IKEv2 AD Radius/NPS



  • Good morning

    I've set up OpenVPN with radius authentication according to this how to:

    https://doc.pfsense.org/index.php/OpenVPN_with_RADIUS_via_Active_Directory

    All works well. I've also tested the authentication under Diagnostics > Authentication. All fine.

    Now I've set up IKEv2 with this how to:

    https://doc.pfsense.org/index.php/IKEv2_with_EAP-MSCHAPv2

    with the local database all is fine.

    I've set further settings with this how to:

    https://doc.pfsense.org/index.php/IKEv2_with_EAP-RADIUS

    And changed the user authentication in the mobile options to the radius server.

    I've tried it both with EAP-MSCHAPv2 and EAP-Radius in the VPN Mobile settings but both fail.

    With EAP-Radius I get error 691 and with mschap it asks me again and again for credentials but fails after 3 times.

    Looking at the log on the radius server, it doesn't seem to come through. As no log is created. With OpenVPN it is.

    Does somebody else have these problems?

    Thanks for your help

    PS: Pfsense V 2.3.1_5 and Using the Windows 7 Built in Client

    PPS: I've seen this bug report. Seems to be the same problem

    https://redmine.pfsense.org/issues/6481



  • This one happened to me too. I sent the guy who created the ticket an email but never got a reply and for some reason there's no way of leaving a comment.

    After several hours of great frustration I discovered that my long secure radius PSK key was too long for pfSense/Strongswan to handle. I cut down the length and then it suddenly worked. Don't know the max number of characters though.



  • @kacper:

    This one happened to me too. I sent the guy who created the ticket an email but never got a reply and for some reason there's no way of leaving a comment.

    You have to register and log in, then you can leave comments.

    Good to know about the long PSK, I'll check that when I get back to that ticket.



  • Thanks for the hint! Sadly it didn't work. Hope there will be a fix or something for this soon…



  • @cmb:

    You have to register and log in, then you can leave comments.

    That's what I need but I only see the option to edit or quote, and quote seems to be the same as edit with additional quoting. Maybe I'm blind but I can't see a comment link or button in Redmine.


  • Rebel Alliance Developer Netgate

    @geocast:

    Thanks for the hint! Sadly it didn't work. Hope there will be a fix or something for this soon…

    There isn't anything to fix if the problem from this thread wasn't relevant. The docs are fine, and it works OK even against NPS. I just tested it again a day or two ago. With a proper configuration, it works. Start a fresh thread if you haven't already and post more info about what you're seeing there.



  • Geocast had all the info, I should have looked at his whole post including the link to the bug report at the end.
    I could not see IPsec (Mobile IKEv2) client auth attempts coming through to my RADIUS server at all. It worked perfectly with EAP-MSCHAPv2 and local users though…
    Testing from Diagnostics > Authentication always worked and so did RADIUS auth with OpenVPN, so I knew that NPS was set up correctly.
    2-3 hours later it all came down to a tiny niggling bug taken from the link at the bottom of Geocast's post:

    Updated by Chris Buechler 4 months ago

    happened to encounter this with a support customer today. It appears a reload of strongswan doesn't correctly enable EAP_RADIUS, you have to restart or stop then start.

    Adam: if you reboot, or stop then start strongswan, does that work?

    #2  Updated by Randy Snow 3 months ago

    I wanted to jump in to say I just had this same issue on 2.3.2 today. Same log message and everything. Confirming you actually have to stop the process and then start it back up. The restart in the pfsense gui did not appear to remedy the issue.
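One way to verify the condition the Redmine comments describe before trusting a RADIUS-backed IKEv2 setup: check whether the running charon daemon actually has the eap-radius plugin loaded, and do a full stop/start rather than a reload if it does not. This is an added example, not code from the thread or from pfSense; it assumes strongSwan's `ipsec statusall`, `ipsec stop` and `ipsec start` commands are on the path, and the status text it parses is constructed sample output.

```shell
#!/bin/sh
# Added example (not from the thread). Parses the "loaded plugins:" line that
# `ipsec statusall` prints and checks for a named plugin. The parser takes the
# status text as an argument so it can be exercised on constructed samples.

# Constructed sample: what the status might look like after a plain reload,
# with eap-radius absent from the plugin list (hypothetical, truncated).
SAMPLE_AFTER_RELOAD='Status of IKE charon daemon (strongSwan, FreeBSD, amd64):
  uptime: 12 minutes, since Jun 01 08:00:00 2016
  loaded plugins: charon aes sha1 sha2 random nonce x509 openssl eap-identity eap-mschapv2 eap-tls'

# Constructed sample: after a full stop/start, eap-radius is present.
SAMPLE_AFTER_START='Status of IKE charon daemon (strongSwan, FreeBSD, amd64):
  uptime: 5 seconds, since Jun 01 08:12:00 2016
  loaded plugins: charon aes sha1 sha2 random nonce x509 openssl eap-identity eap-mschapv2 eap-tls eap-radius'

# has_plugin STATUS_TEXT PLUGIN -> exit 0 if PLUGIN appears as a whole token
# on the "loaded plugins:" line, non-zero otherwise.
has_plugin() {
    printf '%s\n' "$1" \
      | sed -n 's/^[[:space:]]*loaded plugins:[[:space:]]*//p' \
      | tr ' ' '\n' \
      | grep -qx -- "$2"
}

# ensure_eap_radius: query the live daemon; if eap-radius is missing, do the
# stop-then-start the bug report says is required (a reload is not enough).
ensure_eap_radius() {
    status=$(ipsec statusall 2>/dev/null) || { echo "ipsec not available"; return 2; }
    if has_plugin "$status" eap-radius; then
        echo "eap-radius plugin loaded"
        return 0
    fi
    echo "eap-radius not loaded; stopping and starting strongSwan"
    ipsec stop && sleep 2 && ipsec start
}
```

Run `ensure_eap_radius` on the firewall after changing the mobile client authentication source; if it reports the plugin missing, the RADIUS/NPS server will never see the request until charon is fully restarted.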


