Netgate Discussion Forum

IKEv2: loading EAP_RADIUS method failed

    viniciusferrao
    last edited by May 21, 2016, 5:59 PM

    Hello guys,

    I've a working IKEv2 VPN with EAP-MSCHAPv2, but I would like to use RADIUS instead. So I installed the FreeRADIUS 2 package on the same box and configured FreeRADIUS and the IKEv2 VPN accordingly. But nothing works.

    On the command line if I do something like this:

    radtest -t mschap username password 127.0.0.1 1812 mySuperFreaking31CharactersSecret
    

    It works as expected:

    Sending Access-Request of id 62 to 127.0.0.1 port 1812
    	User-Name = "username"
    	NAS-IP-Address = 192.168.30.1
    	NAS-Port = 1812
    	Message-Authenticator = 0x00000000000000000000000000000000
    	MS-CHAP-Challenge = 0xdeadbeef3102983091
    	MS-CHAP-Response = 0x00010000000000000000000000000000000000000000000000000380a9cb801280cd8e018ef8012986ffa880aac
    rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=62, length=84
    	MS-CHAP-MPPE-Keys = 0x517831729acbd8789313ef31809bdcccaeff80ab8d37880000000000000000
    	MS-MPPE-Encryption-Policy = 0x00000001
    	MS-MPPE-Encryption-Types = 0x00000006
    

    FreeRADIUS was running with radiusd -X on the CLI and I can see all the negotiation during the radtest command. But when I try to authenticate with the IKEv2 VPN, RADIUS simply does nothing. Nothing appears on the radiusd -X output.

    So I think it's a problem on the IKEv2 setup. Since it was working with EAP-MSCHAPv2 it should be something only related to EAP-RADIUS.

    Anyway anyone with the same problem?

      jimp Rebel Alliance Developer Netgate
      last edited by May 23, 2016, 8:00 PM

      Works fine here. You have the RADIUS server defined under System > User Manager on the Servers tab? And selected under VPN > IPsec on the Mobile Clients tab? Does a test authentication from Diagnostics > Authentication succeed?

        viniciusferrao
        last edited by May 24, 2016, 3:30 PM

        @jimp:

        Works fine here. You have the RADIUS server defined under System > User Manager on the Servers tab? And selected under VPN > IPsec on the Mobile Clients tab? Does a test authentication from Diagnostics > Authentication succeed?

        Hello jimp.

        I've configured the RADIUS server on the System > User Manager > Authentication Servers.

        Created it with the localhost 127.0.0.1 address, put the shared secret and only marked Authentication as Services offered.

        On the VPN settings I've selected the created RADIUS Authentication Service on the previous menu.

        Finally the Diag test executed successfully:

        User: ferrao authenticated successfully. This user is a member of groups:
        

        Any other idea?

          viniciusferrao
          last edited by Jun 7, 2016, 1:17 AM

          @jimp with the 2.3.1 update things started working without any modification. I'm not sure what happened.

            slamotte
            last edited by Aug 6, 2016, 10:40 PM

            I'm at 2.3.2 and am having the exact same issue, "loading EAP_RADIUS method failed" in the logs with a fresh setup. Very frustrating, has anyone worked this out?

              Derelict LAYER 8 Netgate
              last edited by Aug 6, 2016, 10:42 PM

              Try completely stopping and restarting IPsec.

                slamotte
                last edited by Aug 6, 2016, 10:51 PM

                Thank you, that did it! I just found an 18-month-old post that described the exact same thing and they too had wasted hours on this…

                  dbielen
                  last edited by Nov 9, 2016, 2:04 PM

                  Yep, that's it, as per this bug report:
                  https://redmine.pfsense.org/issues/6481
                  Stop, then start; the reload doesn't cut it when going from EAP-MSCHAPv2 to EAP-RADIUS.

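A log triage for the symptom in this thread, as an added example that is not part of the original posts: for the most recent charon start only, it reports whether `eap-radius` was in the daemon's loaded plugin list and how many times the failure message followed. The log lines are constructed, and the `Starting IKE charon daemon` and `loaded plugins:` markers are assumed to match the startup output of your strongSwan build.

```shell
#!/bin/sh
# Added example (not from the thread): triage a charon log for
# "loading EAP_RADIUS method failed".
# SAMPLE_LOG is constructed for illustration; hostnames, timestamps and
# plugin lists are made up.
SAMPLE_LOG='Aug  6 22:01:10 fw charon: 00[DMN] Starting IKE charon daemon (constructed sample)
Aug  6 22:01:10 fw charon: 00[LIB] loaded plugins: charon aes sha2 eap-mschapv2 eap-identity
Aug  6 22:30:02 fw charon: 09[CFG] rereading secrets
Aug  6 22:31:44 fw charon: 11[IKE] loading EAP_RADIUS method failed
Aug  6 22:40:00 fw charon: 00[DMN] Starting IKE charon daemon (constructed sample)
Aug  6 22:40:00 fw charon: 00[LIB] loaded plugins: charon aes sha2 eap-mschapv2 eap-identity eap-radius'

# triage_log: read a charon log on stdin. Counters reset at every daemon
# start, so the verdict describes only the currently running daemon.
triage_log() {
    awk '
        BEGIN { plugin = "unknown"; fail = 0 }
        # A new daemon start invalidates everything seen before it.
        /Starting IKE charon daemon/ { plugin = "unknown"; fail = 0 }
        # The plugin list is logged once per start.
        /loaded plugins:/ { plugin = ($0 ~ /eap-radius/) ? "loaded" : "missing" }
        # The message from the thread title.
        /loading EAP_RADIUS method failed/ { fail++ }
        END {
            verdict = (fail > 0) ? "stop-then-start" : "ok"
            printf "eap-radius=%s failures=%d verdict=%s\n", plugin, fail, verdict
        }'
}

# Demo on the constructed sample: the second start loaded eap-radius.
printf '%s\n' "$SAMPLE_LOG" | triage_log
```

A non-zero failure count after the latest start points at the fix given above: stop IPsec completely, then start it, rather than reloading.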