Bug #6481

open

loading EAP_RADIUS method failed

Added by Adam Thompson over 5 years ago. Updated over 1 year ago.

Status: New
Priority: Normal
Assignee: -
Category: IPsec
Target version: -
Start date: 06/11/2016
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Release Notes:
Affected Version: 2.3.1
Affected Architecture:

Description

pfSense 2.3.1-RELEASE (i386)

Enabled EAP-MSCHAPv2 per https://doc.pfsense.org/index.php/IKEv2_with_EAP-MSCHAPv2, got it working with a local test user.
Realized I can't authenticate against existing LDAP servers (this should be solvable with Hybrid+Xauth or EAP-TTLS, but that's a feature request, not a bug).
Ensured NPS was configured correctly on my domain controller.
Switched to EAP-RADIUS per https://doc.pfsense.org/index.php/IKEv2_with_EAP-RADIUS.
Failed to authenticate.
Observed this error in the system logs:

Jun 11 16:20:29 remote charon: 05[IKE] loading EAP_RADIUS method failed

but "ipsec listplugins" does show eap-radius as available.
"ipsec statusall" shows eap-radius as already loaded.

Turning up debug levels on the various IPsec components reveals nothing further: no matter what I do (short of rebooting, which I'm not going to do because I'm remote right now!) all I get is that "loading method failed" error.

And yes, I've restarted ipsec.

When I switch back to EAP-MSCHAPv2 and local authentication, the same section of the log looks like this:
Jun 11 16:40:29 remote charon: 13[IKE] <con1|1> initiating EAP_MSCHAPV2 method (id 0xA7)
Jun 11 16:40:29 remote charon: 13[ENC] <con1|1> generating IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
Jun 11 16:40:29 remote charon: 13[NET] <con1|1> sending packet: from 205.200.228.1564500 to 99.241.214.20241486 (100 bytes)
Jun 11 16:40:29 remote charon: 13[NET] <con1|1> received packet: from 99.241.214.20241486 to 205.200.228.1564500 (132 bytes)
Jun 11 16:40:29 remote charon: 13[ENC] <con1|1> parsed IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]
Jun 11 16:40:29 remote charon: 13[ENC] <con1|1> generating IKE_AUTH response 3 [ EAP/REQ/MSCHAPV2 ]
Jun 11 16:40:29 remote charon: 13[NET] <con1|1> sending packet: from 205.200.228.1564500 to 99.241.214.20241486 (132 bytes)
Jun 11 16:40:29 remote charon: 13[NET] <con1|1> received packet: from 99.241.214.20241486 to 205.200.228.1564500 (68 bytes)
Jun 11 16:40:29 remote charon: 13[ENC] <con1|1> parsed IKE_AUTH request 4 [ EAP/RES/MSCHAPV2 ]
Jun 11 16:40:29 remote charon: 13[IKE] <con1|1> EAP method EAP_MSCHAPV2 succeeded, MSK established

Not 100% certain it's a bug, but looks like one from here. I'm not 100% sure the RADIUS server is configured correctly, but if not, I would hope to get more useful output than "failed to load". All the Google hits are about strongSwan (duh...) and all of them refer to not having the correct modules built. But it's already loaded.

Confused.
