Login issue with IPsec IKEv2 using Active Directory Authentication



  • I am kind of lost here and hoping someone can tell me what I am doing wrong.

    I am trying to setup a mobile IKEv2 system on my pfSense lab box. I started by following the instructions here; https://doc.pfsense.org/index.php/IKEv2_with_EAP-MSCHAPv2

    In short everything works perfectly if I follow the instructions verbatim and use the "local database" for authentication. I assigned username and passwords using the EAP option in the Pre-Shared-Keys tab.

    Like I said that part works fine on all machines I have tested it on.

    What is not working is when I try to set the authentication database to use my AD server. I started by adding my AD server to the authentication servers under user management (see attachment).

    Next I set the mobile clients to use my AD server DC01 as the authentication database (see attachment).

    I do not have any pre-shared keys added, all previous keys are gone.

    When I go to my Win 7 VM and try to connect it keeps tell me my password is not correct. The same thing occurs on my Win 10 VM also.

    I have verified time and time again that the credentials are "mostly" correct. I say mostly because I know the account exists and I have the right username and password. However that is where I end.

    Can anyone please give me some assistance or even a clue of where the issue could look?

    Thanks!

    EDIT

    Here is the IPsec log from the firewall too.
    ![2015-12-09 19_22_55-DC01 - VMware Workstation.png](/public/imported_attachments/1/2015-12-09 19_22_55-DC01 - VMware Workstation.png)
    ![2015-12-09 19_22_55-DC01 - VMware Workstation.png_thumb](/public/imported_attachments/1/2015-12-09 19_22_55-DC01 - VMware Workstation.png_thumb)
    ![2015-12-09 19_25_17-DC01 - VMware Workstation.png](/public/imported_attachments/1/2015-12-09 19_25_17-DC01 - VMware Workstation.png)
    ![2015-12-09 19_25_17-DC01 - VMware Workstation.png_thumb](/public/imported_attachments/1/2015-12-09 19_25_17-DC01 - VMware Workstation.png_thumb)
    ![2015-12-09 19_28_01-Windows 7 - VMware Workstation.png](/public/imported_attachments/1/2015-12-09 19_28_01-Windows 7 - VMware Workstation.png)
    ![2015-12-09 19_28_01-Windows 7 - VMware Workstation.png_thumb](/public/imported_attachments/1/2015-12-09 19_28_01-Windows 7 - VMware Workstation.png_thumb)
    [ipsec log.txt](/public/imported_attachments/1/ipsec log.txt)



  • You cannot do what you're trying to do:
    https://forum.pfsense.org/index.php?topic=90753.msg504731#msg504731

    Install and setup NPS/IAS on your AD server. Add it as a RADIUS server to pfSense. Then use EAP-Radius for authentication.


Log in to reply