IKEv2 EAP-MsCHAPv2 issues with strongSwan

Posted: Thu Mar 08, 2018 12:05 pm
by seho
Hi to all,

I'm currently fighting with the eap-radius authentication with strongSwan clients. Windows clients are able to connect.

I set up the IPsec peer to use eap radius as the authentication mode.

The strongSwan output when trying to connect is:
server requested EAP_IDENTITY (id0x00) sending '<username>'
EAP_IDENTITY not supported, sending EAP_NAK
The log on the MikroTik shows:
ipsec,error     bad EAP size
I have enabled logging for the ipsec and radius topics.

When I look at the log messages with the query to the RADIUS server, I observe the following:
When the Windows client connects, ROS sends a RADIUS authentication message which contains the username.
Mar/08/2018 10:49:13 radius,debug,packet sending Access-Request with id 22 to 192.168.0.254:1812
Mar/08/2018 10:49:13 radius,debug,packet     Signature = 0x5f35f987525aba97cf9bd0f7a0b4f7e6
Mar/08/2018 10:49:13 radius,debug,packet     Called-Station-Id = "192.168.0.3"
Mar/08/2018 10:49:13 radius,debug,packet     Calling-Station-Id = "192.168.0.1"
Mar/08/2018 10:49:13 radius,debug,packet     User-Name = "sebastian"
Mar/08/2018 10:49:13 radius,debug,packet     NAS-Port = 8
Mar/08/2018 10:49:13 radius,debug,packet     NAS-Port-Id = 0x8000000a
Mar/08/2018 10:49:13 radius,debug,packet     NAS-Port-Type = 5
Mar/08/2018 10:49:13 radius,debug,packet     Service-Type = 2
Mar/08/2018 10:49:13 radius,debug,packet     Framed-MTU = 1400
Mar/08/2018 10:49:13 radius,debug,packet     State = 0x0196b4d10094ae0798d2777d7f57291d
Mar/08/2018 10:49:13 radius,debug,packet     EAP-Message = 0x020200441a0202003f31cb3f92c527aa
Mar/08/2018 10:49:13 radius,debug,packet       398b06a04d0de65add5b000000000000
Mar/08/2018 10:49:13 radius,debug,packet       000038ddc4f6883d6648a6820b676c94
Mar/08/2018 10:49:13 radius,debug,packet       cbb7e747103a6e124ffe007365626173
Mar/08/2018 10:49:13 radius,debug,packet       7469616e
Mar/08/2018 10:49:13 radius,debug,packet     Message-Authenticator = 0x94cb4b78be2bc0ee14e9e5518f56e0c8
Mar/08/2018 10:49:13 radius,debug,packet     NAS-Identifier = "MikroTik"
Mar/08/2018 10:49:13 radius,debug,packet     NAS-IP-Address = 192.168.0.3
When the strongSwan client connects, the RADIUS authentication message contains no user name.
Mar/08/2018 10:50:04 radius,debug,packet sending Access-Request with id 24 to 192.168.0.254:1812
Mar/08/2018 10:50:04 radius,debug,packet     Signature = 0x2e7e8eefb0187bd8f3517123593ed343
Mar/08/2018 10:50:04 radius,debug,packet     Called-Station-Id = "192.168.0.3"
Mar/08/2018 10:50:04 radius,debug,packet     Calling-Station-Id = "192.168.0.1"
Mar/08/2018 10:50:04 radius,debug,packet     User-Name = ""
Mar/08/2018 10:50:04 radius,debug,packet     NAS-Port = 8
Mar/08/2018 10:50:04 radius,debug,packet     NAS-Port-Id = 0x8000000b
Mar/08/2018 10:50:04 radius,debug,packet     NAS-Port-Type = 5
Mar/08/2018 10:50:04 radius,debug,packet     Service-Type = 2
Mar/08/2018 10:50:04 radius,debug,packet     Framed-MTU = 1400
Mar/08/2018 10:50:04 radius,debug,packet     EAP-Message = 0x020000060300
Mar/08/2018 10:50:04 radius,debug,packet     Message-Authenticator = 0x80bdbc91476090a7013dc3cbc490c03e
Mar/08/2018 10:50:04 radius,debug,packet     NAS-Identifier = "MikroTik"
Mar/08/2018 10:50:04 radius,debug,packet     NAS-IP-Address = 192.168.0.3
This behaviour leads me to assume that there is something wrong with the processing of the EAP identity.

Was anybody able to create an IKEv2 based connection to a ROS with strongSwan on the client side, using eap radius as the authentication mode?

I attached two log files to this post for further investigation. ipsec.0-windows.txt contains the successful connection of a Windows client. ipsec.0.-strongwan.txt contains the log for the failing connection attempt of the strongSwan client.

Thanks in advance.

Kind regards
Sebastian
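
To make the two EAP-Message values quoted above readable, here is an added decoder for the EAP header and the Nak / EAP-MSCHAPv2 bodies; it is example code written for this thread, not code from the post, MikroTik or strongSwan. Field layouts follow RFC 3748 and the EAP-MSCHAPv2 draft, the hex inputs are copied from the log lines above, and the length check mirrors the condition a router would report as "bad EAP size".

```python
# Decoder for the EAP-Message attribute as printed in RouterOS "radius,debug,packet" logs.
# Added example for this thread (not MikroTik or strongSwan code). The Windows packet
# decodes to an EAP-MSCHAPv2 Response carrying the Name "sebastian"; the strongSwan
# packet decodes to an EAP Nak whose desired-type byte is 0 ("no method I can offer"),
# which is why no User-Name ever reaches the RADIUS server in that attempt.
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 26: "EAP-MSCHAPv2"}
MSCHAPV2_OPCODES = {1: "Challenge", 2: "Response", 3: "Success", 4: "Failure"}


def decode_eap_message(hex_str):
    """Parse one EAP packet (RFC 3748 header plus method data) from its hex form."""
    data = bytes.fromhex(hex_str[2:] if hex_str.startswith("0x") else hex_str)
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length != len(data):
        # A length field that disagrees with the payload is an oversized/undersized EAP packet.
        raise ValueError(f"EAP length field {length} != payload {len(data)} (bad EAP size)")
    result = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code not in (1, 2):
        return result  # Success/Failure carry no Type field
    eap_type = data[4]
    result["type"] = EAP_TYPES.get(eap_type, eap_type)
    body = data[5:]
    if eap_type == 3:  # Nak: one byte per method the peer would accept; 0 means none
        result["desired_types"] = [EAP_TYPES.get(b, b) for b in body]
    elif eap_type == 26:  # EAP-MSCHAPv2: OpCode, MS-CHAPv2-ID, MS-Length, then data
        opcode, ms_id, ms_len = struct.unpack("!BBH", body[:4])
        result["opcode"] = MSCHAPV2_OPCODES.get(opcode, opcode)
        if opcode == 2:  # Response: Value-Size (49) + Peer-Challenge/Reserved/NT-Response/Flags + Name
            value_size = body[4]
            value = body[5:5 + value_size]
            result["peer_challenge"] = value[:16].hex()
            result["nt_response"] = value[24:48].hex()
            result["name"] = body[5 + value_size:].decode("ascii")
    return result


# Inputs constructed by concatenating the EAP-Message hex quoted in the post above.
WINDOWS_EAP = ("0x020200441a0202003f31cb3f92c527aa398b06a04d0de65add5b000000000000"
               "000038ddc4f6883d6648a6820b676c94cbb7e747103a6e124ffe007365626173"
               "7469616e")
STRONGSWAN_EAP = "0x020000060300"

if __name__ == "__main__":
    print(decode_eap_message(WINDOWS_EAP))
    print(decode_eap_message(STRONGSWAN_EAP))
```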

Re: IKEv2 EAP-MsCHAPv2 issues with strongSwan [SOLVED]

Posted: Thu Mar 08, 2018 3:50 pm
by seho
I finally found the solution. It didn't have anything to do with the MikroTik router itself.

The strongSwan eap-mschapv2 plugin was missing.

Installing the libcharon-extra-plugins package fixed the problem.

Kind regards,
Sebastian