IKEv2 VPN with EAP-RADIUS will not authenticate
-
I am testing IPSEC mobile VPN with EAP-RADIUS authentication to Windows Server 2012 R2 running NPS. I have EAP-MSCHAPv2 working OK, but I want to authenticate to RADIUS so that users can login with their domain passwords.
I have setup EAP-RADIUS as per the guides and the authentication test in the pfsense works OK and I get a successful authentication log on the Windows NPS server too. When I attempt a VPN connection with the same profile that works for EAP-MSCHAPv2, but just changed to EAP-RADIUS with the working RADIUS config, it fails to login and I get the following message on the NPS server.
"An Access-Request message was received from RADIUS client 192.168.120.254 with a Message-Authenticator attribute that is not valid."
I read somewhere that this message could be an incorrect key, but the auth test passes fines plus I have set the key several times to be sure and used a simple 10 digit key too (just in the self-generated one in NPS was too long).
I am running the latest pfsense build 2.3.2_1 Can anybody throw some light on this? I have been testing this for the past week and feel that I am so close to a working solution.
-
Did you do this: https://doc.pfsense.org/index.php/IKEv2_with_EAP-RADIUS
-
Yes, that has all been done. It took a lot of work to get the authentication working initially using the 'Diagnostics' -> 'Authentication' but that is now fine.
The authentication as part of the vpn connection must do something different that Windows NPS doesn't like.
-
EAP is completely different. That diagnostic does not test it. Double-check all your NPS settings.
-
Specifically, look in the NPS policy settings and ensure the options for EAP and MS-CHAPv2 are active. If it works from Diag > Auth but not from IPsec, it's 100% on your NPS settings.
-
OK, I solved it. All indications on this error message were to do with a mismatch between the Radius settings in pfsense and the Radius client in NPS. No amount of changing the settings worked UNTIL, I rebooted the pfsense. I got the idea from a post I found about Watchguard firewalls (go figure! bsd based?) where you have to reboot the unit to effect changes to radius settings.
After rebooting and adjusting my NPS Connection and Network Policies, the VPN connects and authenticates using domain credentials. One tip for anybody with Wireless Access Points authenticating to the same NPS. Create separate policies for IKEv2 auth and use the condition 'Client Friendly Name' and set this to same value as your Distinguished Name in the phase I settings. This will differentiate it from either your default or WifI PEAP policy and use MSCHAPv2 authentication.