On Mar 21, 2020, at 9:23 PM, Sam T <givemesam@gmail.com> wrote:
I have been working hard at making our already wonderful freeradius implementation also work with some VPN radius functions. A lot of this is a bit over my head, but i am grasping it as i go. So far, this server config works great for user/pass on PPTP, L2TP, OpenVPN, Soft-ether AAA but I am getting stuck with IKEv2.
Ideally we can get ikev2 working on all devices, but it does require a lot of certificate work. I have been able to deal with the cert stuff from client, to router, and get the router to send the radius request, it comes back timeout. I tried it with also loading the cert chain in eap.conf but it didnt make a difference. i saw the <no User-Password attribute> in the radius.log either way.
And what does the debug log say?
I think the issue is with something with the password being sent from the router, maybe it is hashed, maybe it is not sent, but this is what i see in the radius.log:
Sun Mar 22 00:10:28 2020 : Auth: Login incorrect: [user123/<no User-Password attribute>] (from client wificpa port 0 cli 444.555.666.777)
Any idea where i should dig, or what i should do to see why we see user123/<no User-Password attribute>?
The debug output? Read http://wiki.freeradius.org/list-help
Is this the app not sending it, the router not sending it, or it arriving in some other attribute that radius is not listening for? (hashed, something specific for EAP?)
If it's EAP, then there may not be a User-Password. Again... see the debug log for more information.
I found that specifying the cert chain didnt make a difference when adding them in eap.conf, but here are some of those configs, and I will also include a -X:
Read http://wiki.freeradius.org/list-help We do NOT need to see configuration files. We DO need to see "radiusd -X" where it RECEIVES PACKETS. We do NOT need to see a debug output ending in:
Failed binding to authentication address * port 1812: Address already in use /etc/freeradius/radiusd.conf[20]: Error binding to port for 0.0.0.0 port 1812
That does not help at all.
Android StrongSwan verifies all the cert stuff is ok, but errors and logs: N(Auth_FAILED)
From router log:
You cannot debug a server issue by looking at the client logs. All of this is *extensively* documented. Follow the documentation. Post the information that the documentation says we need. Do NOT post random other things that the documentation says we do NOT need. Alan DeKok.