Netgate Discussion Forum
    IKEv2 VPN not working with EAP-RADIUS

    Category: 2.3-RC Snapshot Feedback and Issues - ARCHIVED
    2 Posts, 2 Posters, 2.7k Views
    stazis

      Hello,

      I'm using the latest 2.3 snapshot and I was unable to get IKEv2 VPN authentication working with EAP-RADIUS.
      I have followed this tutorial, https://doc.pfsense.org/index.php/IKEv2_with_EAP-RADIUS, and authentication with MS-CHAPv2 works perfectly, but not with EAP-RADIUS.
      Here is the log file.

      Feb 24 09:50:35 charon 04[IKE] <con1|4>received EAP identity 'test123'
      Feb 24 09:50:35 charon 04[IKE] <con1|4>loading EAP_RADIUS method failed
      Feb 24 09:50:35 charon 04[ENC] <con1|4>generating IKE_AUTH response 2 [ EAP/FAIL ]
      Feb 24 09:50:35 charon 04[NET] <con1|4>sending packet: from 79.105.217.187[4500] to 86.115.254.217[49918] (68 bytes)

      What can be the possible causes? Thank you!

      jimp (Rebel Alliance Developer, Netgate)

        It's working fine here. Was it working before and then stopped? What RADIUS server are you using? Anything in the RADIUS server log?

        The error you show is not what would normally be seen for a bad password, but looks more like EAP itself is failing between strongSwan and your RADIUS server.

        Here are a couple of quick examples from my logs:

        • Bad password:
        Feb 25 08:06:12 charon 05[IKE] <con2|2>received EAP identity 'jimp'
        Feb 25 08:06:12 charon 05[CFG] <con2|2>RADIUS server 'radauth' is candidate: 210
        Feb 25 08:06:12 charon 05[CFG] <con2|2>sending RADIUS Access-Request to server 'radauth'
        Feb 25 08:06:12 charon 05[CFG] <con2|2>received RADIUS Access-Challenge from server 'radauth'
        Feb 25 08:06:12 charon 05[IKE] <con2|2>initiating EAP_MSCHAPV2 method (id 0x01)
        Feb 25 08:06:12 charon 10[CFG] <con2|2>sending RADIUS Access-Request to server 'radauth'
        Feb 25 08:06:13 charon 10[CFG] <con2|2>received RADIUS Access-Reject from server 'radauth'
        Feb 25 08:06:13 charon 10[IKE] <con2|2>RADIUS authentication of 'jimp' failed
        Feb 25 08:06:13 charon 10[IKE] <con2|2>EAP method EAP_MSCHAPV2 failed for peer 10.6.0.101

        • Good password:
        Feb 25 08:06:32 charon 16[IKE] <con2|3>received EAP identity 'jimp'
        Feb 25 08:06:32 charon 16[CFG] <con2|3>RADIUS server 'radauth' is candidate: 210
        Feb 25 08:06:32 charon 16[CFG] <con2|3>sending RADIUS Access-Request to server 'radauth'
        Feb 25 08:06:32 charon 16[CFG] <con2|3>received RADIUS Access-Challenge from server 'radauth'
        Feb 25 08:06:32 charon 16[IKE] <con2|3>initiating EAP_MSCHAPV2 method (id 0x01)
        Feb 25 08:06:32 charon 10[CFG] <con2|3>sending RADIUS Access-Request to server 'radauth'
        Feb 25 08:06:32 charon 10[CFG] <con2|3>received RADIUS Access-Challenge from server 'radauth'
        Feb 25 08:06:32 charon 16[CFG] <con2|3>sending RADIUS Access-Request to server 'radauth'
        Feb 25 08:06:32 charon 16[CFG] <con2|3>received RADIUS Access-Accept from server 'radauth'
        Feb 25 08:06:32 charon 16[IKE] <con2|3>RADIUS authentication of 'jimp' successful
        Feb 25 08:06:32 charon 16[IKE] <con2|3>EAP method EAP_MSCHAPV2 succeeded, MSK established
        Feb 25 08:06:32 charon 06[IKE] <con2|3>authentication of '10.6.0.101' with EAP successful
        Feb 25 08:06:32 charon 06[IKE] <con2|3>authentication of 'shona.dw.example.com' (myself) with EAP
        Feb 25 08:06:32 charon 06[IKE] <con2|3>IKE_SA con2[3] established between 198.51.100.7[shona.dw.example.com]...198.51.100.6[10.6.0.101]


        In my IPsec log settings (VPN > IPsec, Settings tab) I have "IKE SA" and "IKE Child SA" set to Control and "Configuration Backend" set to Diag, which is why it's a bit chatty there.

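The three log excerpts in this thread make a useful triage fixture: the failing exchange never gets past "loading EAP_RADIUS method failed" and contains no RADIUS Access-Request at all, whereas both of jimp's examples show charon actually talking to the server and the server deciding. The script below is an added example, not code from the thread or from pfSense/strongSwan. It parses charon lines in the format shown above (whitespace normalised), groups them by IKE_SA tag, and reports for each whether the EAP-RADIUS method failed to load, or the RADIUS server returned Access-Reject or Access-Accept, together with how many RADIUS packets were exchanged. The verdict names and the `triage`/`classify_sa` helpers are this example's own; the sample lines are the ones quoted in the thread.

```python
import re
from collections import defaultdict

# One strongSwan charon line as shown in the pfSense IPsec log, e.g.
#   Feb 25 08:06:12 charon 05[IKE] <con2|2>received EAP identity 'jimp'
# Groups: syslog timestamp, charon thread id, subsystem tag, IKE_SA tag, message.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+charon\s+"
    r"(?P<thread>\d+)\[(?P<subsys>[A-Z]+)\]\s+<(?P<sa>[^>]+)>\s*(?P<msg>.*)$"
)

# The three exchanges quoted in this thread (whitespace normalised, not constructed).
SAMPLE_LOG = """\
Feb 24 09:50:35 charon 04[IKE] <con1|4>received EAP identity 'test123'
Feb 24 09:50:35 charon 04[IKE] <con1|4>loading EAP_RADIUS method failed
Feb 24 09:50:35 charon 04[ENC] <con1|4>generating IKE_AUTH response 2 [ EAP/FAIL ]
Feb 24 09:50:35 charon 04[NET] <con1|4>sending packet: from 79.105.217.187[4500] to 86.115.254.217[49918] (68 bytes)
Feb 25 08:06:12 charon 05[IKE] <con2|2>received EAP identity 'jimp'
Feb 25 08:06:12 charon 05[CFG] <con2|2>RADIUS server 'radauth' is candidate: 210
Feb 25 08:06:12 charon 05[CFG] <con2|2>sending RADIUS Access-Request to server 'radauth'
Feb 25 08:06:12 charon 05[CFG] <con2|2>received RADIUS Access-Challenge from server 'radauth'
Feb 25 08:06:12 charon 05[IKE] <con2|2>initiating EAP_MSCHAPV2 method (id 0x01)
Feb 25 08:06:12 charon 10[CFG] <con2|2>sending RADIUS Access-Request to server 'radauth'
Feb 25 08:06:13 charon 10[CFG] <con2|2>received RADIUS Access-Reject from server 'radauth'
Feb 25 08:06:13 charon 10[IKE] <con2|2>RADIUS authentication of 'jimp' failed
Feb 25 08:06:13 charon 10[IKE] <con2|2>EAP method EAP_MSCHAPV2 failed for peer 10.6.0.101
Feb 25 08:06:32 charon 16[IKE] <con2|3>received EAP identity 'jimp'
Feb 25 08:06:32 charon 16[CFG] <con2|3>RADIUS server 'radauth' is candidate: 210
Feb 25 08:06:32 charon 16[CFG] <con2|3>sending RADIUS Access-Request to server 'radauth'
Feb 25 08:06:32 charon 16[CFG] <con2|3>received RADIUS Access-Challenge from server 'radauth'
Feb 25 08:06:32 charon 16[IKE] <con2|3>initiating EAP_MSCHAPV2 method (id 0x01)
Feb 25 08:06:32 charon 10[CFG] <con2|3>sending RADIUS Access-Request to server 'radauth'
Feb 25 08:06:32 charon 10[CFG] <con2|3>received RADIUS Access-Challenge from server 'radauth'
Feb 25 08:06:32 charon 16[CFG] <con2|3>sending RADIUS Access-Request to server 'radauth'
Feb 25 08:06:32 charon 16[CFG] <con2|3>received RADIUS Access-Accept from server 'radauth'
Feb 25 08:06:32 charon 16[IKE] <con2|3>RADIUS authentication of 'jimp' successful
Feb 25 08:06:32 charon 16[IKE] <con2|3>EAP method EAP_MSCHAPV2 succeeded, MSK established
Feb 25 08:06:32 charon 06[IKE] <con2|3>authentication of '10.6.0.101' with EAP successful
Feb 25 08:06:32 charon 06[IKE] <con2|3>authentication of 'shona.dw.example.com' (myself) with EAP
Feb 25 08:06:32 charon 06[IKE] <con2|3>IKE_SA con2[3] established between 198.51.100.7[shona.dw.example.com]...198.51.100.6[10.6.0.101]
"""


def parse_line(line):
    """Return the fields of one charon line as a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def classify_sa(messages):
    """Summarise the EAP/RADIUS messages belonging to one IKE_SA.

    Verdicts (names chosen for this example):
      eap_radius_method_load_failed - charon could not start the EAP-RADIUS method;
                                      no Access-Request was ever sent to the server
      radius_reject                 - the server answered Access-Reject (bad credentials)
      radius_accept                 - the server answered Access-Accept
      incomplete                    - none of the above seen (truncated or unrelated log)
    """
    identity = None
    for msg in messages:
        m = re.search(r"received EAP identity '([^']*)'", msg)
        if m:
            identity = m.group(1)
    # Count only packets actually exchanged with the RADIUS server
    # (Access-Request / Access-Challenge / Access-Accept / Access-Reject).
    radius_packets = sum(1 for msg in messages if "RADIUS Access-" in msg)
    if any("loading EAP_RADIUS method failed" in msg for msg in messages):
        verdict = "eap_radius_method_load_failed"
    elif any("received RADIUS Access-Accept" in msg for msg in messages):
        verdict = "radius_accept"
    elif any("received RADIUS Access-Reject" in msg for msg in messages):
        verdict = "radius_reject"
    else:
        verdict = "incomplete"
    return {"identity": identity, "radius_packets": radius_packets, "verdict": verdict}


def triage(lines):
    """Group charon lines by their IKE_SA tag (e.g. 'con2|3') and classify each SA."""
    by_sa = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_sa[rec["sa"]].append(rec["msg"])
    return {sa: classify_sa(msgs) for sa, msgs in by_sa.items()}


def triage_sample():
    """Run the triage over the three exchanges quoted in the thread."""
    return triage(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for sa, summary in triage_sample().items():
        print(f"{sa}: {summary['verdict']} (identity={summary['identity']}, "
              f"RADIUS packets={summary['radius_packets']})")
```

Run against the quoted lines, con1|4 comes out as a method load failure with zero RADIUS packets, con2|2 as a reject after four packets and con2|3 as an accept after six. That zero is the point of the triage: a load failure is a strongSwan-side configuration problem to check on the pfSense box, and the RADIUS server log will have nothing to show for it, while a reject is the place to start reading the server's own log.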
