Issue #3567

strongswan 5.8.4 authenticating via windows radius server

Added by Chuks Chuks about 1 month ago. Updated 23 days ago.

Status:
Closed
Priority:
Normal
Category:
configuration
Affected version:
5.8.4
Resolution:
No feedback

Description

I am running strongSwan version 5.8.4
and I want to authenticate via eap-radius (Windows RADIUS server),
but I am having issues; please see below.
I am new to Linux and any advice will be truly appreciated.

I installed strongswan as shown below:
./configure --prefix=/usr --sysconfdir=/etc/strongswan --localstatedir=/var --enable-unity
--enable-xauth-eap --enable-eap-identity --enable-eap-md5 --enable-xauth-pam --enable-eap-tls
--enable-eap-radius --enable-eap-mschapv2 --enable-dhcp --enable-systemd --enable-eap-dynamic
--enable-openssl --enable-addrblock --enable-certexpire --enable-radattr --enable-swanctl --disable-gmp

my ipsec.conf:

config setup
    uniqueids=never
    charondebug="ike 2, knl 2, cfg 2, net 2, esp 2, dmn 2,  mgr 2" 
    # fragmentation=yes

conn %default
    leftsubnet=255.255.240.0
    left=%defaultroute
    right=%any
    auto=add
    fragmentation=yes
    eap-start=yes

conn IKEv2-EAP_MSCHAPv2-RADIUS
    keyexchange=ikev2
    ike=aes256-sha256-modp1024,3des-sha1-modp1024,aes256-sha1-modp1024!
    esp=aes256-sha256,3des-sha1,aes256-sha1!
    rekey=no
    leftid=128.16.3.161
    leftauth=%any
    leftcert=server.cert.pem
    rightauth=eap-radius
    rightsourceip=128.16.115.0/24
    rightsendcert=never
    rightdns=128.16.6.19,128.16.5.31
    eap_identity=%any
    fragmentation=yes

Error log:

Sep 16 13:38:58 coniston charon[22336]: 10[IKE] received cert request for unknown ca with keyid 67:ec:9f:90:2d:cd:64:ae:fe:7e:bc:cd:f8:8c:51:28:f1:93:2c:12
Sep 16 13:38:58 coniston charon[22336]: 10[IKE] received cert request for unknown ca with keyid 17:4a:b8:2b:5f:fb:05:67:75:27:ad:49:5a:4a:5d:c4:22:cc:ea:4e
Sep 16 13:38:58 coniston charon[22336]: 10[IKE] received cert request for unknown ca with keyid 7c:32:d4:85:fd:89:0a:66:b5:97:ce:86:f4:d5:26:a9:21:07:e8:3e
Sep 16 13:38:58 coniston charon[22336]: 10[IKE] received cert request for unknown ca with keyid 68:33:0e:61:35:85:21:59:29:83:a3:c8:d2:d2:e1:40:6e:7a:b3:c1
Sep 16 13:38:58 coniston charon[22336]: 10[IKE] received cert request for unknown ca with keyid 4f:9c:7d:21:79:9c:ad:0e:d8:b9:0c:57:9f:1a:02:99:e7:90:f3:87
Sep 16 13:38:58 coniston charon[22336]: 10[IKE] received cert request for unknown ca with keyid 07:7e:cc:1e:ac:67:63:39:57:f0:9f:0f:a8:35:de:bb:03:b9:9e:a3
Sep 16 13:38:58 coniston charon[22336]: 10[IKE] received cert request for unknown ca with keyid 58:fa:b0:7b:0a:60:e5:ff:bf:2b:72:72:38:4f:33:f2:56:89:cc:f2
Sep 16 13:38:58 coniston charon[22336]: 10[IKE] received 55 cert requests for an unknown ca
Sep 16 13:38:58 coniston charon[22336]: 10[CFG] looking for peer configs matching 128.16.3.161[%any]...128.16.5.164[128.16.5.164]
Sep 16 13:38:58 coniston charon[22336]: 10[CFG]   candidate "IKEv2-EAP_MSCHAPv2-RADIUS-iOS", match: 1/1/28 (me/other/ike)
Sep 16 13:38:58 coniston charon[22336]: 10[CFG]   candidate "IKEv2-EAP_MSCHAPv2-RADIUS", match: 1/1/28 (me/other/ike)
Sep 16 13:38:58 coniston charon[22336]: 10[CFG] selected peer config 'IKEv2-EAP_MSCHAPv2-RADIUS-iOS'
Sep 16 13:38:58 coniston charon[22336]: 10[IKE] initiating EAP_IDENTITY method (id 0x00)
Sep 16 13:38:58 coniston charon[22336]: 10[IKE] processing INTERNAL_IP4_ADDRESS attribute
Sep 16 13:38:58 coniston charon[22336]: 10[IKE] processing INTERNAL_IP4_DNS attribute
Sep 16 13:38:58 coniston charon[22336]: 10[IKE] processing INTERNAL_IP4_NBNS attribute
Sep 16 13:38:58 coniston charon[22336]: 10[IKE] processing INTERNAL_IP4_SERVER attribute
Sep 16 13:38:58 coniston charon[22336]: 10[IKE] received 55 cert requests for an unknown ca
Sep 16 13:38:58 coniston charon[22336]: 10[CFG] looking for peer configs matching 128.16.3.161[%any]...128.16.5.164[128.16.5.164]
Sep 16 13:38:58 coniston charon[22336]: 10[CFG]   candidate "IKEv2-EAP_MSCHAPv2-RADIUS-iOS", match: 1/1/28 (me/other/ike)
Sep 16 13:38:58 coniston charon[22336]: 10[CFG]   candidate "IKEv2-EAP_MSCHAPv2-RADIUS", match: 1/1/28 (me/other/ike)
Sep 16 13:38:58 coniston charon[22336]: 10[CFG] selected peer config 'IKEv2-EAP_MSCHAPv2-RADIUS-iOS'
Sep 16 13:38:58 coniston charon[22336]: 10[IKE] initiating EAP_IDENTITY method (id 0x00)
Sep 16 13:38:58 coniston charon[22336]: 10[IKE] processing INTERNAL_IP4_ADDRESS attribute
Sep 16 13:38:58 coniston charon[22336]: 10[IKE] processing INTERNAL_IP4_DNS attribute
Sep 16 13:38:58 coniston charon[22336]: 10[IKE] processing INTERNAL_IP4_NBNS attribute
Sep 16 13:38:58 coniston charon[22336]: 10[IKE] processing INTERNAL_IP4_SERVER attribute
Sep 16 13:38:58 coniston charon[22336]: 10[IKE] processing INTERNAL_IP6_ADDRESS attribute
Sep 16 13:38:58 coniston charon[22336]: 10[IKE] processing INTERNAL_IP6_DNS attribute
Sep 16 13:38:58 coniston charon[22336]: 10[IKE] processing INTERNAL_IP6_SERVER attribute
Sep 16 13:38:58 coniston charon[22336]: 10[IKE] peer supports MOBIKE
Sep 16 13:38:58 coniston charon[22336]: 10[IKE] authentication of '128.16.3.161' (myself) with RSA signature successful
Sep 16 13:38:58 coniston charon[22336]: 10[IKE] sending end entity cert "C=US, O=Premium, CN=128.16.3.161" 
Sep 16 13:38:58 coniston charon[22336]: 10[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
Sep 16 13:38:58 coniston charon[22336]: 10[NET] sending packet: from 128.16.3.161[4500] to 128.16.5.164[4500] (1200 bytes)
Sep 16 13:38:58 coniston charon[22336]: 10[MGR] checkin IKE_SA IKEv2-EAP_MSCHAPv2-RADIUS-iOS[1]
Sep 16 13:38:58 coniston charon[22336]: 10[MGR] checkin of IKE_SA successful
Sep 16 13:38:58 coniston charon[22336]: 04[NET] sending packet: from 128.16.3.161[4500] to 128.16.5.164[4500]
Sep 16 13:39:28 coniston charon[22336]: 14[MGR] checkout IKEv2 SA with SPIs a6b22726e7f2e2ff_i a7e8329620b59f3f_r
Sep 16 13:39:28 coniston charon[22336]: 14[MGR] IKE_SA IKEv2-EAP_MSCHAPv2-RADIUS-iOS[1] successfully checked out
Sep 16 13:39:28 coniston charon[22336]: 14[JOB] deleting half open IKE_SA with 128.16.5.164 after timeout
Sep 16 13:39:28 coniston charon[22336]: 14[MGR] checkin and destroy IKE_SA IKEv2-EAP_MSCHAPv2-RADIUS-iOS[1]
Sep 16 13:39:28 coniston charon[22336]: 14[IKE] IKE_SA IKEv2-EAP_MSCHAPv2-RADIUS-iOS[1] state change: CONNECTING => DESTROYING
Sep 16 13:39:28 coniston charon[22336]: 14[MGR] checkin and destroy of IKE_SA successful
Sep 16 13:41:19 coniston charon[22336]: 03[NET] received packet: from 128.16.5.164[500] to 128.16.3.161[500]
Sep 16 13:41:19 coniston charon[22336]: 03[NET] waiting for data on sockets
Sep 16 14:02:18 coniston charon[22504]: 08[IKE] received 55 cert requests for an unknown ca
Sep 16 14:02:18 coniston charon[22504]: 08[CFG] looking for peer configs matching 128.16.3.161[%any]...128.16.5.164[128.16.5.164]
Sep 16 14:02:18 coniston charon[22504]: 08[CFG]   candidate "IKEv2-EAP_MSCHAPv2-RADIUS", match: 1/1/28 (me/other/ike)
Sep 16 14:02:18 coniston charon[22504]: 08[CFG] selected peer config 'IKEv2-EAP_MSCHAPv2-RADIUS'
Sep 16 14:02:18 coniston charon[22504]: 08[IKE] initiating EAP_IDENTITY method (id 0x00)
Sep 16 14:02:18 coniston charon[22504]: 08[IKE] processing INTERNAL_IP4_ADDRESS attribute
Sep 16 14:02:18 coniston charon[22504]: 08[IKE] processing INTERNAL_IP4_DNS attribute
Sep 16 14:02:18 coniston charon[22504]: 08[IKE] processing INTERNAL_IP4_NBNS attribute
Sep 16 14:02:18 coniston charon[22504]: 08[IKE] processing INTERNAL_IP4_SERVER attribute
Sep 16 14:02:18 coniston charon[22504]: 08[IKE] processing INTERNAL_IP6_ADDRESS attribute
Sep 16 14:02:18 coniston charon[22504]: 08[IKE] processing INTERNAL_IP6_DNS attribute
Sep 16 14:02:18 coniston charon[22504]: 08[IKE] processing INTERNAL_IP6_SERVER attribute
Sep 16 14:02:18 coniston charon[22504]: 08[IKE] peer supports MOBIKE
Sep 16 14:02:18 coniston charon[22504]: 08[IKE] authentication of '128.16.3.161' (myself) with RSA signature successful
Sep 16 14:02:18 coniston charon[22504]: 08[IKE] sending end entity cert "C=US, O=Premium, CN=128.16.3.161" 
Sep 16 14:02:18 coniston charon[22504]: 08[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
Sep 16 14:02:18 coniston charon[22504]: 08[NET] sending packet: from 128.16.3.161[4500] to 128.16.5.164[4500] (1200 bytes)
Sep 16 14:02:18 coniston charon[22504]: 08[MGR] checkin IKE_SA IKEv2-EAP_MSCHAPv2-RADIUS[1]
Sep 16 14:02:18 coniston charon[22504]: 08[MGR] checkin of IKE_SA successful
Sep 16 14:02:18 coniston charon[22504]: 04[NET] sending packet: from 128.16.3.161[4500] to 128.16.5.164[4500]
Sep 16 14:02:48 coniston charon[22504]: 12[MGR] checkout IKEv2 SA with SPIs 011d3250ac0daad3_i 96dec3f57fb5266c_r
Sep 16 14:02:48 coniston charon[22504]: 12[MGR] IKE_SA IKEv2-EAP_MSCHAPv2-RADIUS[1] successfully checked out
Sep 16 14:02:48 coniston charon[22504]: 12[JOB] deleting half open IKE_SA with 128.16.5.164 after timeout
Sep 16 14:02:48 coniston charon[22504]: 12[MGR] checkin and destroy IKE_SA IKEv2-EAP_MSCHAPv2-RADIUS[1]
Sep 16 14:02:48 coniston charon[22504]: 12[IKE] IKE_SA IKEv2-EAP_MSCHAPv2-RADIUS[1] state change: CONNECTING => DESTROYING
Sep 16 14:02:48 coniston charon[22504]: 12[MGR] checkin and destroy of IKE_SA successful
Sep 16 14:04:10 coniston charon[22504]: 00[DMN] signal of type SIGINT received. Shutting down
Sep 16 14:04:10 coniston charon[22504]: 00[MGR] going to destroy IKE_SA manager and all managed IKE_SA's
Sep 16 14:04:10 coniston charon[22504]: 00[MGR] set driveout flags for all stored IKE_SA's
Sep 16 14:04:10 coniston charon[22504]: 00[MGR] wait for all threads to leave IKE_SA's

History

#1 Updated by Tobias Brunner about 1 month ago

  • Description updated (diff)
  • Status changed from New to Feedback

This has nothing to do with eap-radius or the Windows RADIUS server. Neither one of them is involved yet.

The client does not continue with the authentication after the server sent its IKE_AUTH response, so the SA is deleted after a timeout. It either doesn't like the EAP-Identity request or it doesn't trust the server's certificate. Check the client log for details.
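The check described in this reply, as an added example (not part of the issue or of strongSwan): read the responder's charon log and decide whether the initiator ever answered the IKE_AUTH response that carried the EAP-Identity request. The sample log is a constructed condensation of the lines quoted in the report; the only assumption is that a later "received packet" from the peer, before the half-open SA is reaped, means the negotiation continued.

```python
import re
from datetime import datetime

# Constructed sample: condensed from the charon messages quoted in this issue
# (one IKE_SA, responder side only), not a new capture.
SAMPLE_LOG = """\
Sep 16 14:02:18 coniston charon[22504]: 08[CFG] selected peer config 'IKEv2-EAP_MSCHAPv2-RADIUS'
Sep 16 14:02:18 coniston charon[22504]: 08[IKE] initiating EAP_IDENTITY method (id 0x00)
Sep 16 14:02:18 coniston charon[22504]: 08[IKE] authentication of '128.16.3.161' (myself) with RSA signature successful
Sep 16 14:02:18 coniston charon[22504]: 08[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
Sep 16 14:02:18 coniston charon[22504]: 08[NET] sending packet: from 128.16.3.161[4500] to 128.16.5.164[4500] (1200 bytes)
Sep 16 14:02:48 coniston charon[22504]: 12[JOB] deleting half open IKE_SA with 128.16.5.164 after timeout
Sep 16 14:02:48 coniston charon[22504]: 12[IKE] IKE_SA IKEv2-EAP_MSCHAPv2-RADIUS[1] state change: CONNECTING => DESTROYING
"""

# syslog prefix, then charon's "<thread>[<group>] <message>" format
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ charon\[\d+\]: "
    r"(?P<thr>\d+)\[(?P<grp>[A-Z]+)\] (?P<msg>.*)$")
TIMEOUT_RE = re.compile(r"deleting half open IKE_SA with (\S+) after timeout")


def diagnose(log_text: str) -> dict:
    """Decide where an IKEv2 EAP negotiation stalled, from the responder's log alone.

    If the initiator never answered the IKE_AUTH response carrying EAP/REQ/ID,
    the failure is on the client side: the EAP method and RADIUS were not reached.
    """
    auth_sent_at = answered = timeout_at = peer = None
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        msg = m["msg"]
        if "generating IKE_AUTH response" in msg and "EAP/REQ/ID" in msg:
            auth_sent_at = ts                      # EAP-Identity request went out
        elif auth_sent_at and timeout_at is None and msg.startswith("received packet: from"):
            answered = True                       # initiator kept talking after it
        elif t := TIMEOUT_RE.search(msg):
            timeout_at, peer = ts, t.group(1)     # half-open SA reaped by charon
    if auth_sent_at and timeout_at and not answered:
        verdict = "client stalled after EAP-Identity request; RADIUS not yet involved"
    elif auth_sent_at and answered:
        verdict = "EAP exchange started; look further along in the log"
    elif timeout_at:
        verdict = "timeout before IKE_AUTH response was ever generated"
    else:
        verdict = "no failed negotiation found"
    waited = (timeout_at - auth_sent_at).total_seconds() if auth_sent_at and timeout_at else None
    return {"verdict": verdict, "peer": peer, "seconds_waited": waited}


if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG))
```

On the report's own log this yields the first verdict with a 30 second wait, which is exactly the half-open timeout the reply refers to; the client log is the next place to look.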

#2 Updated by Tobias Brunner 23 days ago

  • Category set to configuration
  • Status changed from Feedback to Closed
  • Assignee set to Tobias Brunner
  • Resolution set to No feedback
