IKEv2 VPN not working with EAP-RADIUS



  • Hello,

    I'm using the latest 2.3 snapshot and I was unable to get IKEv2 VPN authentication with EAP-RADIUS working.
    I have followed this tutorial https://doc.pfsense.org/index.php/IKEv2_with_EAP-RADIUS and authentication with MS-CHAPv2 works perfectly, but not with EAP-RADIUS.
    Here is the log file.

    Feb 24 09:50:35 charon 04[IKE] <con1|4> received EAP identity 'test123'
    Feb 24 09:50:35 charon 04[IKE] <con1|4> loading EAP_RADIUS method failed
    Feb 24 09:50:35 charon 04[ENC] <con1|4> generating IKE_AUTH response 2 [ EAP/FAIL ]
    Feb 24 09:50:35 charon 04[NET] <con1|4> sending packet: from 79.105.217.187[4500] to 86.115.254.217[49918] (68 bytes)

    What can be the possible causes? Thank you!


  • Rebel Alliance Developer Netgate

    It's working fine here. Was it working before and then stopped? What RADIUS server are you using? Anything in the RADIUS server log?

    The error you show is not what would normally be seen for a bad password, but looks more like EAP itself is failing between strongSwan and your RADIUS server.

    Here are a couple of quick examples from my logs:

    • Bad password:
    Feb 25 08:06:12 charon 05[IKE] <con2|2> received EAP identity 'jimp'
    Feb 25 08:06:12 charon 05[CFG] <con2|2> RADIUS server 'radauth' is candidate: 210
    Feb 25 08:06:12 charon 05[CFG] <con2|2> sending RADIUS Access-Request to server 'radauth'
    Feb 25 08:06:12 charon 05[CFG] <con2|2> received RADIUS Access-Challenge from server 'radauth'
    Feb 25 08:06:12 charon 05[IKE] <con2|2> initiating EAP_MSCHAPV2 method (id 0x01)
    Feb 25 08:06:12 charon 10[CFG] <con2|2> sending RADIUS Access-Request to server 'radauth'
    Feb 25 08:06:13 charon 10[CFG] <con2|2> received RADIUS Access-Reject from server 'radauth'
    Feb 25 08:06:13 charon 10[IKE] <con2|2> RADIUS authentication of 'jimp' failed
    Feb 25 08:06:13 charon 10[IKE] <con2|2> EAP method EAP_MSCHAPV2 failed for peer 10.6.0.101
    
    • Good password:
    Feb 25 08:06:32 charon 16[IKE] <con2|3> received EAP identity 'jimp'
    Feb 25 08:06:32 charon 16[CFG] <con2|3> RADIUS server 'radauth' is candidate: 210
    Feb 25 08:06:32 charon 16[CFG] <con2|3> sending RADIUS Access-Request to server 'radauth'
    Feb 25 08:06:32 charon 16[CFG] <con2|3> received RADIUS Access-Challenge from server 'radauth'
    Feb 25 08:06:32 charon 16[IKE] <con2|3> initiating EAP_MSCHAPV2 method (id 0x01)
    Feb 25 08:06:32 charon 10[CFG] <con2|3> sending RADIUS Access-Request to server 'radauth'
    Feb 25 08:06:32 charon 10[CFG] <con2|3> received RADIUS Access-Challenge from server 'radauth'
    Feb 25 08:06:32 charon 16[CFG] <con2|3> sending RADIUS Access-Request to server 'radauth'
    Feb 25 08:06:32 charon 16[CFG] <con2|3> received RADIUS Access-Accept from server 'radauth'
    Feb 25 08:06:32 charon 16[IKE] <con2|3> RADIUS authentication of 'jimp' successful
    Feb 25 08:06:32 charon 16[IKE] <con2|3> EAP method EAP_MSCHAPV2 succeeded, MSK established
    Feb 25 08:06:32 charon 06[IKE] <con2|3> authentication of '10.6.0.101' with EAP successful
    Feb 25 08:06:32 charon 06[IKE] <con2|3> authentication of 'shona.dw.example.com' (myself) with EAP
    Feb 25 08:06:32 charon 06[IKE] <con2|3> IKE_SA con2[3] established between 198.51.100.7[shona.dw.example.com]...198.51.100.6[10.6.0.101]
    

    In my IPsec log settings (VPN > IPsec, Settings tab) I have "IKE SA" and "IKE Child SA" set to Control and "Configuration Backend" set to Diag, which is why it's a bit chatty there.
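The distinction the reply draws is easy to check mechanically: in the poster's log the IKE_SA fails at "loading EAP_RADIUS method failed" and never emits a "sending RADIUS Access-Request" line, whereas both of the developer's runs reach the RADIUS server and end in an Access-Reject or Access-Accept. The script below is an added example (not code from the thread or from pfSense/strongSwan) that groups charon lines per IKE_SA and labels each one as "never reached RADIUS", "rejected by RADIUS" or "authenticated". The sample log is constructed from the lines quoted above; the regex assumes the standard charon syslog layout `<conn|id> message`, with or without a space after the `>`.

```python
import re
from dataclasses import dataclass

# Constructed sample, modelled on the three IKE_SAs quoted in this thread.
SAMPLE_LOG = """\
Feb 24 09:50:35 charon 04[IKE] <con1|4> received EAP identity 'test123'
Feb 24 09:50:35 charon 04[IKE] <con1|4> loading EAP_RADIUS method failed
Feb 24 09:50:35 charon 04[ENC] <con1|4> generating IKE_AUTH response 2 [ EAP/FAIL ]
Feb 25 08:06:12 charon 05[IKE] <con2|2>received EAP identity 'jimp'
Feb 25 08:06:12 charon 05[CFG] <con2|2>sending RADIUS Access-Request to server 'radauth'
Feb 25 08:06:12 charon 05[CFG] <con2|2>received RADIUS Access-Challenge from server 'radauth'
Feb 25 08:06:13 charon 10[CFG] <con2|2>received RADIUS Access-Reject from server 'radauth'
Feb 25 08:06:13 charon 10[IKE] <con2|2>RADIUS authentication of 'jimp' failed
Feb 25 08:06:32 charon 16[IKE] <con2|3> received EAP identity 'jimp'
Feb 25 08:06:32 charon 16[CFG] <con2|3> sending RADIUS Access-Request to server 'radauth'
Feb 25 08:06:32 charon 16[CFG] <con2|3> received RADIUS Access-Accept from server 'radauth'
Feb 25 08:06:32 charon 16[IKE] <con2|3> RADIUS authentication of 'jimp' successful
"""

# Assumed charon line layout: "<timestamp> charon <thread>[<group>] <conn|id> <message>".
# \s+ also absorbs the tabs that the forum's copy of the log contained.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d)\s+charon\s+"
    r"(?P<thread>\d+)\[(?P<group>\w+)\]\s+"
    r"<(?P<conn>[^|>]+)\|(?P<id>\d+)>\s*(?P<msg>.*)$"
)


@dataclass
class SaOutcome:
    identity: str = ""          # EAP identity the client presented
    radius_requests: int = 0    # Access-Requests actually sent to the RADIUS server
    verdict: str = "incomplete"


def classify(log_text):
    """Return {"<conn>|<id>": SaOutcome} for every IKE_SA seen in the log."""
    outcomes = {}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not a charon line we understand; ignore
        sa = outcomes.setdefault(f"{m['conn']}|{m['id']}", SaOutcome())
        msg = m["msg"]
        ident = re.match(r"received EAP identity '([^']*)'", msg)
        if ident:
            sa.identity = ident.group(1)
        elif "loading EAP_RADIUS method failed" in msg:
            # Raised inside strongSwan before any RADIUS traffic: a plugin or
            # configuration problem on the VPN box, not a credential problem.
            sa.verdict = "eap_radius_method_not_loaded"
        elif "sending RADIUS Access-Request" in msg:
            sa.radius_requests += 1
        elif "received RADIUS Access-Reject" in msg:
            sa.verdict = "credentials_rejected"
        elif "received RADIUS Access-Accept" in msg:
            sa.verdict = "authenticated"
        elif "[ EAP/FAIL ]" in msg and sa.verdict == "incomplete":
            # Generic EAP failure with no more specific cause recorded.
            sa.verdict = ("eap_failed_before_radius" if sa.radius_requests == 0
                          else "eap_failed")
    return outcomes


if __name__ == "__main__":
    for key, sa in classify(SAMPLE_LOG).items():
        print(f"{key:8} identity={sa.identity!r:12} "
              f"radius_requests={sa.radius_requests} verdict={sa.verdict}")
```

A verdict of `eap_radius_method_not_loaded` with zero Access-Requests tells you to look at the strongSwan side (the eap-radius plugin and its RADIUS server configuration), because the RADIUS server's own log will have nothing for that session; `credentials_rejected` is the one case where the RADIUS server log is the next place to read.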