Closed c0nsumer closed 3 years ago
eap-mschapv2 authentication has no direct relation with user management as far as I know (it needs the raw password to work), see https://docs.opnsense.org/manual/how-tos/ipsec-rw-srv-mschapv2.html#step-4-add-ipsec-users
At a first glance the system works as described in this case. (The only confusing part is that you can still set a PSK under the user; we should probably migrate those into the PSK option at some time to avoid confusion.)
Ahhhhh, got it. Because of how things were listed it looked like it should work, especially as many clients consider the EAP-MSCHAPV2 credentials a username/password and not a PSK. But I can also see how it is that.
Sounds like if I want something more traditional username/password then I need to use RADIUS as an intermediary.
Thanks!
close issue?
Sorry! Sure, closed.
Note: This issue may be similar to 4438, but I have more information.
Describe the bug
I have created and set up an IPsec VPN for mobile clients with EAP-MSCHAPV2 authentication. Authentication fails for local users who appear like they should have access.
To Reproduce
`2021-01-17T21:54:00 | charon[56124] | 09[IKE] <con1|19> no EAP key found for hosts 'CN=blah.example.com' - 'username'`
Expected behavior
I would expect that a user in the 'vpn' group would have access to the IPsec Mobile Client connection using its password via EAP-MSCHAPV2.
Additional context
In `/usr/local/etc/ipsec.secrets` I found the username listed, but with a PSK. This appears to be why EAP was failing. If I manually add an entry (eg: `username : EAP "password"`) and reload the secrets (`ipsec reload`) then authentication succeeds. If I delete the user from OPNsense and create a Pre-Shared Key under IPsec with the username as Identifier, password as Pre-Shared Key and Type as EAP then authentication will succeed.
A few extra notes:
`/usr/local/etc/ipsec.secrets`
.) `/usr/local/etc/ipsec.secrets` and authentication will still fail.

Environment
OPNsense 20.7.7_1-amd64 FreeBSD 12.1-RELEASE-p11-HBSD OpenSSL 1.1.1i 8 Dec 2020
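An added example (not OPNsense or strongSwan code) that parses the ipsec.secrets syntax the issue turns on and flags EAP-MSCHAPv2 users that only have a PSK entry, which is the state behind the "no EAP key found for hosts" log line; the sample file, user names and key file name are constructed.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in strongSwan ipsec.secrets syntax, modelled on the issue:
# 'username' was written out with a PSK although the mobile-client connection
# authenticates it with EAP-MSCHAPv2, so charon finds no EAP key for it.
SAMPLE_SECRETS = """
# server key for CN=blah.example.com
: RSA blah.example.com.key
username : PSK "s3cret"
alice : EAP "wonderland"
%any : PSK 0s2p6aGhlcmU=
"""

# optional selectors, ' : ' with spaces (so IPv6 selectors split right), TYPE, secret
ENTRY_RE = re.compile(
    r'^(?:(?P<ids>\S.*?)\s+)?:\s+(?P<type>[A-Za-z0-9]+)\s+(?P<secret>\S.*?)\s*$')

def parse_secrets(text: str) -> List[Tuple[List[str], str, str]]:
    """Return (selectors, TYPE, secret) per entry; [] selectors means 'any'.
    Only whole-line '#' comments are skipped, so '#' inside a secret survives."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#') or line.startswith('include '):
            continue
        m = ENTRY_RE.match(line)
        if not m:  # tolerate lines this simple parser does not model
            continue
        ids = (m.group('ids') or '').split()
        entries.append((ids, m.group('type').upper(), m.group('secret')))
    return entries

def eap_audit(text: str, eap_users: List[str]) -> Dict[str, str]:
    """'ok' when an EAP secret can match the user, otherwise what the file holds
    instead; 'no EAP secret (found: PSK)' is the issue's failing state."""
    entries = parse_secrets(text)
    report = {}
    for user in eap_users:
        specific = [t for ids, t, _ in entries if user in ids]
        wildcard_eap = any(t == 'EAP' and (not ids or '%any' in ids)
                           for ids, t, _ in entries)
        if 'EAP' in specific or wildcard_eap:
            report[user] = 'ok'
        elif specific:
            report[user] = 'no EAP secret (found: %s)' % ', '.join(sorted(set(specific)))
        else:
            report[user] = 'no entry'
    return report
```

Running `eap_audit` over the real file with the members of the 'vpn' group lists, before charon does, which accounts will hit the "no EAP key found" error.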