IKEv2 + OSX + Radius ?
-
Anyone got IKEv2 + Radius working with OSX clients?
I can connect with local database + EAP-MSChapv2, but if I try to switch to Radius, it logs…
16[IKE] <bypasslan|15> peer requested EAP, config inacceptable
16[CFG] <bypasslan|15> no alternative config found
…and gives up.
-
Do you have a radius server configured? Are you using FreeRADIUS on Pfsense:
https://doc.pfsense.org/index.php/FreeRADIUS_2.x_package
Or an external radius server/directory? I recently battled IKEv2 and EAP radius for use on Windows and Androids so it does work. Can't say for certain about OSX but, I would think, things are, at least, similar.
-
Yes, the Radius server works fine with OpenVPN (on pfsense) and L2TP (Softether on another host).
Pfsense is version 2.3.3-RELEASE-p1. I've seen a few posts about Windows, where the issues were solved by tweaking VPN client settings. Unfortunately OSX has virtually no config options at all.
-
That's probably the issue. My guess is it is using some hard-coded defaults. I found this:
https://wiki.strongswan.org/issues/1233
It makes it appear that Mac OSX wants to use EAP-TLS by default. The answer may be the use of the Apple Configurator to create the profile in a way that will allow you to match all the appropriate options to the server. See below:
https://serverfault.com/questions/803801/strongswan-ikev2-vpn-on-os-x-10-11-and-ios-10-clients
-
Thank you. I wouldn't mind using EAP-TLS (or EAP-MSChapv2), but apparently EAP-RADIUS is the only one that actually tests the credentials against a Radius server, even if one is selected on the "Mobile Clients" tab instead of local database?
Btw, what in fact is "EAP-RADIUS"? I can't seem to find any mention of such an authentication scheme anywhere except pfSense. I always thought Radius is just a backend for checking credentials against.
Using Apple Configurator or such to change the settings is a bit too much to ask from end users of the VPN, so I guess I'll just have to give up. Given how complicated getting VPNs to work usually is, it's a little baffling how few options the OSX GUI for IKEv2 gives, and how it just silently fails without any error messages / diagnostics at all.
-
Well, your best option would be to use the configurator to create a profile that is suited for your users and then deploy it to them either manually or, if possible, automatically. I'm not sure how easy or difficult it would be. I figure, once you have a working configuration profile, you just provide it to all users who need it.
Well, I think eap-mschapv2 is only for local username/password/keys on the pfsense firewall. If you want to use remote authentication, you use a backend radius server (though, I've read LDAP works as well). The client is generally configured with eap-mschapv2 and you configure the firewall to authenticate to the backend radius server using the authentication method of eap. Pfsense just happens to call it eap-radius, whereas other firewalls I've worked with just configure it as eap-mschapv2 and tell you to point to your configured radius servers for backend authentication.
-
Elnadmin, the EAP-RADIUS auth scheme just means you're using a radius server to authenticate your IKEv2 clients instead of using the pre-shared keys on the IPSec pfsense tab.
Your initiator becomes a supplicant and will send authentication to your vpn server, which becomes a radius client that forwards the request to the radius server, which in turn will perform authentication.
I'm trying to explain it as simply as I can in English, which is not my primary language, and I hope I understood your issue correctly. Think of the RADIUS server as a sort of "authentication gateway" that receives the authentication requests from some devices (in your case the VPN server) and authenticates or redirects authentication to the right server accordingly (could be locally, against an LDAP server like a domain controller, or certificate based), and replies back with a YES or NO and eventually some other messages. It's completely transparent to the device you're connecting with, which will use the authentication configured on the radius server itself. Depending on how you configure authentication on the radius server, you need to set up clients accordingly. If you're using certificates to authenticate clients you're likely to use EAP-TLS; if you use usernames and passwords, you're very likely to use EAP-MSCHAPv2.
All those protocols can be configured in the FreeRADIUS:EAP/EAP section in the package configuration section; it's up to you to decide which one. The main advantage of using a RADIUS server instead of the internal database is that you can use the same authentication server for multiple devices, such as network devices (managed switches and routers which normally don't support more complex authentication schemes), VPN servers, 802.1x networks and well, you get the idea. It's a standard protocol for Authentication, Authorization and (eventually) Accounting.
EDIT: in your case, under mobile clients you must also select the radius server database. You can configure pfsense to use other databases for authentication under Settings / User Manager / Authentication Servers, then your vpn server to use EAP-RADIUS, and your radius server with the correct EAP authentication.
From the message you posted in your first post, it seems the IPSec server is not configured to accept EAP requests. What protocol do you have under the P1 auth method and under FREERADIUS/EAP?
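To make the "VPN server becomes a radius client" step above concrete, here is an added example (not code from this thread, pfSense or strongSwan) that builds the RADIUS Access-Request a VPN gateway would send when forwarding a client's EAP-Response/Identity, and shows the Message-Authenticator check (HMAC-MD5 over the packet, RFC 3579) that the RADIUS server uses to reject forged or tampered EAP-carrying requests. The shared secret, identity and request authenticator are constructed sample values.

```python
import hmac
import struct

# RADIUS code and attribute types (RFC 2865 / RFC 3579)
ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80

def eap_response_identity(eap_id: int, identity: bytes) -> bytes:
    """EAP-Response (code 2) of type Identity (1), as the supplicant sent it over IKEv2."""
    payload = bytes([1]) + identity
    return struct.pack("!BBH", 2, eap_id, 4 + len(payload)) + payload

def attr(attr_type: int, value: bytes) -> bytes:
    """One RADIUS attribute: Type, Length (incl. header), Value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value

def build_access_request(secret: bytes, identity: bytes, eap: bytes,
                         ident: int, request_auth: bytes) -> bytes:
    """Wrap an EAP message in an Access-Request, as the NAS (VPN server) does.
    Message-Authenticator = HMAC-MD5(secret, packet with its value zeroed)."""
    attrs = attr(ATTR_USER_NAME, identity) + attr(ATTR_EAP_MESSAGE, eap)
    zeroed = attrs + attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(zeroed)) + request_auth
    mac = hmac.new(secret, header + zeroed, "md5").digest()
    return header + attrs + attr(ATTR_MESSAGE_AUTHENTICATOR, mac)

def verify_message_authenticator(secret: bytes, packet: bytes) -> bool:
    """Server-side check: recompute the HMAC with the attribute value zeroed and
    compare in constant time. Any change to identity, EAP payload or header fails."""
    if len(packet) < 20:
        return False
    header, body = packet[:20], packet[20:]
    pos, found, zeroed = 0, None, b""
    while pos < len(body):
        if pos + 2 > len(body):
            return False
        t, length = body[pos], body[pos + 1]
        if length < 2 or pos + length > len(body):
            return False
        if t == ATTR_MESSAGE_AUTHENTICATOR and length == 18:
            found = body[pos + 2:pos + 18]
            zeroed += body[pos:pos + 2] + bytes(16)
        else:
            zeroed += body[pos:pos + length]
        pos += length
    if found is None:
        return False  # RFC 3579: requests carrying EAP-Message must include it
    expected = hmac.new(secret, header + zeroed, "md5").digest()
    return hmac.compare_digest(found, expected)
```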