When strongswan is configured to use the eap-radius plugin, there is no additional configuration for strongswan to indicate what EAP method should be used. Please excuse my ignorance as I'm still learning these things, but isn't the EAP protocol initiated by the authenticator, in this case strongswan, and by proxy, freeradius?
From RFC 5996 (IKEv2), section 2.16:
An initiator indicates a desire to use EAP by leaving out the AUTH payload from the first message in the IKE_AUTH exchange. (Note that the AUTH payload is required for non-EAP authentication, and is thus not marked as optional in the rest of this document.) By including an IDi payload but not an AUTH payload, the initiator has declared an identity but has not proven it. If the responder is willing to use an EAP method, it will place an Extensible Authentication Protocol (EAP) payload in the response of the IKE_AUTH exchange and defer sending SAr2, TSi, and TSr until initiator authentication is complete in a subsequent IKE_AUTH exchange.
From what I can gather from the logs and packet captures, at this point strongswan sends an Access-Request to freeradius containing the identity but no credentials (because they don't yet exist). It's reasonable to then wonder if it's now the responsibility of freeradius to initiate the EAP exchange and request the peer to provide the necessary credentials.
Is this not the case? Again please excuse the ignorance -- between IKEv2, RADIUS, EAP, all the various EAP methods, strongswan, freeradius, and each their myriad plugins, it's quite difficult to even understand how these protocols should be working together. Even just a quick example of a working integration between strongswan and freeradius from someone who has done it before would be very valuable. On Fri, Mar 16, 2018 at 9:29 AM Alan DeKok <aland@deployingradius.com> wrote:
On Mar 16, 2018, at 5:10 AM, karthik kumar <kumarkarthikn@gmail.com> wrote:
I am setting up 2factor auth and we use Strongswan as our VPN server. I use FreeRADIUS as backend of Strongwan.
This is the setup mac osx (ikev2 with eap-mschapv2) ---> Strongswan ---> FreeRADIUS --> multiotp
First I tried with clear text password in /etc/raddb/users and it is successful. For 2factor I need to pair it with multiOTP. I followed the doc https://wiki.freeradius.org/guide/multiOTP-HOWTO ... But when I use Strongswan, there is no MS-CHAP-Challenge (i tried with %{mschap:Challenge})
Then fix Strongswan so that it sends the MS-CHAP-Challenge.
No amount of poking FreeRADIUS will magically create that attribute. Only Strongswan can do that.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html