642576, free 1769968
loaded plugins: charon aes des rc2 sha2 sha3 sha1 md4 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp curve25519 xcbc cmac hmac drbg attr kernel-netlink resolve socket-default farp stroke vici updown eap-identity eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc tnc-tnccs dhcp whitelist addrblock counters

When I restart swanctl without changing anything, the loaded plugins are as follows:
[root@m swanctl]# swanctl -S
uptime: 3 seconds, since Jan 25 20:36:25 2020
worker threads: 16 total, 11 idle, working: 4/0/1/0
job queues: 0/0/0/0
jobs scheduled: 0
IKE_SAs: 0 total, 0 half-open
mallinfo: sbrk 2297856, mmap 0, used 355232, free 1942624
loaded plugins: charon-systemd random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 revocation hmac vici kernel-netlink socket-default eap-radius updown

It really has not loaded the other plugins.
Please help.
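The two `swanctl --stats` dumps above differ in exactly the way #8 predicted: the stroke-started charon lists eap-identity, the charon-systemd run (whose section in strongswan.conf carries an explicit `load =` line that omits it) does not. The script below is an added example, not strongSwan code: it parses the "loaded plugins" line of the stats output, diffs the two plugin sets, and reports what is missing for an eap-radius road-warrior setup. The two stats texts are the ones posted in this comment; REQUIRED is the example's own assumption (eap-radius is the EAP method, eap-identity answers the EAP-Identity request that remote.eap_id=%any turns on, vici is what swanctl itself talks to).

```python
"""Compare plugin sets from `swanctl --stats` output and flag what an
eap-radius road-warrior setup is missing.

Added example, not strongSwan code. STATS_IPSEC and STATS_SYSTEMD are the two
dumps posted in the ticket; REQUIRED is this example's assumption.
"""

STATS_IPSEC = """uptime: 3 seconds, since Jan 25 20:36:12 2020
worker threads: 16 total, 11 idle, working: 4/0/1/0
job queues: 0/0/0/0
jobs scheduled: 0
IKE_SAs: 0 total, 0 half-open
mallinfo: sbrk 2412544, mmap 0, used 642576, free 1769968
loaded plugins: charon aes des rc2 sha2 sha3 sha1 md4 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp curve25519 xcbc cmac hmac drbg attr kernel-netlink resolve socket-default farp stroke vici updown eap-identity eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc tnc-tnccs dhcp whitelist addrblock counters
"""

STATS_SYSTEMD = """uptime: 3 seconds, since Jan 25 20:36:25 2020
worker threads: 16 total, 11 idle, working: 4/0/1/0
job queues: 0/0/0/0
jobs scheduled: 0
IKE_SAs: 0 total, 0 half-open
mallinfo: sbrk 2297856, mmap 0, used 355232, free 1942624
loaded plugins: charon-systemd random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 revocation hmac vici kernel-netlink socket-default eap-radius updown
"""

# Assumption of this example: what a swanctl-managed eap-radius setup with
# remote.eap_id=%any needs, beyond crypto/kernel plugins.
REQUIRED = {"eap-radius", "eap-identity", "vici"}


def parse_stats(text):
    """Extract daemon flavour, plugin set and uptime from `swanctl --stats` output."""
    out = {"daemon": None, "plugins": set(), "uptime": None}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "loaded plugins":
            names = value.split()
            # the first entry names the daemon itself (charon or charon-systemd)
            out["daemon"], out["plugins"] = names[0], set(names[1:])
        elif key == "uptime":
            out["uptime"] = value
    return out


def missing_plugins(stats, required=REQUIRED):
    """Required plugins the daemon did not load, sorted for stable output."""
    return sorted(required - stats["plugins"])


def plugin_diff(a, b):
    """Plugins loaded only by a, and only by b."""
    return sorted(a["plugins"] - b["plugins"]), sorted(b["plugins"] - a["plugins"])


def explain(stats):
    """One-line verdict for a stats dump."""
    missing = missing_plugins(stats)
    if not missing:
        return f"{stats['daemon']}: all required plugins loaded"
    return f"{stats['daemon']}: missing {', '.join(missing)}"


if __name__ == "__main__":
    ipsec, systemd = parse_stats(STATS_IPSEC), parse_stats(STATS_SYSTEMD)
    print(explain(ipsec))
    print(explain(systemd))
    only_ipsec, only_systemd = plugin_diff(ipsec, systemd)
    print("only under ipsec/stroke:", " ".join(only_ipsec))
    print("only under charon-systemd:", " ".join(only_systemd) or "(none)")
```

Feed the live output in with `parse_stats(subprocess.run(["swanctl", "--stats"], capture_output=True, text=True).stdout)`; the diff function is what tells the difference between "plugin not built" (absent in both dumps) and "plugin built but not loaded by this daemon" (present in one), which is the distinction the FAQ reference in #10 is about.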

#12 Updated by Tobias Brunner 26 days ago

When I restart ipsec without changing anything, the loaded plugins are as follows:
[...]
When I restart swanctl without changing anything, the loaded plugins are as follows:
[...]

What do you mean with "restart swanctl"? swanctl is a control utility, "restarting" it doesn't make sense. It seems you may have some conflicting configs or some other issue that causes this. Perhaps removing all versions of strongSwan (packages/custom) and rebuilding/reinstalling from scratch could help.

#13 Updated by zhenxing huang 25 days ago

Tobias Brunner wrote:

When I restart ipsec without changing anything, the loaded plugins are as follows:
[...]
When I restart swanctl without changing anything, the loaded plugins are as follows:
[...]

What do you mean with "restart swanctl"? swanctl is a control utility, "restarting" it doesn't make sense. It seems you may have some conflicting configs or some other issue that causes this. Perhaps removing all versions of strongSwan (packages/custom) and rebuilding/reinstalling from scratch could help.

I mean restarting strongSwan. :)
OK, I will check it again. Thanks.
