IPsec with EAP-MSCHAPv2 fails for iOS clients



  • Hey friends,
    I've been banging my head against the wall working on an EAP-MSCHAPv2 auth solution for iOS clients.
    I think I'm close, but something major keeps failing.

    I've got the encryption for P1 working. The problem is with EAP. Whatever I put in for the username becomes part of this error:
    no EAP key found for hosts 'myserver.myhost.cc' - 'MYUSER'

    So far, I haven't seen any requests actually hit my RADIUS server (which is what's selected in the mobile conf tab in pfSense as my identity server).

    If I remove user/pass and just use a PSK, it connects (doesn't pass traffic…but at least my P1 works).

    Anyone seen that error and have any tips for troubleshooting?

    In the logs below, I've changed my external DNS name to myserver.myhost.cc and I've changed my user's short name to MYUSER.

    May 15 23:40:13	charon		12[ENC] <con5|27> generating IKE_AUTH response 3 [ EAP/REQ/MSCHAPV2 ]
    May 15 23:40:11	charon		12[IKE] <con5|27> EAP-MS-CHAPv2 verification failed, retry (1)
    May 15 23:40:11	charon		12[IKE] <con5|27> no EAP key found for hosts 'myserver.myhost.cc' - 'MYUSER'
    May 15 23:40:11	charon		12[ENC] <con5|27> parsed IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]
    May 15 23:40:11	charon		12[NET] <con5|27> received packet: from 166.170.37.181[30218] to 157.131.xxx.yyy[4500] (144 bytes)
    May 15 23:40:11	charon		12[NET] <con5|27> sending packet: from 157.131.xxx.yyy[4500] to 166.170.37.181[30218] (112 bytes)
    May 15 23:40:11	charon		12[ENC] <con5|27> generating IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
    May 15 23:40:11	charon		12[IKE] <con5|27> initiating EAP_MSCHAPV2 method (id 0x9A)
    May 15 23:40:11	charon		12[IKE] <con5|27> received EAP identity 'MYUSER'
    May 15 23:40:11	charon		12[ENC] <con5|27> parsed IKE_AUTH request 2 [ EAP/RES/ID ]
    May 15 23:40:11	charon		12[NET] <con5|27> received packet: from 166.170.37.181[30218] to 157.131.xxx.yyy[4500] (96 bytes)
    May 15 23:40:11	charon		12[NET] <con5|27> sending packet: from 157.131.xxx.yyy[4500] to 166.170.37.181[30218] (452 bytes)
    May 15 23:40:11	charon		12[NET] <con5|27> sending packet: from 157.131.xxx.yyy[4500] to 166.170.37.181[30218] (1236 bytes)
    May 15 23:40:11	charon		12[ENC] <con5|27> generating IKE_AUTH response 1 [ EF(2/2) ]
    May 15 23:40:11	charon		12[ENC] <con5|27> generating IKE_AUTH response 1 [ EF(1/2) ]
    May 15 23:40:11	charon		12[ENC] <con5|27> splitting IKE message with length of 1616 bytes into 2 fragments
    May 15 23:40:11	charon		12[ENC] <con5|27> generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
    May 15 23:40:11	charon		12[IKE] <con5|27> sending end entity cert "C=US, ST=DC, L=Wshington, O=NSnet, E=nd@xxxxxx.zzz, CN=myserver.myhost.cc"
    May 15 23:40:11	charon		12[IKE] <con5|27> authentication of 'myserver.myhost.cc' (myself) with RSA signature successful
    May 15 23:40:11	charon		12[IKE] <con5|27> peer supports MOBIKE
    May 15 23:40:11	charon		12[IKE] <con5|27> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
    May 15 23:40:11	charon		12[IKE] <con5|27> initiating EAP_IDENTITY method (id 0x00)
    May 15 23:40:11	charon		12[CFG] <con5|27> selected peer config 'con5'
    May 15 23:40:11	charon		12[CFG] <27> looking for peer configs matching 157.131.xxx.yyy[myserver.myhost.cc]...166.170.37.181[10.203.105.41]
    May 15 23:40:11	charon		12[ENC] <27> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]</con5|27></con5|27></con5|27></con5|27></con5|27></con5|27></con5|27></con5|27></con5|27></con5|27></con5|27></con5|27></con5|27></con5|27></con5|27></con5|27></con5|27></con5|27></con5|27></con5|27></con5|27></con5|27></con5|27>
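The log above is printed newest-first and mixes several IKE_SAs, which makes it easy to misread the EAP phase. The following script is an added triage example, not code from the original post or from pfSense/strongSwan: it groups charon lines by `<conn|sa>`, restores chronological order, and summarizes the EAP exchange of each IKE_SA (identity received, EAP methods started, and whether charon fell back to looking up a local EAP secret, which is what the `no EAP key found for hosts` message records). The sample log is a constructed, trimmed copy of the lines in the post; the function names and the verdict strings are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample: a trimmed copy of the charon lines shown in the post,
# in the newest-first order pfSense displays them.
SAMPLE_LOG = """\
May 15 23:40:13\tcharon\t\t12[ENC] <con5|27> generating IKE_AUTH response 3 [ EAP/REQ/MSCHAPV2 ]
May 15 23:40:11\tcharon\t\t12[IKE] <con5|27> EAP-MS-CHAPv2 verification failed, retry (1)
May 15 23:40:11\tcharon\t\t12[IKE] <con5|27> no EAP key found for hosts 'myserver.myhost.cc' - 'MYUSER'
May 15 23:40:11\tcharon\t\t12[ENC] <con5|27> parsed IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]
May 15 23:40:11\tcharon\t\t12[IKE] <con5|27> initiating EAP_MSCHAPV2 method (id 0x9A)
May 15 23:40:11\tcharon\t\t12[IKE] <con5|27> received EAP identity 'MYUSER'
May 15 23:40:11\tcharon\t\t12[IKE] <con5|27> authentication of 'myserver.myhost.cc' (myself) with RSA signature successful
May 15 23:40:11\tcharon\t\t12[IKE] <con5|27> initiating EAP_IDENTITY method (id 0x00)
May 15 23:40:11\tcharon\t\t12[CFG] <con5|27> selected peer config 'con5'
May 15 23:40:11\tcharon\t\t12[CFG] <27> looking for peer configs matching ...
"""

# One charon line: timestamp, thread[group], <conn|sa-id>, message.
# Lines with a bare <sa-id> (before a peer config is selected) are skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d)\s+charon\s+\d+\[(?P<grp>\w+)\]\s+"
    r"<(?P<conn>[^|>]+)\|(?P<sa>\d+)>\s+(?P<msg>.*)$"
)
EAP_IDENTITY_RE = re.compile(r"received EAP identity '(?P<id>[^']*)'")
EAP_METHOD_RE = re.compile(r"initiating (?P<method>EAP_\w+) method")
NO_EAP_KEY_RE = re.compile(r"no EAP key found for hosts '(?P<server>[^']*)' - '(?P<user>[^']*)'")
VERIFY_FAIL_RE = re.compile(r"EAP-MS-CHAPv2 verification failed")


def parse_charon_log(text):
    """Group charon messages per IKE_SA, keyed by (conn, sa_id), oldest first."""
    sas = defaultdict(list)
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        sas[(m.group("conn"), int(m.group("sa")))].append(m.group("msg"))
    # The export is newest-first; reverse so each SA reads in event order.
    return {key: list(reversed(msgs)) for key, msgs in sas.items()}


def triage_eap(messages):
    """Summarize the EAP phase of one IKE_SA from its chronological messages."""
    summary = {
        "identity": None,          # EAP identity the client presented
        "methods": [],             # EAP methods charon started, in order
        "local_secret_lookup": None,  # (server, user) if charon searched local EAP secrets
        "mschapv2_failed": False,
        "verdict": "ok",
    }
    for msg in messages:
        if (m := EAP_IDENTITY_RE.search(msg)):
            summary["identity"] = m.group("id")
        elif (m := EAP_METHOD_RE.search(msg)):
            summary["methods"].append(m.group("method"))
        elif (m := NO_EAP_KEY_RE.search(msg)):
            summary["local_secret_lookup"] = (m.group("server"), m.group("user"))
        elif VERIFY_FAIL_RE.search(msg):
            summary["mschapv2_failed"] = True
    if summary["local_secret_lookup"]:
        # charon tried to answer MSCHAPv2 itself from a local secret store;
        # that is the lookup to check when an external identity server is expected.
        summary["verdict"] = "local-eap-secret-lookup"
    elif summary["mschapv2_failed"]:
        summary["verdict"] = "mschapv2-verification-failed"
    return summary


def report(text):
    """Return one summary per IKE_SA found in the log text."""
    return {key: triage_eap(msgs) for key, msgs in parse_charon_log(text).items()}


if __name__ == "__main__":
    for (conn, sa_id), s in report(SAMPLE_LOG).items():
        print(f"{conn}|{sa_id}: identity={s['identity']} methods={s['methods']} "
              f"local_lookup={s['local_secret_lookup']} verdict={s['verdict']}")
```

Running it on the sample prints a single line for `con5|27` with verdict `local-eap-secret-lookup`, which is the quickest way to confirm from the log alone that the MSCHAPv2 response was checked against charon's own secrets rather than forwarded anywhere; the same pattern can be pointed at a full `/var/log/ipsec.log` export to compare SAs that succeeded with the ones that failed.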