Strongswan integration, Access-Request contains no credentials?

Phil Frost phil at
Thu Mar 15 22:49:22 CET 2018

I'm attempting to configure an IKEv2 VPN which uses strongswan's eap-radius
plugin to delegate authentication to freeradius. I've configured freeradius
to authenticate against Active Directory by executing ntlm_auth, and I'm
hoping to use mschapv2 authentication.

I'm able to successfully authenticate with radtest:

radtest -x -t mschap phil.frost redacted 0 redacted
Sending Access-Request of id 193 to port 1812
  User-Name = "phil.frost"
  NAS-IP-Address =
  NAS-Port = 0
  Message-Authenticator = 0x00000000000000000000000000000000
  MS-CHAP-Challenge = redacted
  MS-CHAP-Response = redacted
rad_recv: Access-Accept packet from host port 1812, id=193,
  MS-CHAP-MPPE-Keys = redacted
  MS-MPPE-Encryption-Policy = redacted
  MS-MPPE-Encryption-Types = redacted

I'm also able to connect to the VPN if I use the eap-mschapv2 strongswan
plugin in lieu of eap-radius and configure a plaintext password in
strongswan's user database.

So it would appear the issue is the integration between the two. Should
strongswan be including the credentials? Or should freeradius be doing
something to indicate the VPN client should present them? I've learned many
ways things could work, but a hint at how they *should* work in this case
would very much help me narrow what's otherwise been a fruitless search
through a combinatorial explosion of RFCs and protocol options.

This seems to be the most salient part of the freeradius output. The
unabbridged debug output is attached.

rad_recv: Access-Request packet from host port 60479, id=236,
        User-Name = "phil.frost"
        NAS-Port-Type = Virtual
        Service-Type = Framed-User
        NAS-Port = 5
        NAS-Port-Id = "ikev2-vpn"
        NAS-IP-Address =
        Called-Station-Id = "[4500]"
        Calling-Station-Id = "[4500]"
        NAS-Identifier = "strongSwan"
        Message-Authenticator = redacted
# Executing section authorize from file
+group authorize {
++[preprocess] = ok
++[mschap] = noop
+} # group authorize = ok
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting
the user
Failed to authenticate the user.

More information about the Freeradius-Users mailing list