opnsense / core

OPNsense GUI, API and systems backend
https://opnsense.org/
BSD 2-Clause "Simplified" License

Local Authentication for IPsec Mobile Client VPN with EAP-MSCHAPV2 Fails #4613

Closed c0nsumer closed 3 years ago

c0nsumer commented 3 years ago

Note: This issue may be similar to 4438, but I have more information.

Describe the bug

I have created and set up an IPsec VPN for mobile clients with EAP-MSCHAPV2 authentication. Authentication fails for local users who appear like they should have access.

To Reproduce

  1. Create a local user in OPNsense with a PSK defined, and make them a member of a group called 'vpn'.
  2. Enable IPsec Mobile Client Support and set Enforce local group to the 'vpn' group.
  3. Set up an IPsec tunnel for the mobile clients to use, with EAP-MSCHAPV2 for authentication on Phase 1.
  4. Attempt to connect and authentication will fail. Something akin to this will be logged in the IPsec Log File: 2021-01-17T21:54:00 | charon[56124] | 09[IKE] <con1|19> no EAP key found for hosts 'CN=blah.example.com' - 'username'

Expected behavior

I would expect that a user in the 'vpn' group would have access to the IPsec Mobile Client connection using its password via EAP-MSCHAPV2.

Additional context

In /usr/local/etc/ipsec.secrets I found the username listed, but with a PSK. This appears to be why EAP was failing. If I manually add an entry (e.g. username : EAP "password") and reload the secrets (ipsec reload) then authentication succeeds.

If I delete the user from OPNsense and create Pre-Shared Key under IPsec with the username as Identifier, password as Pre-Shared Key and Type as EAP then authentication will succeed.

A few extra notes:

Environment

OPNsense 20.7.7_1-amd64 FreeBSD 12.1-RELEASE-p11-HBSD OpenSSL 1.1.1i 8 Dec 2020
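The mismatch described above (a user present in ipsec.secrets only as a PSK entry while charon looks for an EAP secret) can be checked directly from the file. The following is an added example, not code from this issue or from OPNsense; the ipsec.secrets content is constructed, and the parser is a simplified reading of the strongSwan `selectors : TYPE secret` line format.

```python
"""Find identities in a strongSwan ipsec.secrets file that have no EAP secret.

Such identities are exactly the ones EAP-MSCHAPv2 rejects with
'no EAP key found', even when they have a PSK entry.
"""
import re

# Constructed sample in the ipsec.secrets format; not a real OPNsense file.
SAMPLE_SECRETS = """\
# selectors : TYPE secret
: RSA server.key
%any %any : PSK "site-to-site-shared"
alice : PSK "alice-psk-from-user-manager"
bob : EAP "bob-password"
carol : PSK "carol-psk"
carol : EAP "carol-password"
"""

# One entry per line: optional selectors, a colon, the secret type, the secret.
LINE_RE = re.compile(r'^(?P<sel>[^:]*):\s*(?P<type>[A-Za-z0-9]+)\s*(?P<secret>.*)$')


def parse_secrets(text):
    """Return a list of (selectors, type, secret) tuples, one per entry."""
    entries = []
    for raw in text.splitlines():
        # Simplification: a '#' inside a quoted secret would also be cut here.
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable ipsec.secrets line: {raw!r}")
        entries.append((m.group('sel').split(), m.group('type').upper(),
                        m.group('secret').strip()))
    return entries


def secret_types_for(entries, identity):
    """Secret types that apply to `identity`: explicit match or a %any wildcard."""
    return {stype for selectors, stype, _ in entries
            if identity in selectors or '%any' in selectors}


def identities_missing_eap(entries):
    """Named identities (wildcards excluded) with no EAP secret, sorted."""
    named = {s for selectors, _, _ in entries for s in selectors
             if not s.startswith('%')}
    return sorted(i for i in named if 'EAP' not in secret_types_for(entries, i))
```

Running `identities_missing_eap(parse_secrets(SAMPLE_SECRETS))` reports only `alice`, the user that exists with a PSK but would fail EAP-MSCHAPv2 authentication.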

AdSchellevis commented 3 years ago

eap-mschapv2 authentication has no direct relation with user management as far as I know (it needs the raw password to work), see https://docs.opnsense.org/manual/how-tos/ipsec-rw-srv-mschapv2.html#step-4-add-ipsec-users

At first glance the system works as described in this case. (The only confusing part is that you can still set a PSK under the user; we should probably migrate those into the PSK option at some time to avoid confusion.)

c0nsumer commented 3 years ago

Ahhhhh, got it. Because of how things were listed it looked like it should work, especially as many clients consider the EAP-MSCHAPV2 credentials a username/password and not a PSK. But I can also see how it is that.

Sounds like if I want a more traditional username/password then I need to use RADIUS as an intermediary.

Thanks!

AdSchellevis commented 3 years ago

close issue?

c0nsumer commented 3 years ago

Sorry! Sure, closed.