eap-mschapv2 and MPPE keys

[Adam Schumacher]

I am trying to get an ike2 ipsec vpn to work on pfsense 2.3.2 (with strongswan 5.5) doing EAP-RADIUS to a FreeRadius server (2.2.9) that comes with Apple server (OS X 10.11).  All of the pieces are connected and communicating properly.  The pfsense is sending the eap-mschapv2 requests to freeradius and freeradius is sending back an Access-Accept.  However, the IKE_AUTH fails because there is no MSK.  Looking at the output of radiusd –X, I see that it is not sending back MS-MPPE-Send-Key/MS-MPPE-Recv-Key, even though use_mppe = yes in the mschap module config.  I’ve tried toggling require_encryption as well with no noticeable difference.  Does anyone have any ideas on how to get FreeRadius to send back the MPPE keys?  We had initially been doing this on an older apple server and I found a reference to a bug in freeradius where rlm_eap_mschap.c was stripping MPPE keys which was fixed in 2010 (#1).  As far as I can tell, the version of freeradius included in El Capitan is many versions newer and should already have this fix.  I can provide any logs/debug/config that may be needed to diagnose, but don’t want to just spam the list with piles of output that wouldn’t help.


::Adam



#1 http://lists.freeradius.org/pipermail/freeradius-users/2010-June/046977.html
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4694 bytes
Desc: not available
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20160929/3ea7bbae/attachment.bin>