StrongSwan IKEv2 - eap-radius - Auth Failing

Matthew Newton mcn at freeradius.org
Wed Sep 15 22:41:27 CEST 2021



On 15/09/2021 21:28, Chris Myburgh wrote:
> Listening on acct address :: port 1813 bound to server default
> Ready to process requests
> (0) Received Access-Request Id 147 from 172.31.0.3:49093 to
> 172.31.0.2:1812 length 155
...
> (0) eap: Peer sent packet with method EAP Identity (1)
> (0) eap: Calling submodule eap_md5 to process data
> (0) eap_md5: Issuing MD5 Challenge

If the incoming request is always (or predominantly) mschapv2, you'll 
save a round trip by updating the default eap type.


> (2) Received Access-Request Id 149 from 172.31.0.3:49093 to
> 172.31.0.2:1812 length 227
> (2)   User-Name = "chris"
...
> (2)   Message-Authenticator = 0x8382b4b312204426bfcb9822696d9ff1
> (2) session-state: No cached attributes
> (2) # Executing section authorize from file /etc/raddb/sites-enabled/default
> (2)   authorize {
> (2)     [preprocess] = ok
> (2)     [chap] = noop
> (2)     [mschap] = noop
> (2) eap: Peer sent EAP Response (code 2) ID 2 length 64
> (2) eap: No EAP Start, assuming it's an on-going EAP conversation
> (2)     [eap] = updated
> (2)   } # authorize = updated
> (2) Found Auth-Type = eap
...
> (2) eap: Peer sent packet with method EAP MSCHAPv2 (26)
> (2) eap: Calling submodule eap_mschapv2 to process data
> (2) eap_mschapv2: # Executing group from file /etc/raddb/sites-enabled/default
> (2) eap_mschapv2:   authenticate {
> (2) mschap: WARNING: No Cleartext-Password configured.  Cannot create
> NT-Password
> (2) mschap: Creating challenge hash with username: chris
> (2) mschap: Client is using MS-CHAPv2
> (2) mschap: ERROR: FAILED: No NT-Password.  Cannot perform authentication
> (2) mschap: ERROR: MS-CHAP2-Response is incorrect
> (2) eap_mschapv2:     [mschap] = reject
> (2) eap_mschapv2:   } # authenticate = reject


Here. You're calling eap, but haven't called sql beforehand, so the 
attribute hasn't been added. (It's afterwards in the default config as 
you normally want to short circuit on eap, but this is direct 
eap-mschapv2, so there's no inner tunnel.)

Add a call to `sql` before the call to `eap` and you should get further.

-- 
Matthew
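Added illustration of the ordering change described in the reply (this is not Matthew's text or the FreeRADIUS project's shipped configuration): the stock authorize section, where `-sql` runs after `eap`, next to the corrected order where `sql` populates the password attribute before `eap_mschapv2` hands off to `mschap`. The file path is taken from the quoted log; the radcheck row in the comment is constructed.

```unlang
# /etc/raddb/sites-enabled/default  (path as shown in the quoted debug output)

# Before: the stock ordering. eap runs first and "ok = return" stops the
# section, so sql never runs and no Cleartext-Password / NT-Password is
# in the control list when eap_mschapv2 calls mschap. With an inner tunnel
# (PEAP/TTLS) that is fine, because the inner server looks the user up;
# with direct eap-mschapv2 there is no inner tunnel, so it fails as logged.
#authorize {
#    preprocess
#    chap
#    mschap
#    eap {
#        ok = return
#    }
#    -sql
#}

# After: sql runs before eap. The user's radcheck row supplies the password
# attribute (constructed example row: 'chris' | 'Cleartext-Password' | ':=' | '<secret>'),
# so mschap can derive NT-Password and verify the MS-CHAP2-Response.
# The leading '-' keeps the section loadable if the sql module is not enabled;
# the module itself must still be enabled under mods-enabled/ for the lookup to run.
authorize {
    preprocess
    chap
    mschap
    -sql
    eap {
        ok = return
    }
}

# Optional, per the first remark in the reply: if peers are predominantly
# MSCHAPv2, skipping the initial MD5 challenge saves one round trip.
# /etc/raddb/mods-available/eap (assumed standard path)
#eap {
#    default_eap_type = mschapv2
#    ...
#}
```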

