Thank you for the advice. What you are trying to do: Get radius to work with mikrotik ikev2 authorization / client has self signed CA cert, Server has signed server + CA cert - why you are trying to do it: to add ikev2 radius auth while also supporting wifi authorization (which is working great) - what you expect the server to do: to accept user pass from mikrotik, and provide authorization reply w/ radreply attributes - what the server does instead (i.e. debug output). see output (my previous submission ran freeradius -X on top of a running server, this time i followed the instructions, here is 1 clean process of the ikev2 request) rad_recv: Access-Request packet from host 45.63.66.220 port 40641, id=66, length=143 User-Name = "maxx09" Called-Station-Id = "444.555.666.777" Calling-Station-Id = "222.333.444.555" NAS-Port-Id = "\000\000\000\r" NAS-Port-Type = Virtual Service-Type = Framed-User Event-Timestamp = "Mar 22 2020 16:54:39 UTC" Framed-MTU = 1400 EAP-Message = 0x0200000b016d6178783039 Message-Authenticator = 0xa0d6653f0433fd6aaba395e394bb7def NAS-Identifier = "router01" NAS-IP-Address = 45.63.66.220 # Executing section authorize from file /etc/freeradius/sites-enabled/server01.rad +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "maxx09", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [sql] expand: %{User-Name} -> maxx09 [sql] sql_set_user escaped user --> 'maxx09' rlm_sql (sql): Reserving sql socket id: 4 [sql] expand: SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE Username = REPLACE('%{SQL-User-Name}',':','-') AND ExpDate >= now() ORDER BY id -> SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE Username = REPLACE('maxx09',':','-') AND ExpDate >= now() ORDER BY id [sql] User found in radcheck table [sql] expand: SELECT id, UserName, REPLACE(Attribute,'Max-Octets','ChilliSpot-Max-Total-Octets') AS Attribute, Value, REPLACE(op,':=','=') AS op FROM radreply WHERE Username = REPLACE('%{SQL-User-Name}',':','-') ORDER BY id -> SELECT id, UserName, REPLACE(Attribute,'Max-Octets','ChilliSpot-Max-Total-Octets') AS Attribute, Value, REPLACE(op,':=','=') AS op FROM radreply WHERE Username = REPLACE('maxx09',':','-') ORDER BY id [sql] expand: SELECT GroupName FROM usergroup WHERE UserName=REPLACE('%{SQL-User-Name}',':','-') -> SELECT GroupName FROM usergroup WHERE UserName=REPLACE('maxx09',':','-') rlm_sql (sql): Released sql socket id: 4 ++[sql] returns ok rlm_sqlcounter: Entering module authorize code rlm_sqlcounter: Could not find Check item value pair ++[noresetcounter] returns noop rlm_sqlcounter: Entering module authorize code rlm_sqlcounter: Could not find Check item value pair ++[dailycounter] returns noop rlm_sqlcounter: Entering module authorize code rlm_sqlcounter: Could not find Check item value pair ++[monthlycounter] returns noop !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Replacing User-Password in config items with Cleartext-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Please update your configuration so that the "known good" !!! !!! clear text password is in Cleartext-Password, and not in User-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! WARNING: Please update your configuration, and remove 'Auth-Type = Local' WARNING: Use the PAP or CHAP modules instead. No User-Password or CHAP-Password attribute in the request. Cannot perform authentication. Failed to authenticate the user. Login incorrect: [maxx09/<no User-Password attribute>] (from client wificpa port 0 cli 222.333.444.555) Delaying reject of request 0 for 1 seconds Going to the next request Waking up in 0.9 seconds. rad_recv: Access-Request packet from host 45.63.66.220 port 40641, id=66, length=143 Waiting to send Access-Reject to client wificpa port 40641 - ID: 66 Waking up in 0.6 seconds. rad_recv: Access-Request packet from host 45.63.66.220 port 40641, id=66, length=143 Waiting to send Access-Reject to client wificpa port 40641 - ID: 66 Waking up in 0.3 seconds. Sending delayed reject for request 0 Sending Access-Reject of id 66 to 45.63.66.220 port 40641 WISPr-Bandwidth-Max-Up = 200000000 WISPr-Bandwidth-Max-Down = 200000000 Acct-Interim-Interval = 300 Session-Timeout = 90000 Idle-Timeout = 90000 Mikrotik-Rate-Limit = "" WISPr-Session-Terminate-Time = "2021-03-31T08:00:00+00:00" Waking up in 4.9 seconds. Cleaning up request 0 ID 66 with timestamp +16 Ready to process requests. i ran one with non EAP, and it still gave this warning block, but it authorized, i think the issue is the password is not being sent? or its hashed somehow? (is that what EAP-message is?) this one is not ikev2. !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Replacing User-Password in config items with Cleartext-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Please update your configuration so that the "known good" !!! !!! clear text password is in Cleartext-Password, and not in User-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! WARNING: Please update your configuration, and remove 'Auth-Type = Local' WARNING: Use the PAP or CHAP modules instead. User-Password in the request is correct. Login OK: [auth00/000000] (from client wificpa port 0) On Sun, Mar 22, 2020 at 6:00 AM Alan DeKok <aland@deployingradius.com> wrote:
On Mar 21, 2020, at 9:23 PM, Sam T <givemesam@gmail.com> wrote:
I have been working hard at making our already wonderful freeradius implementation also work with some VPN radius functions. A lot of this
is a
bit over my head, but i am grasping it as i go. So far, this server config works great for user/pass on PPTP, L2TP, OpenVPN, Soft-ether AAA but I am getting stuck with IKEv2.
Ideally we can get ikev2 working on all devices, but it does require a lot of certificate work. I have been able to deal with the cert stuff from client, to router, and get the router to send the radius request, it comes back timeout. I tried it with also loading the cert chain in eap.conf but it didnt make a difference. i saw the <no User-Password attribute> in the radius.log either way.
And what does the debug log say?
I think the issue is with something with the password being sent from the router, maybe it is hashed, maybe it is not sent, but this is what i see in the radius.log:
Sun Mar 22 00:10:28 2020 : Auth: Login incorrect: [user123/<no User-Password attribute>] (from client wificpa port 0 cli 444.555.666.777)
Any idea where i should dig, or what i should do to see why we see user123/<no User-Password attribute>?
The debug output?
Read http://wiki.freeradius.org/list-help
Is this the app not sending it, the router not sending it, or it arriving in some other attribute that radius is not listening for? (hashed, something specific for EAP?)
If it's EAP, then there may not be a User-Password. Again... see the debug log for more information.
I found that specifying the cert chain didnt make a difference when adding them in eap.conf, but here are some of those configs, and I will also include a -X:
Read http://wiki.freeradius.org/list-help
We do NOT need to see configuration files. We DO need to see "radiusd -X" where it RECEIVES PACKETS. We do NOT need to see a debug output ending in:
Failed binding to authentication address * port 1812: Address already in use /etc/freeradius/radiusd.conf[20]: Error binding to port for 0.0.0.0 port 1812
That does not help at all.
Android StrongSwan verifies all the cert stuff is ok, but errors and logs: N(Auth_FAILED)
From router log:
You cannot debug a server issue by looking at the client logs.
All of this is *extensively* documented. Follow the documentation. Post the information that the documentation says we need. Do NOT post random other things that the documentation says we do NOT need.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html