Netgate Discussion Forum

    IPsec not looking to alternate databases for authentication

      solignis

      I am hoping someone knows what is going on here.

      I have an IPsec mobile client configuration. I am using IKEv2 for the protocol and EAP-MSChapV2 as the authentication method.

      I wanted to use AD as my authentication backend, so I set up a connection to my AD server and tested it with the diag tools. Everything came back as expected and I am able to use my AD credentials to log in to the webGUI.

      I changed the mobile client authentication database over to AD and removed all existing EAP keys from the VPN config. No matter what I do, my client (Windows 10) comes back saying that my password is no good. However, if I add an EAP key to the local configuration with a different password for testing reasons, the client connects using that password with no trouble.

      Based on that I am pretty sure the IPsec server is not even talking to AD and instead is just using the local database no matter what the option is set to.

      Has anyone else had this problem? I am currently running the 2.3-BETA but I have also seen this issue on the 2.2.6-RELEASE.

      It's not massively urgent or anything but I really need a clue on this if someone knows something.

      If it's a bug, is there any way to override where StrongSwan authenticates from?

        cmb

        That's just the nature of how it works at the moment for EAP-MSChapV2.

          solignis

          I don't follow. Where is the problem? StrongSwan or pfSense?
          Is there any way to patchwork something together? Assuming it will be resolved in the upcoming version.

            cmb

            AFAIK, strongswan doesn't support any alternatives for auth for that type at this time.
            https://wiki.strongswan.org/projects/strongswan/wiki/Win7EapMultipleConfig

            EAP-RADIUS is probably a better choice with AD.
