[strongSwan] verification of AUTH payload without EAP MSK failed
Christian Salway
2018-07-10 06:57:02 UTC
Why would it fail after getting an approved access from RADIUS

12[CFG] sending RADIUS Access-Request to server 'primary'
16[MGR] ignoring request with ID 5, already processing
09[MGR] ignoring request with ID 5, already processing
12[CFG] received RADIUS Access-Accept from server 'primary'
12[IKE] RADIUS authentication of 'test' successful
12[IKE] EAP method EAP_MSCHAPV2 succeeded, no MSK established
12[ENC] generating IKE_AUTH response 5 [ EAP/SUCC ]
12[NET] sending packet: from 172.31.19.40[4500] to 86.2.58.36[4500] (80 bytes)
06[NET] received packet: from 86.2.58.36[4500] to 172.31.19.40[4500] (112 bytes)
06[ENC] parsed IKE_AUTH request 6 [ AUTH ]
06[IKE] verification of AUTH payload without EAP MSK failed
06[ENC] generating IKE_AUTH response 6 [ N(AUTH_FAILED) ]
Christian Salway
2018-07-10 18:58:23 UTC
Any ideas on this one, guys? Can't find a solution and it's stopped us proceeding. I've emailed Duo support, who we use as a RADIUS proxy for MFA, but no word back from them either.
Tobias Brunner
2018-07-11 09:54:56 UTC
Hi Christian,
Post by Christian Salway
Why would it fail after getting an approved access from RADIUS
...
12[IKE] EAP method EAP_MSCHAPV2 succeeded, no MSK established
If the EAP method is key-generating, which EAP-MSCHAPv2 is, the
authentication will not succeed without an MSK, which the RADIUS server
should provide in MS-MPPE-Send|Recv-Key attributes in the Access-Accept
message (see e.g. [1] for a note regarding older FreeRADIUS versions and
EAP-MSCHAPv2).

Regards,
Tobias

[1]
https://wiki.strongswan.org/projects/strongswan/wiki/EAPRADIUS#RADIUS-servers
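Added example, not part of the original thread and not strongSwan or Duo code: a way to check whether a captured Access-Accept carries the two attributes named in the reply above. The vendor id (311) and vendor types (16, 17) are from RFC 2548; the function names and sample packets are constructed for illustration.

```python
import struct

ACCESS_ACCEPT, VENDOR_SPECIFIC = 2, 26   # RFC 2865 packet code and attribute type
MICROSOFT = 311                          # RFC 2548 vendor id
MPPE = {16: "MS-MPPE-Send-Key", 17: "MS-MPPE-Recv-Key"}


def mppe_keys_in_accept(packet: bytes) -> set:
    """Names of the MS-MPPE key attributes found in a raw Access-Accept."""
    if len(packet) < 20:
        raise ValueError("shorter than a RADIUS header")
    code, _, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or not 20 <= length <= len(packet):
        raise ValueError("not a well-formed Access-Accept")
    found, pos = set(), 20               # attributes follow the 16-byte authenticator
    while pos + 2 <= length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        value = packet[pos + 2:pos + alen]
        if atype == VENDOR_SPECIFIC and len(value) >= 6:
            vendor = struct.unpack("!I", value[:4])[0]
            sub = 4                      # vendor sub-attributes follow the vendor id
            while vendor == MICROSOFT and sub + 2 <= len(value):
                vtype, vlen = value[sub], value[sub + 1]
                if vlen < 2 or sub + vlen > len(value):
                    raise ValueError("malformed vendor attribute")
                if vtype in MPPE:
                    found.add(MPPE[vtype])
                sub += vlen
        pos += alen
    return found


def has_both_mppe_keys(packet: bytes) -> bool:
    """Presence check only; the key values are not decrypted or validated."""
    return mppe_keys_in_accept(packet) == set(MPPE.values())

# Helpers that build constructed test packets (dummy key bytes, zero authenticator).
def attr(t, v):
    return bytes([t, len(v) + 2]) + v
def vsa(vt, v):
    return attr(VENDOR_SPECIFIC, struct.pack("!I", MICROSOFT) + attr(vt, v))
def accept(attrs):
    return struct.pack("!BBH", ACCESS_ACCEPT, 5, 20 + len(attrs)) + bytes(16) + attrs

# Constructed samples: one Access-Accept with both keys, one with them missing.
WITH_KEYS = accept(attr(1, b"test") + vsa(16, bytes(34)) + vsa(17, bytes(34)))
STRIPPED = accept(attr(1, b"test"))
```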
Christian Salway
2018-07-11 10:59:39 UTC
Hi Tobias,

I found that paragraph just after writing my last email :)

The RADIUS Proxy is https://duo.com/docs/radius who have written back to me asking for logs so will see what they say.

Kind regards,

Christian Salway
IT Consultant - Naimuri

T: +44 7463 331432
E: ***@naimuri.com
A: Naimuri Ltd, Capstan House, Manchester M50 2UW