ipsec EAP-RADIUS not working since upgrade to 2.5.1
-
Hello community,
Since I upgraded from 2.5.0 to 2.5.1, I have a problem with my VPN.
I can't connect anymore with my road warrior config (EAP-RADIUS with an NPS Windows 2016 backend, from the strongSwan Android client).
It seems to be related to a GUI problem and the configuration on the box.
In the log I can see:
Apr 21 20:45:31 pfSense charon[90894]: 03[IKE] <con-mobile|9> received EAP identity 'Vanessa'
Apr 21 20:45:31 pfSense charon[90894]: 03[IKE] <con-mobile|9> initiating EAP_TLS method (id 0xD4)
Isn't it supposed to be calling EAP_RADIUS?
It looks like pfSense does not proxy the EAP-RADIUS request.
I do not see any packets to the RADIUS server.
Which file on the pfSense could I look at to see what configuration is really on the box?
In the GUI I have "Authentication Method EAP-RADIUS", and in mobile client I have my RADIUS server in the user authentication select box.
Regards
-
I think I found the file:
/var/etc/ipsec/swanctl.conf
remote {
    id = %any
    eap_id = %any
    auth = eap-radius
}
So it seems OK. But what is strange (in addition to EAP-RADIUS not working) is that when I change the authentication method to EAP-TLS, for example, it fails at the beginning, at IKE_SA_INIT, with:
no IKE config found for IP.OF.SER.VER... IP.OF.CL.IENT
When I put back EAP-RADIUS, I have:
found matching ike config: IP.OF.SER.VER...0.0.0.0/0
I don't understand why...
I checked the diff of the config files:
< pools = radius-pool, radius 84c83,84 < auth = eap-radius --- > auth = eap-tls > cacerts = /var/etc/ipsec/x509ca/1f70db87.0 98,103d97 < } < } < pools { < radius-pool : mobile-pool { < subnet = 0.0.0.0/0 < split_include = 0.0.0.0/0
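For checking what the generated /var/etc/ipsec/swanctl.conf actually contains, as asked in the first post: an added example (not part of the thread, and not pfSense or strongSwan code) that parses swanctl.conf-style text and reports each connection's remote auth method and pool list. It assumes one statement per line; the sample input is constructed from the fragments quoted above, and the `addrs` range is a placeholder.

```python
# Constructed sample built from fragments quoted in the thread; the addrs range is made up.
SAMPLE = """
connections {
    con-mobile {
        pools = radius-pool, radius
        remote {
            auth = eap-radius
        }
    }
}
pools {
    mobile-pool {
        addrs = 192.0.2.0/24
    }
    radius-pool : mobile-pool {
        subnet = 0.0.0.0/0
    }
}
"""
def parse_swanctl(text):
    """Parse one-statement-per-line swanctl.conf text into nested dicts."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and padding
        if not line:
            continue
        if line == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced '}'")
            stack.pop()
        elif line.endswith("{"):
            # "name : parent {" is a section reference; keep only the name.
            name = line[:-1].split(":", 1)[0].strip()
            stack.append(stack[-1].setdefault(name, {}))
        elif "=" in line:
            key, value = line.split("=", 1)
            stack[-1][key.strip()] = value.strip()
    if len(stack) != 1:
        raise ValueError("unclosed section")
    return root

def auth_summary(conf):
    """Map each connection to its remote auth methods and pool list."""
    out = {}
    for name, conn in conf.get("connections", {}).items():
        remotes = [v for k, v in conn.items() if k.startswith("remote") and isinstance(v, dict)]
        pools = [p.strip() for p in conn.get("pools", "").split(",") if p.strip()]
        out[name] = {"remote_auth": [r.get("auth") for r in remotes], "pools": pools}
    return out
```

To run it against the box, pass the file's text to `parse_swanctl` and print `auth_summary` of the result.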
-
OK. I have to set a fallback "Virtual Address Pool" and check the RADIUS IP address priority checkbox.
It works.
I suppose that's because of the upgrade... anyway.
By the way, I also have a Site2Site IPsec connection to another pfSense, and it doesn't come up. When I click connect, it just refreshes the page with "Collecting IPsec status information." but nothing else happens.
I saw there was a fix for a similar problem already included in 2.5.1. Anyway, I will try to see; it's another subject.