Issue #1071

Updated by Tobias Brunner over 6 years ago

Hi,

When a connection profile that follows the %default profile contains eap_identity with a userid, the profile fails to match and the authentication towards RADIUS with EAP-MSCHAPv2 fails despite the credentials being correct. When adding a connection profile straight after the %default profile that does not contain any matches and strongSwan chooses to try the next, the matching works.

*Unsuccessful login:*
<pre>
Aug 17 23:39:52 adm-vpn1-t charon: 08[IKE] sending cert request for "nnnn"
Aug 17 23:39:52 adm-vpn1-t charon: 08[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Aug 17 23:39:52 adm-vpn1-t charon: 08[NET] sending packet: from nnn[500] to nnn[500] (333 bytes)
Aug 17 23:39:52 adm-vpn1-t charon: 09[NET] received packet: from nnnn[38632] to nnn[4500] (1076 bytes)
Aug 17 23:39:52 adm-vpn1-t charon: 09[ENC] parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CPRQ(ADDR DNS NBNS SRV) SA TSi TSr ]
Aug 17 23:39:52 adm-vpn1-t charon: 09[IKE] received 42 cert requests for an unknown ca
Aug 17 23:39:52 adm-vpn1-t charon: 09[CFG] looking for peer configs matching nnn[%any]...nnn[10.0.0.20]
Aug 17 23:39:52 adm-vpn1-t charon: 09[CFG] selected peer config 'roger'
Aug 17 23:39:52 adm-vpn1-t charon: 09[IKE] using configured EAP-Identity roger
Aug 17 23:39:52 adm-vpn1-t charon: 09[CFG] sending RADIUS Access-Request to server 'primary'
Aug 17 23:39:52 adm-vpn1-t charon: 09[CFG] received RADIUS Access-Challenge from server 'primary'
Aug 17 23:39:52 adm-vpn1-t charon: 09[IKE] initiating EAP_MD5 method (id 0x01)
Aug 17 23:39:52 adm-vpn1-t charon: 09[IKE] peer supports MOBIKE
Aug 17 23:39:52 adm-vpn1-t charon: 09[IKE] authentication of 'nnnn' (myself) with RSA signature successful
Aug 17 23:39:52 adm-vpn1-t charon: 09[IKE] sending end entity cert "nnnn"
Aug 17 23:39:52 adm-vpn1-t charon: 09[IKE] sending issuer cert "nnn"
Aug 17 23:39:52 adm-vpn1-t charon: 09[ENC] generating IKE_AUTH response 1 [ IDr CERT CERT AUTH EAP/REQ/MD5 ]
Aug 17 23:39:52 adm-vpn1-t charon: 09[NET] sending packet: from nnn[4500] to nnn[38632] (2636 bytes)
Aug 17 23:39:52 adm-vpn1-t charon: 10[NET] received packet: from nnnn[38632] to nnn[4500] (68 bytes)
Aug 17 23:39:52 adm-vpn1-t charon: 10[ENC] parsed IKE_AUTH request 2 [ EAP/RES/NAK ]
Aug 17 23:39:52 adm-vpn1-t charon: 10[CFG] sending RADIUS Access-Request to server 'primary'
Aug 17 23:39:52 adm-vpn1-t charon: 10[CFG] received RADIUS Access-Challenge from server 'primary'
Aug 17 23:39:52 adm-vpn1-t charon: 10[ENC] generating IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
Aug 17 23:39:52 adm-vpn1-t charon: 10[NET] sending packet: from nnn[4500] to nnn[38632] (92 bytes)
Aug 17 23:39:52 adm-vpn1-t charon: 16[NET] received packet: from nnn[38632] to nnn[4500] (124 bytes)
Aug 17 23:39:52 adm-vpn1-t charon: 16[ENC] parsed IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]
Aug 17 23:39:52 adm-vpn1-t charon: 16[CFG] sending RADIUS Access-Request to server 'primary'
Aug 17 23:39:53 adm-vpn1-t charon: 11[MGR] ignoring request with ID 3, already processing
Aug 17 23:39:53 adm-vpn1-t charon: 16[CFG] received RADIUS Access-Reject from server 'primary'
Aug 17 23:39:53 adm-vpn1-t charon: 16[IKE] RADIUS authentication of 'roger' failed
Aug 17 23:39:53 adm-vpn1-t charon: 16[IKE] EAP method EAP_MSCHAPV2 failed for peer 10.0.0.20
Aug 17 23:39:53 adm-vpn1-t charon: 16[ENC] generating IKE_AUTH response 3 [ EAP/FAIL ]
Aug 17 23:39:53 adm-vpn1-t charon: 16[NET] sending packet: from 91.203.117.210[4500] to 212.251.208.51[38632] (68 bytes)
</pre>

*Successful login:*
<pre>
Aug 17 23:40:34 adm-vpn1-t charon: 11[IKE] sending issuer cert "nnnnn"
Aug 17 23:40:34 adm-vpn1-t charon: 11[ENC] generating IKE_AUTH response 1 [ IDr CERT CERT AUTH EAP/REQ/ID ]
Aug 17 23:40:34 adm-vpn1-t charon: 11[NET] sending packet: from nnnn[4500] to nnn[38632] (2620 bytes)
Aug 17 23:40:34 adm-vpn1-t charon: 12[NET] received packet: from nnnn[38632] to nnnn[4500] (76 bytes)
Aug 17 23:40:34 adm-vpn1-t charon: 12[ENC] parsed IKE_AUTH request 2 [ EAP/RES/ID ]
Aug 17 23:40:34 adm-vpn1-t charon: 12[IKE] received EAP identity 'testbruker'
Aug 17 23:40:34 adm-vpn1-t charon: 12[CFG] sending RADIUS Access-Request to server 'primary'
Aug 17 23:40:34 adm-vpn1-t charon: 12[CFG] received RADIUS Access-Challenge from server 'primary'
Aug 17 23:40:34 adm-vpn1-t charon: 12[IKE] initiating EAP_MD5 method (id 0x01)
Aug 17 23:40:34 adm-vpn1-t charon: 12[ENC] generating IKE_AUTH response 2 [ EAP/REQ/MD5 ]
Aug 17 23:40:34 adm-vpn1-t charon: 12[NET] sending packet: from nnnn[4500] to nnnn[38632] (84 bytes)
Aug 17 23:40:34 adm-vpn1-t charon: 16[NET] received packet: from nnnn[38632] to nnn[4500] (68 bytes)
Aug 17 23:40:34 adm-vpn1-t charon: 16[ENC] parsed IKE_AUTH request 3 [ EAP/RES/NAK ]
Aug 17 23:40:34 adm-vpn1-t charon: 16[CFG] sending RADIUS Access-Request to server 'primary'
Aug 17 23:40:34 adm-vpn1-t charon: 16[CFG] received RADIUS Access-Challenge from server 'primary'
Aug 17 23:40:34 adm-vpn1-t charon: 16[ENC] generating IKE_AUTH response 3 [ EAP/REQ/MSCHAPV2 ]
Aug 17 23:40:34 adm-vpn1-t charon: 16[NET] sending packet: from nnnn[4500] to nnn[38632] (100 bytes)
Aug 17 23:40:34 adm-vpn1-t charon: 04[NET] received packet: from nnnn[38632] to nnnn[4500] (132 bytes)
Aug 17 23:40:34 adm-vpn1-t charon: 04[ENC] parsed IKE_AUTH request 4 [ EAP/RES/MSCHAPV2 ]
Aug 17 23:40:34 adm-vpn1-t charon: 04[CFG] sending RADIUS Access-Request to server 'primary'
Aug 17 23:40:34 adm-vpn1-t charon: 04[CFG] received RADIUS Access-Challenge from server 'primary'
Aug 17 23:40:34 adm-vpn1-t charon: 04[ENC] generating IKE_AUTH response 4 [ EAP/REQ/MSCHAPV2 ]
Aug 17 23:40:34 adm-vpn1-t charon: 04[NET] sending packet: from nnnn[4500] to nnnn[38632] (108 bytes)
Aug 17 23:40:34 adm-vpn1-t charon: 15[NET] received packet: from nnnnnn[38632] to nnnn[4500] (68 bytes)
Aug 17 23:40:34 adm-vpn1-t charon: 15[ENC] parsed IKE_AUTH request 5 [ EAP/RES/MSCHAPV2 ]
Aug 17 23:40:34 adm-vpn1-t charon: 15[CFG] sending RADIUS Access-Request to server 'primary'
Aug 17 23:40:34 adm-vpn1-t charon: 15[CFG] received RADIUS Access-Accept from server 'primary'
Aug 17 23:40:34 adm-vpn1-t charon: 15[IKE] RADIUS authentication of 'testbruker' successful
Aug 17 23:40:34 adm-vpn1-t charon: 15[IKE] EAP method EAP_MSCHAPV2 succeeded, MSK established
Aug 17 23:40:34 adm-vpn1-t charon: 15[ENC] generating IKE_AUTH response 5 [ EAP/SUCC ]
Aug 17 23:40:34 adm-vpn1-t charon: 15[NET] sending packet: from nnnn[4500] to nnnnnn[38632] (68 bytes)
Aug 17 23:40:34 adm-vpn1-t charon: 06[NET] received packet: from nnn[38632] to nnn[4500] (84 bytes)
Aug 17 23:40:34 adm-vpn1-t charon: 06[ENC] parsed IKE_AUTH request 6 [ AUTH ]
Aug 17 23:40:34 adm-vpn1-t charon: 06[IKE] authentication of '10.0.0.20' with EAP successful
Aug 17 23:40:34 adm-vpn1-t charon: 06[CFG] constraint check failed: group membership to 'finnesikke' required
Aug 17 23:40:34 adm-vpn1-t charon: 06[CFG] selected peer config 'dummy' inacceptable: non-matching authentication done
Aug 17 23:40:34 adm-vpn1-t charon: 06[CFG] switching to peer config 'roger'
Aug 17 23:40:34 adm-vpn1-t charon: 06[CFG] constraint check failed: EAP identity 'roger' required
Aug 17 23:40:34 adm-vpn1-t charon: 06[CFG] selected peer config 'roger' inacceptable: non-matching authentication done
Aug 17 23:40:34 adm-vpn1-t charon: 06[CFG] switching to peer config 'testbruker'
Aug 17 23:40:34 adm-vpn1-t charon: 06[IKE] authentication of 'vpn-test.bch.no' (myself) with EAP
Aug 17 23:40:34 adm-vpn1-t charon: 06[IKE] IKE_SA testbruker[1] established between nnnn[nnnn]...nnnnn[nnn]
Aug 17 23:40:34 adm-vpn1-t charon: 06[IKE] scheduling reauthentication in 27888s
Aug 17 23:40:34 adm-vpn1-t charon: 06[IKE] maximum IKE_SA lifetime 28428s
Aug 17 23:40:34 adm-vpn1-t charon: 06[IKE] peer requested virtual IP %any
Aug 17 23:40:34 adm-vpn1-t charon: 06[IKE] assigning virtual IP 10.0.0.10 to peer 'testbruker'
Aug 17 23:40:34 adm-vpn1-t charon: 06[IKE] CHILD_SA testbruker{1} established with SPIs c3f4ff2e_i 6b5a1fa6_o and TS 6.6.6.4/30 10.220.0.0/16 === 10.0.0.10/32
Aug 17 23:40:34 adm-vpn1-t charon: 06[ENC] generating IKE_AUTH response 6 [ AUTH CPRP(ADDR) SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(NO_ADD_ADDR) ]
Aug 17 23:40:34 adm-vpn1-t charon: 06[NET] sending packet: from nnnnn[4500] to nnnnn[38632] (236 bytes)
</pre>

*The configuration:*
<pre>
conn %default
    fragmentation = yes
    keyexchange = ikev2
    reauth = yes
    forceencaps = yes
    mobike = yes
    rekey = yes
    installpolicy = yes
    type = tunnel
    dpdaction = clear
    dpddelay = 10s
    dpdtimeout = 60s
    auto = add
    left = nnn
    right = %any
    leftid = nnn
    compress = yes
    ikelifetime = 28800s
    lifetime = 3600s
    rightsourceip = 10.221.100.0/22
    ike = 3des-sha1-modp1024
    esp = aes256-sha1,aes192-sha1,aes128-sha1
    eap_identity = %identity
    leftauth = pubkey
    rightauth = eap-radius
    # rightauth=eap-mschapv2
    leftcert=/etc/ipsec.d/certs/nnn
    # Apple devices do not request certificate so we need to push it
    leftsendcert = always
    leftsubnet = nnn
    leftdns = nnn

# fails EAP matching without this entry
conn dummy
    rightgroups = finnesikke
    leftsubnet = 255.255.255.255/32

conn roger
    eap_identity = roger
    leftsubnet = 5.5.5.5/30
    rightsourceip = %radius

conn testbruker
    eap_identity = testbruker
    leftsubnet = 6.6.6.6/30,10.220.0.0/16
    rightsourceip = %radius

conn test
    eap_identity = test
    leftsubnet = 7.7.7.7/30
</pre>
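Added example, not part of the report or of strongSwan itself: a small Python triage script that reads charon lines like the two sessions quoted above and reports whether the EAP identity came from the selected conn's eap_identity (the failing case, where no EAP/REQ/ID is sent) or from the peer's EAP/RES/ID, and which peer config switches followed. The log excerpts are constructed from the sessions in the report; the field names and the diagnosis wording are assumptions of the example.

```python
import re

# Constructed excerpts of the two charon sessions quoted in the report above.
FAILED_LOGIN = """\
Aug 17 23:39:52 adm-vpn1-t charon: 09[CFG] selected peer config 'roger'
Aug 17 23:39:52 adm-vpn1-t charon: 09[IKE] using configured EAP-Identity roger
Aug 17 23:39:53 adm-vpn1-t charon: 16[IKE] RADIUS authentication of 'roger' failed
"""
OK_LOGIN = """\
Aug 17 23:40:34 adm-vpn1-t charon: 12[IKE] received EAP identity 'testbruker'
Aug 17 23:40:34 adm-vpn1-t charon: 15[IKE] RADIUS authentication of 'testbruker' successful
Aug 17 23:40:34 adm-vpn1-t charon: 06[CFG] switching to peer config 'roger'
Aug 17 23:40:34 adm-vpn1-t charon: 06[CFG] switching to peer config 'testbruker'
Aug 17 23:40:34 adm-vpn1-t charon: 06[IKE] IKE_SA testbruker[1] established between nnnn[nnnn]...nnnnn[nnn]
"""
LINE = re.compile(r"charon: \d+\[\w+\] (?P<msg>.*)$")
RULES = [  # (pattern over the message, field name, capture group holding the value)
    (re.compile(r"^selected peer config '([^']+)'$"), "initial_config", 1),
    (re.compile(r"^using configured EAP-Identity (\S+)"), "configured_identity", 1),
    (re.compile(r"^received EAP identity '([^']+)'"), "peer_identity", 1),
    (re.compile(r"^RADIUS authentication of '([^']+)' (successful|failed)"), "radius", 2),
    (re.compile(r"^switching to peer config '([^']+)'"), "switches", 1),
    (re.compile(r"^IKE_SA (\S+)\[\d+\] established"), "final_config", 1),
]

def parse_session(log: str) -> dict:
    """Reduce one IKE_AUTH exchange's charon lines to the fields that decide the outcome."""
    s = {"switches": []}
    for line in log.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        for rx, field, grp in RULES:
            hit = rx.match(m["msg"])
            if hit and field == "switches":
                s["switches"].append(hit.group(grp))
            elif hit:
                s[field] = hit.group(grp)
    return s

def diagnose(s: dict) -> str:
    """Say which side supplied the EAP identity and how that decided the result."""
    if s.get("configured_identity") and s.get("radius") == "failed":
        return (f"conn '{s.get('initial_config')}' supplied EAP identity '{s['configured_identity']}' "
                "itself (no EAP/REQ/ID sent), so other RADIUS users cannot pass through it")
    if s.get("peer_identity") and s.get("radius") == "successful":
        return (f"peer sent identity '{s['peer_identity']}', RADIUS accepted it, config "
                f"switched via {' -> '.join(s['switches']) or 'none'} to '{s.get('final_config')}'")
    return "inconclusive"
```

Run `diagnose(parse_session(FAILED_LOGIN))` and `diagnose(parse_session(OK_LOGIN))` to see the two outcomes side by side; feeding it a full `charon` log split per IKE_SA gives the same summary for real sessions.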
