multiotp with strongswan has no (ms)-chap-challenge

Alan DeKok aland at
Fri Mar 16 15:52:36 CET 2018

On Mar 16, 2018, at 2:11 PM, Phil Frost <phil at> wrote:
> When strongswan is configured to use the eap-radius plugin, there is no
> additional configuration for strongswan to indicate what EAP method should
> be used. Please excuse my ignorance as I'm still learning these things, but
> isn't the EAP protocol initiated by the authenticator, in this case
> strongswan, and by proxy, freeradius?


  EAP is initiated by Strongswan.  FreeRADIUS just receives what Strongswan is sending.

> From RFC 5996 (IKEv2), section 2.16:

  Utterly irrelevant.

> From what I can gather from the logs and packet captures, at this point
> strongswan sends an Access-Request to freeradius containing the identity
> but no credentials (because they don't yet exist). It's reasonable to then
> wonder if it's now the responsibility of freeradius to initiate the EAP
> exchange and request the peer to provide the necessary credentials.

  Not in your case.  There's no authentication attributes in the packet.

  i.e. no EAP-Message.  No User-Password.  No MS-CHAP-Password, etc.

  No amount of poking FreeRADIUS will cause Strongswan to add those attributes to the packet.  Only Strongswan can create those attributes.

> Is this not the case? Again please excuse the ignorance -- between IKEv2,
> RADIUS, EAP, all the various EAP methods, strongswan, freeradius, and each
> their myriad plugins, it's quite difficult to even understand how these
> protocols should be working together.

  The RADIUS client (e.g. Strongswan) creates things, and sends them to the RADIUS server.

> Even just a quick example of a
> working integration between strongswan and freeradius from someone who has
> done it before would be very valuable.

  FreeRADIUS will authenticate any known user.  It doesn't matter what the client is.  The client can be PPPoE, a WiFi access point, VPN, or Strongswan.  99.99% of the configuration of FreeRADIUS is *identical*:

- add a known user
- add a password for that user (ideally Cleartext-Password for testing)
- for EAP methods, add CA, server cert

  That's it for the *server side* of things.

  When I say *No amount of poking FreeRADIUS will magically create that attribute.  Only Strongswan can do that.*... I really mean it.  Please don't respond with "but how do I configure FreeRADIUS..."  I already told you that you need to configure the *client*.

  Go ask the Strongswan people how to configure their software.  As soon as it's sending packets with EAP-Message or MS-CHAP-... attributes, then come back and ask us for help with FreeRADIUS.

  Until the client sends the right data, you're just wasting your time trying to muck with FreeRADIUS.  It won't help, and it will just get you confused.  Ignore FreeRADIUS and all of its configuration.  Concentrate on Strongswan.

  Alan DeKok.
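The check Alan describes (does the Access-Request carry any credential attribute at all?) can be made against a packet capture before touching either configuration. The following is an added example, not code from the thread, FreeRADIUS or strongSwan; the packets are constructed inline, the attribute numbers come from RFC 2865, RFC 3579 and RFC 2548 (Microsoft vendor id 311), and the function and constant names are my own.

```python
import struct

# RADIUS attribute types (RFC 2865 / RFC 3579) and Microsoft VSAs (RFC 2548)
USER_NAME, USER_PASSWORD, CHAP_PASSWORD, VENDOR_SPECIFIC, EAP_MESSAGE = 1, 2, 3, 26, 79
MS_VENDOR_ID = 311
MS_VSA_NAMES = {1: "MS-CHAP-Response", 11: "MS-CHAP-Challenge", 25: "MS-CHAP2-Response"}
AUTH_ATTR_NAMES = {USER_PASSWORD: "User-Password", CHAP_PASSWORD: "CHAP-Password",
                   EAP_MESSAGE: "EAP-Message"}

def build_access_request(attrs, ident=1):
    """Build an Access-Request (code 1) from (type, value) pairs. The 16-byte
    Request Authenticator is zeroed: this is a constructed packet for inspecting
    the attribute list, not something a server would accept as authentic."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", 1, ident, 20 + len(body)) + bytes(16) + body

def ms_vsa(vsa_type, value):
    """Encode the value of a Microsoft Vendor-Specific attribute (vendor 311)."""
    return struct.pack("!IBB", MS_VENDOR_ID, vsa_type, len(value) + 2) + value

def auth_attributes(packet):
    """Return the names of credential-carrying attributes found in a RADIUS packet."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("bad RADIUS length field")
    found, pos = [], 20
    while pos < length:                      # walk the TLV attribute list
        t, l = packet[pos], packet[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("malformed attribute")
        value = packet[pos + 2:pos + l]
        if t in AUTH_ATTR_NAMES:
            found.append(AUTH_ATTR_NAMES[t])
        elif t == VENDOR_SPECIFIC and len(value) >= 6:
            vendor, vtype = struct.unpack("!IB", value[:5])
            if vendor == MS_VENDOR_ID and vtype in MS_VSA_NAMES:
                found.append(MS_VSA_NAMES[vtype])
        pos += l
    return found

# Constructed samples: identity only (the situation in the thread), then what a
# client doing EAP (EAP-Response/Identity) or MS-CHAPv2 would send instead.
IDENTITY_ONLY = build_access_request([(USER_NAME, b"phil")])
WITH_EAP = build_access_request([(USER_NAME, b"phil"), (EAP_MESSAGE, b"\x02\x01\x00\x09\x01phil")])
WITH_MSCHAP = build_access_request([(USER_NAME, b"phil"),
                                    (VENDOR_SPECIFIC, ms_vsa(11, bytes(16))),
                                    (VENDOR_SPECIFIC, ms_vsa(25, bytes(50)))])

if __name__ == "__main__":
    for name, pkt in [("identity-only", IDENTITY_ONLY), ("eap", WITH_EAP), ("mschap", WITH_MSCHAP)]:
        print(name, auth_attributes(pkt) or "no credential attributes: configure the client")
```

An empty result for a real capture means the client never sent credentials, which is the case Alan is pointing at; no server-side change will populate that list.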
