
 
Lemahasta
just joined
Topic Author
Posts: 5
Joined: Wed Dec 30, 2015 9:52 am

Ikev2 + eap radius

Tue Feb 21, 2017 10:26 pm

I did manage to get ikev2 with rsa signature running, but I'd much rather go for the eap radius authentication. I've been trying to make it work, but I can't seem to do it.

I'm trying to connect using android with strongswan client. Using "certificate" works OK, but when I change to "eap login/password" (in android) and "auth: eap radius" I get error "AUTHENTICATION_FAILED"

routerOS v.6.38.1
In mikrotik log i see that router received proper username, and is relaying it to radius server, but then it fails with:

secret string is empty
AUTH not matching

in radius logs I don't see any errors whatsoever - it receives correct username and authenticates it against local users-file.

Same user/password credentials with the same radius server work just fine when e.g. logging into the mikrotik via winbox.


only relevant part in ipsec config that I'm changing is
auth method: radius eap
in router when setting radius i did enable "ipsec".

everything works as soon as I change auth method to "rsa signature" and change (and of course in strongswan type from eap user/password to certificate).

If anyone has some tips how to properly configure ikev2 with eap radius I'd be glad to hear them, as I can't figure it out on my own and don't see mikrotik-specific info in the wiki.
 
Vaxter
just joined
Posts: 8
Joined: Tue May 06, 2014 10:54 pm
Contact:

Re: Ikev2 + eap radius

Sun Mar 12, 2017 8:55 pm

After spending two days trying to figure this out, I have to admit defeat and bump this thread...
 
mrz
MikroTik Support
Posts: 5942
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia
Contact:

Re: Ikev2 + eap radius

Wed Mar 15, 2017 8:56 am

Upgrade to latest v6.39rc and then try. If it still fails contact support with attached supout file.
 
Vaxter
just joined
Posts: 8
Joined: Tue May 06, 2014 10:54 pm
Contact:

Re: Ikev2 + eap radius

Sun Mar 19, 2017 7:52 pm

Updated, but no luck...
Unfortunately I don't have support anymore, and I am not really into paying for support when I am sure that it was not my mistake with configuration.
Radius worked for PPTP, IKEv2 works with a certificate, but not with eap radius.
 
Lemahasta
just joined
Topic Author
Posts: 5
Joined: Wed Dec 30, 2015 9:52 am

Re: Ikev2 + eap radius

Mon Jun 05, 2017 1:40 pm

Right now I'm using 6.39 (stable) and eap-radius for ikev2 still doesn't seem to work. For sstp it works without any issues. For IKEV2 RADIUS server receives request, sends "access-accept", which Mikrotik receives (in MT log I clearly see "received access-accept" with all relevant data) but mikrotik for whatever reason throws out error then:
ipsec, error "no proposal chosen"

Windows client connecting receives error about rules mismatch.

As soon as I change from "eap radius" to "rsa signature" everything works perfectly - same windows client connects to same mikrotik device without any other config change.

I don't have any spare mikrotik devices to test any of the RC versions unfortunately.
 
Vaxter
just joined
Posts: 8
Joined: Tue May 06, 2014 10:54 pm
Contact:

Re: Ikev2 + eap radius

Mon Jun 05, 2017 1:41 pm

I have the latest RC, and same thing here.


 
anesth
just joined
Posts: 9
Joined: Wed Nov 21, 2012 1:12 am

Re: Ikev2 + eap radius

Wed Oct 18, 2017 12:27 am

Hi,
The Radius server must be properly configured.
Actually 'secret string is empty' is about the MSK: Mikrotik wants the radius server to provide the MSK (in the MS-MPPE-Send-Key and MS-MPPE-Recv-Key attributes). So configure something like EAP-PEAP with MSCHAPv2 to authenticate the client side with username and password, or EAP-TLS (with a reasonable subjAltName in the certificate) for radius-based certificate authentication.
Works fine with strongswan for android (both EAP-TLS and EAP-PEAP/MSCHAPv2) and linux strongswan. I didn't test it with windoz but I think making it work is not a big deal.
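
The check this reply implies, as an added example that is not part of the thread or of MikroTik's or FreeRADIUS's code: given the raw bytes of a RADIUS Access-Accept (for instance from a packet capture on the router-to-RADIUS link), report which MS-MPPE key attributes are missing. The attribute numbers come from RFC 2548; the function names and both sample packets are constructed for illustration.

```python
import struct

ACCESS_ACCEPT, VENDOR_SPECIFIC, VENDOR_MICROSOFT = 2, 26, 311
MPPE_KEYS = {16: "MS-MPPE-Send-Key", 17: "MS-MPPE-Recv-Key"}  # RFC 2548

def tlvs(buf):
    """Yield (type, value) from a run of type/length/value attributes."""
    pos = 0
    while pos < len(buf):
        if pos + 2 > len(buf):
            raise ValueError("truncated attribute header")
        a_type, a_len = buf[pos], buf[pos + 1]
        if a_len < 2 or pos + a_len > len(buf):
            raise ValueError("bad attribute length")
        yield a_type, buf[pos + 2:pos + a_len]
        pos += a_len

def missing_mppe_keys(packet):
    """Sorted MS-MPPE key attribute names absent from an Access-Accept."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT:
        raise ValueError("not an Access-Accept")
    if not 20 <= length <= len(packet):
        raise ValueError("bad Length field")
    found = set()
    for a_type, value in tlvs(packet[20:length]):
        if a_type != VENDOR_SPECIFIC or len(value) < 4:
            continue
        if struct.unpack("!I", value[:4])[0] != VENDOR_MICROSOFT:
            continue
        # A Microsoft VSA holds its own type/length/value sub-attributes.
        found.update(MPPE_KEYS[t] for t, _ in tlvs(value[4:]) if t in MPPE_KEYS)
    return sorted(set(MPPE_KEYS.values()) - found)

# Constructed sample packets (zeroed authenticator and key material).
def _packet(*attrs):
    body = b"".join(attrs)
    return struct.pack("!BBH", ACCESS_ACCEPT, 1, 20 + len(body)) + bytes(16) + body

def _ms_vsa(v_type, data):
    sub = bytes([v_type, 2 + len(data)]) + data
    return bytes([VENDOR_SPECIFIC, 6 + len(sub)]) + struct.pack("!I", VENDOR_MICROSOFT) + sub

PLAIN_ACCEPT = _packet(bytes([18, 4]) + b"ok")  # Reply-Message only, no keys
KEYED_ACCEPT = _packet(_ms_vsa(16, bytes(50)), _ms_vsa(17, bytes(50)))

if __name__ == "__main__":
    print("plain:", missing_mppe_keys(PLAIN_ACCEPT))
    print("keyed:", missing_mppe_keys(KEYED_ACCEPT))
```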
 
thenoob
just joined
Posts: 22
Joined: Wed Mar 27, 2013 2:23 am

Re: Ikev2 + eap radius

Wed Jul 04, 2018 10:53 pm

this thread is as old as my grandma but hey i loved my grandma so i will resurrect this with a simple : " config or it didn't happen" :P

seriously i would love to see how this is configured

i am trying to have a config that can log from android (ikev2 ) and windows (sstp/ ikev2) the only config i was able to run was pptp and l2tp and not behind nat
which is what i am trying to figure out .



client (router /nat ) ==> internet ==> mikrotik ( ikev2 +nat) ==> radius ==> ldap .... been scratching my head bald so i would love to have a export of config
:(
 
Lemahasta
just joined
Topic Author
Posts: 5
Joined: Wed Dec 30, 2015 9:52 am

Re: Ikev2 + eap radius

Mon Jul 09, 2018 2:49 pm

I did check again, if after any of the updates somehow magically it will start working, but no.

ROS 6.42.3, latest freeradius (3.0.17) and windows 10 (1803) client, everything looks the same.
IKEV2 with eap-only, using certificate signed by another self-signed (untrusted) CA.
CA is added to windows trusted store (local, computer, trusted CA).

When using "ikev2 rsa signature" everything works perfectly (windows client is using certificate then signed by the same CA).

When I switch to eap only I get errors:
in mikrotik it's "ipsec no proposal chosen"
in windows I see "rules mismatch"
Both errors seem pretty weird, since changing "rsa signature -> eap only" shouldn't be affecting at all "ipsec proposal", so maybe error is somewhere else, just doesn't show up in debug?

Authentication works perfectly (client passes credentials to mikrotik, mikrotik to radius, radius returns access-accept) and then it just fails with the errors as above.

Maybe there's something with certificate that needs to be changed, but then I'm not sure what.

I'd also love to see working "eap only" ikev2 configuration, just for /ipsec.
 
marwooj
newbie
Posts: 35
Joined: Mon Nov 06, 2017 10:44 am

Re: Ikev2 + eap radius

Mon Jul 16, 2018 11:25 pm

Hi, would you point me to a link with a how-to guide of ipsec for mobile users?
