StrongSwan IKEv2 - eap-radius - Auth Failing
Chris Myburgh
chris.myburgh1 at gmail.com
Wed Sep 15 21:40:42 CEST 2021
Hi Freeradius Users
I am hoping you can help me. I have been battling the past couple of
days getting StrongSwan (5.9.3) IKEv2 authentication by eap-radius to
work.
FreeRADIUS Version 3.0.23
............
............
............
| (5) eap: Expiring EAP session with state 0x98fe0da799fc17eb
| (5) eap: Finished EAP session with state 0x98fe0da799fc17eb
| (5) eap: Previous EAP request found for state 0x98fe0da799fc17eb, released from the list
| (5) eap: Peer sent packet with method EAP MSCHAPv2 (26)
| (5) eap: Calling submodule eap_mschapv2 to process data
| (5) eap_mschapv2: # Executing group from file /etc/raddb/sites-enabled/default
| (5) eap_mschapv2: authenticate {
| (5) mschap: WARNING: No Cleartext-Password configured. Cannot create NT-Password
| (5) mschap: Creating challenge hash with username: chris
| (5) mschap: Client is using MS-CHAPv2
| (5) mschap: ERROR: FAILED: No NT-Password. Cannot perform authentication
| (5) mschap: ERROR: MS-CHAP2-Response is incorrect
............
............
............
| (5) } # Post-Auth-Type REJECT = updated
| (5) Login incorrect (mschap: FAILED: No NT-Password. Cannot perform authentication): [chris/<via Auth-Type = eap>] (from client rad_clients port 8 cli 172.29.0.1[55829])
| (5) Delaying response for 1.000000 seconds
| Waking up in 0.6 seconds.
==================
Freeradius is using the MySQL driver (driver = "rlm_sql_mysql") and
the eap module is set to use md5 as the default (default_eap_type =
md5).
When I do radtests directly to radius, I receive "Access-Accept" for
PAP, CHAP & MSCHAP authentication types.
However, radtest authentication type eap-md5 also fails stating that
there is no cleartext-password in the radius logs.
My users in freeradius are configured in the radcheck table with the following:
id | username | attribute          | op | value
---+----------+--------------------+----+-----------
1  | chris    | Cleartext-Password | := | chris12345
I've been up and down the configuration, but I cannot seem to figure
it out. To me it seems that when I use the eap for authentication,
it fails to look up the radcheck table for the password.
Any assistance or additional information I can provide to help the
investigation?
TIA
__
Regards
Chris Myburgh
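
The two mschap lines in the log above describe a dependency: MS-CHAPv2 is verified against an NT-Password, which is derived from Cleartext-Password (MD4 over its UTF-16LE encoding) when no NT-Password is supplied. The sketch below is an added example, not part of the original post and not FreeRADIUS code, that models that lookup. The function names, the dict standing in for the user's control attributes, and the sample values are all constructed for illustration.

```python
import struct

# MD4 (RFC 1320) written out because hashlib often lacks it on OpenSSL 3 builds.
_ORDER = (
    range(16),
    (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15),
    (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15),
)
_SHIFT = ((3, 7, 11, 19), (3, 5, 9, 13), (3, 9, 11, 15))
_CONST = (0, 0x5A827999, 0x6ED9EBA1)
_FUNC = (
    lambda x, y, z: (x & y) | (~x & z),
    lambda x, y, z: (x & y) | (x & z) | (y & z),
    lambda x, y, z: x ^ y ^ z,
)

def md4(data: bytes) -> bytes:
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64)
    msg += struct.pack("<Q", len(data) * 8)  # message length in bits
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for rnd in range(3):
            for i, k in enumerate(_ORDER[rnd]):
                t = (a + _FUNC[rnd](b, c, d) + x[k] + _CONST[rnd]) & 0xFFFFFFFF
                s = _SHIFT[rnd][i % 4]
                t = ((t << s) | (t >> (32 - s))) & 0xFFFFFFFF
                a, b, c, d = d, t, b, c  # rotate the four registers
        state = [(v + w) & 0xFFFFFFFF for v, w in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)

def nt_password(control: dict):
    """Return the 16-byte NT hash MS-CHAP needs, or None if it cannot be built."""
    if "NT-Password" in control:
        return bytes.fromhex(control["NT-Password"])
    if "Cleartext-Password" in control:
        # NT hash = MD4 over the UTF-16LE encoding of the password
        return md4(control["Cleartext-Password"].encode("utf-16-le"))
    return None  # the "No NT-Password. Cannot perform authentication" case

# Constructed sample control lists (not taken from any real database)
SAMPLES = {
    "cleartext": {"Cleartext-Password": "password"},
    "empty": {},  # no password attribute reached the module
    "one_way_hash": {"Crypt-Password": "$6$constructed$placeholder"},
}
```

A one-way hash such as Crypt-Password yields `None` here for the same reason an empty control list does: neither can be turned into an NT hash.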