Project

General

Profile

Actions

Bug #6481

open

loading EAP_RADIUS method failed

Added by Adam Thompson over 8 years ago. Updated over 4 years ago.

Status:
New
Priority:
Normal
Assignee:
-
Category:
IPsec
Target version:
-
Start date:
06/11/2016
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
Release Notes:
Affected Version:
2.3.1
Affected Architecture:

Description

pfSense 2.3.1-RELEASE (i386)

Enabled EAP-MSCHAPv2 per https://doc.pfsense.org/index.php/IKEv2_with_EAP-MSCHAPv2, got it working with a local test user.
Realized I can't authenticate against existing LDAP servers (this should be solvable with Hybrid+Xauth or EAP-TTLS, but that's a feature request, not a bug).
Ensured NPS was configured correctly on my domain controller.
Switched to EAP-RADIUS per https://doc.pfsense.org/index.php/IKEv2_with_EAP-RADIUS.
Failed to authenticate.
Observed this error in the system logs:

Jun 11 16:20:29 remote charon: 05[IKE] loading EAP_RADIUS method failed

but "ipsec listplugins" does show eap-radius as available.
"ipsec statusall" shows eap-radius as already loaded.

Turning up debug levels on the various IPsec components reveals nothing further: no matter what I do (short of rebooting, which I'm not going to do because I'm remote right now!) all I get is that "loading method failed" error.

And yes, I've restarted ipsec.

When I switch back to EAP-MSCHAPv2 and local authentication, the same section of the log looks like this:
Jun 11 16:40:29 remote charon: 13[IKE] <con1|1> initiating EAP_MSCHAPV2 method (id 0xA7)
Jun 11 16:40:29 remote charon: 13[ENC] <con1|1> generating IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
Jun 11 16:40:29 remote charon: 13[NET] <con1|1> sending packet: from 205.200.228.1564500 to 99.241.214.20241486 (100 bytes)
Jun 11 16:40:29 remote charon: 13[NET] <con1|1> received packet: from 99.241.214.20241486 to 205.200.228.1564500 (132 bytes)
Jun 11 16:40:29 remote charon: 13[ENC] <con1|1> parsed IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]
Jun 11 16:40:29 remote charon: 13[ENC] <con1|1> generating IKE_AUTH response 3 [ EAP/REQ/MSCHAPV2 ]
Jun 11 16:40:29 remote charon: 13[NET] <con1|1> sending packet: from 205.200.228.1564500 to 99.241.214.20241486 (132 bytes)
Jun 11 16:40:29 remote charon: 13[NET] <con1|1> received packet: from 99.241.214.20241486 to 205.200.228.1564500 (68 bytes)
Jun 11 16:40:29 remote charon: 13[ENC] <con1|1> parsed IKE_AUTH request 4 [ EAP/RES/MSCHAPV2 ]
Jun 11 16:40:29 remote charon: 13[IKE] <con1|1> EAP method EAP_MSCHAPV2 succeeded, MSK established

Not 100% certain it's a bug, but looks like one from here. I'm not 100% sure the RADIUS server is configured correctly, but if not, I would hope to get more useful output than "failed to load". All the google hits are about Strongswan (duh...) and all of them refer to not having the correct modules built. But it's already loaded.

Confused.

Actions #1

Updated by Chris Buechler over 8 years ago

happened to encounter this with a support customer today. It appears a reload of strongswan doesn't correctly enable EAP_RADIUS, you have to restart or stop then start.

Adam: if you reboot, or stop then start strongswan, does that work?

Actions #2

Updated by Randy Snow over 8 years ago

I wanted to jump in to say I just had this same issue on 2.3.2 today. Same log message and everything. Confirming you actually have to stop the process and then start it back up. The restart in the pfsense gui did not appear to remedy the issue.

Actions #3

Updated by Gustav Aspeling over 7 years ago

Smallish update 2.3.2-RELEASE-p1 still suffers from the same problem.

Actions #4

Updated by Harry Gonzalez over 6 years ago

This bug is still present on the 2.4.3 release.

Actions #5

Updated by Friedrich Schnabel over 6 years ago

I can confirm the bug is still on 2.4.3.

Actions #6

Updated by Rafael Sant'Anna over 4 years ago

This bug keep in 2.4.4 release.

Actions

Also available in: Atom PDF