seho
newbie
Topic Author
Posts: 41
Joined: Fri Aug 09, 2013 11:05 am

IKEv2 EAP-MsCHAPv2 issues with strongSwan

Thu Mar 08, 2018 12:05 pm

Hi to all,

I'm currently fighting with EAP-RADIUS authentication with strongSwan clients. Windows clients are able to connect.

I set up the IPsec peer to use EAP RADIUS as the authentication mode.

The strongSwan output when trying to connect is:

server requested EAP_IDENTITY (id0x00) sending '<username>'
EAP_IDENTITY not supported, sending EAP_NAK

The log on the MikroTik shows:

ipsec,error     bad EAP size

I have enabled logging for the ipsec and radius topics.

When I looked at the log messages with the query to the RADIUS server, I observed the following:

When the Windows client connects, ROS sends a RADIUS authentication message which contains the username.
Mar/08/2018 10:49:13 radius,debug,packet sending Access-Request with id 22 to 192.168.0.254:1812
Mar/08/2018 10:49:13 radius,debug,packet     Signature = 0x5f35f987525aba97cf9bd0f7a0b4f7e6
Mar/08/2018 10:49:13 radius,debug,packet     Called-Station-Id = "192.168.0.3"
Mar/08/2018 10:49:13 radius,debug,packet     Calling-Station-Id = "192.168.0.1"
Mar/08/2018 10:49:13 radius,debug,packet     User-Name = "sebastian"
Mar/08/2018 10:49:13 radius,debug,packet     NAS-Port = 8
Mar/08/2018 10:49:13 radius,debug,packet     NAS-Port-Id = 0x8000000a
Mar/08/2018 10:49:13 radius,debug,packet     NAS-Port-Type = 5
Mar/08/2018 10:49:13 radius,debug,packet     Service-Type = 2
Mar/08/2018 10:49:13 radius,debug,packet     Framed-MTU = 1400
Mar/08/2018 10:49:13 radius,debug,packet     State = 0x0196b4d10094ae0798d2777d7f57291d
Mar/08/2018 10:49:13 radius,debug,packet     EAP-Message = 0x020200441a0202003f31cb3f92c527aa
Mar/08/2018 10:49:13 radius,debug,packet       398b06a04d0de65add5b000000000000
Mar/08/2018 10:49:13 radius,debug,packet       000038ddc4f6883d6648a6820b676c94
Mar/08/2018 10:49:13 radius,debug,packet       cbb7e747103a6e124ffe007365626173
Mar/08/2018 10:49:13 radius,debug,packet       7469616e
Mar/08/2018 10:49:13 radius,debug,packet     Message-Authenticator = 0x94cb4b78be2bc0ee14e9e5518f56e0c8
Mar/08/2018 10:49:13 radius,debug,packet     NAS-Identifier = "MikroTik"
Mar/08/2018 10:49:13 radius,debug,packet     NAS-IP-Address = 192.168.0.3

When the strongSwan client connects, the RADIUS authentication message contains no username.
Mar/08/2018 10:50:04 radius,debug,packet sending Access-Request with id 24 to 192.168.0.254:1812
Mar/08/2018 10:50:04 radius,debug,packet     Signature = 0x2e7e8eefb0187bd8f3517123593ed343
Mar/08/2018 10:50:04 radius,debug,packet     Called-Station-Id = "192.168.0.3"
Mar/08/2018 10:50:04 radius,debug,packet     Calling-Station-Id = "192.168.0.1"
Mar/08/2018 10:50:04 radius,debug,packet     User-Name = ""
Mar/08/2018 10:50:04 radius,debug,packet     NAS-Port = 8
Mar/08/2018 10:50:04 radius,debug,packet     NAS-Port-Id = 0x8000000b
Mar/08/2018 10:50:04 radius,debug,packet     NAS-Port-Type = 5
Mar/08/2018 10:50:04 radius,debug,packet     Service-Type = 2
Mar/08/2018 10:50:04 radius,debug,packet     Framed-MTU = 1400
Mar/08/2018 10:50:04 radius,debug,packet     EAP-Message = 0x020000060300
Mar/08/2018 10:50:04 radius,debug,packet     Message-Authenticator = 0x80bdbc91476090a7013dc3cbc490c03e
Mar/08/2018 10:50:04 radius,debug,packet     NAS-Identifier = "MikroTik"
Mar/08/2018 10:50:04 radius,debug,packet     NAS-IP-Address = 192.168.0.3

This behaviour lets me assume that there is something wrong with the processing of the eap_identity.

Was anybody able to create an IKEv2-based connection to a ROS with strongSwan on the client side, using EAP RADIUS as the authentication mode?

I attached two log files to this post for further investigation. ipsec.0-windows.txt contains the successful connection of a Windows client. ipsec.0.-strongwan.txt contains the log for the failing connection attempt of the strongSwan client.

Thanks in advance.

Kind regards
Sebastian
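The difference between the two Access-Requests above is visible inside the EAP-Message attribute itself. The following decoder is an added example, not code from the post or from RouterOS; it parses the EAP header (RFC 3748) and either the MS-CHAPv2 response body (type 26, RFC 2759) or the Nak body (type 3), using the exact hex bytes from the two log excerpts above. The Windows packet turns out to be an MS-CHAPv2 Response carrying the name, while the strongSwan packet is a Nak whose only listed desired type is 0, i.e. the client offers no alternative method, which matches the "EAP_IDENTITY not supported, sending EAP_NAK" line.

```python
import binascii
import struct

# EAP codes and method types (RFC 3748; type 26 is MS-CHAPv2, RFC 2759)
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 26: "MS-CHAPv2"}

# Sample input constructed from the two EAP-Message attributes in the post's
# RADIUS debug output (hex continuation lines joined together).
WINDOWS_EAP = ("020200441a0202003f31cb3f92c527aa398b06a04d0de65add5b000000000000"
               "000038ddc4f6883d6648a6820b676c94cbb7e747103a6e124ffe007365626173"
               "7469616e")
STRONGSWAN_EAP = "020000060300"


def parse_eap(hex_message):
    """Decode one EAP packet as carried in a RADIUS EAP-Message attribute."""
    data = binascii.unhexlify(hex_message)
    code, identifier, length = struct.unpack("!BBH", data[:4])
    # The length field must cover the whole packet; a mismatch is a malformed EAP message.
    if length != len(data):
        raise ValueError(f"EAP length field {length} does not match {len(data)} bytes")
    info = {"code": EAP_CODES.get(code, code), "id": identifier, "length": length}
    if code not in (1, 2):
        return info  # Success/Failure carry no type or body
    eap_type = data[4]
    body = data[5:]
    info["type"] = EAP_TYPES.get(eap_type, eap_type)
    if eap_type == 3:
        # Nak: the body lists method types the peer would accept; a single 0
        # means the peer has no acceptable alternative to the requested method.
        info["desired_types"] = list(body) or [0]
    elif eap_type == 26:
        # MS-CHAPv2 Response: OpCode, MS-CHAPv2-ID, MS-Length, Value-Size, then a
        # 49-byte value (16 peer challenge + 8 reserved + 24 NT-Response + 1 flags)
        # followed by the peer name.
        opcode, ms_id, ms_len, value_size = struct.unpack("!BBHB", body[:5])
        if ms_len != len(body):
            raise ValueError(f"MS-Length {ms_len} does not match {len(body)} bytes")
        info["mschapv2_opcode"] = opcode
        info["name"] = body[5 + value_size:].decode("ascii", "replace")
    return info


if __name__ == "__main__":
    print("Windows   :", parse_eap(WINDOWS_EAP))
    print("strongSwan:", parse_eap(STRONGSWAN_EAP))
```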
 
seho
newbie
Topic Author
Posts: 41
Joined: Fri Aug 09, 2013 11:05 am

Re: IKEv2 EAP-MsCHAPv2 issues with strongSwan  [SOLVED]

Thu Mar 08, 2018 3:50 pm

I finally found the solution. It didn't have anything to do with the MikroTik router itself.

The strongSwan eap-mschapv2 plugin was missing.

Installing the libcharon-extra-plugins package fixed the problem.

Kind regards,
Sebastian
