Netgate Discussion Forum

    ipsec EAP-RADIUS not working since upgrade to 2.5.1

      Vanessa75015

      Hello community,
      Since I upgraded from 2.5.0 to 2.5.1 I have had a problem with my VPN.
      I can't connect anymore with my road warrior config (EAP-RADIUS with an NPS Windows 2016 backend, from the strongSwan Android client).

      It seems to be related to a GUI problem and the configuration on the box.

      In the log I can see:

      Apr 21 20:45:31 pfSense charon[90894]: 03[IKE] <con-mobile|9> received EAP identity 'Vanessa'
      Apr 21 20:45:31 pfSense charon[90894]: 03[IKE] <con-mobile|9> initiating EAP_TLS method (id 0xD4)

      Isn't it supposed to be calling EAP_RADIUS?
      It looks like pfSense does not proxy the EAP RADIUS request.
      I do not see any packets to the RADIUS server.

      Which file on the pfSense could I look at to see what configuration is really on the box?
      In the GUI I have "Authentication Method EAP-RADIUS", and in the mobile client settings I have my RADIUS server in the user authentication select box.

      Regards

        Vanessa75015

        I think I found the file:
        /var/etc/ipsec/swanctl.conf

        remote {
                id = %any
                eap_id = %any
                auth = eap-radius
        }
        

        So it seems OK... but what is strange (in addition to EAP-RADIUS not working) is that when I change the authentication method to EAP-TLS, for example, it fails at the beginning, at IKE_SA_INIT, with a
        no IKE config found for IP.OF.SER.VER... IP.OF.CL.IENT

        When I put back EAP-RADIUS I have
        found matching ike config: IP.OF.SER.VER...0.0.0.0/0

        I don't understand why...

        I checked the diff of the config files:

        <       pools = radius-pool, radius
        84c83,84
        <               auth = eap-radius
        ---
        >               auth = eap-tls
        >               cacerts = /var/etc/ipsec/x509ca/1f70db87.0
        98,103d97
        <       }
        < }
        < pools {
        <       radius-pool : mobile-pool {
        <               subnet = 0.0.0.0/0
        <               split_include = 0.0.0.0/0
        
          Vanessa75015 @Vanessa75015

          OK... I have to set a fallback "Virtual Address Pool" and check the RADIUS IP address priority checkbox.

          It works.

          I suppose that's because of the upgrade... anyway.

          By the way, I also have a site-to-site IPsec connection to another pfSense, and it doesn't come up. When I click connect, it just refreshes the page with "Collecting IPsec status information." but nothing else happens.
          I saw there was a fix for a similar problem already included in 2.5.1... anyway, I will try to see; it's another subject.

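The thread asks which file shows what is really configured on the box. As an added example (not code from the posts or from pfSense), this Python sketch parses a swanctl.conf-style file and reports, per connection, the remote auth method, the pools it lists, and any listed pool that is not defined under `pools {}`. The function names and the sample config are constructed, and treating `radius` as a pool name that needs no definition is an assumption based on the `pools = radius-pool, radius` line in the diff.

```python
def parse_swanctl(text):
    """Parse swanctl.conf-style nested sections into nested dicts."""
    stack = [{}]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if line.endswith("{"):
            name = line[:-1].split(":", 1)[0].strip()  # "name {" or "name : parent {"
            stack[-1][name] = child = {}
            stack.append(child)
        elif line == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced '}'")
            stack.pop()
        elif "=" in line:
            key, value = line.split("=", 1)
            stack[-1][key.strip()] = value.strip()
    if len(stack) != 1:
        raise ValueError("unclosed section")
    return stack[0]

def audit(text, builtin_pools=("radius",)):
    cfg = parse_swanctl(text)
    defined = set(cfg.get("pools", {}))
    report = []
    for name, conn in cfg.get("connections", {}).items():
        # remote auth rounds live in "remote" / "remote-<suffix>" subsections
        auths = [s["auth"] for k, s in conn.items()
                 if k.startswith("remote") and isinstance(s, dict) and "auth" in s]
        pools = [p.strip() for p in conn.get("pools", "").split(",") if p.strip()]
        missing = [p for p in pools if p not in defined and p not in builtin_pools]
        report.append({"conn": name, "remote_auth": auths, "pools": pools, "undefined_pools": missing})
    return report

SAMPLE = """# Constructed sample, modelled on the fragments quoted in the thread
connections {
    con-mobile {
        pools = radius-pool, radius
        remote {
            auth = eap-radius
        }
    }
}
pools {
    radius-pool {
        subnet = 0.0.0.0/0
    }
}
"""

print(audit(SAMPLE))
```

On the firewall itself, the same check would be pointed at the file named in the thread, for example `audit(open("/var/etc/ipsec/swanctl.conf").read())`.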
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.