
I want to use ibsng (on centos 6) as a Radius server and manage my strongswan accounts (on centos 7).

https://wiki.strongswan.org/projects/strongswan/wiki/EapRadius

I made these settings and set up the IP server and secret.

ibsng (centos 6): https://sourceforge.net/projects/ibs/files/IBSng/

In ibsng, I created a new ras with this type of "pppd"

And I gave him the strongswan and secret server IP (which is the client).

Now when I want to login with a username and password, I get an error 691 from the Windows connection and it doesn't connect.

But I see a successful user connection log in ibsng.

He writes the same in strongswan logs:

    05 [ENC] parsed IKE_AUTH request 2 [EAP / RES / ID]
    05 [IKE] received EAP identity 'test55'
    05 [CFG] sending RADIUS Access-Request to server 'server-a'
    05 [CFG] received RADIUS Access-Accept from server 'server-a'
    05 [IKE] RADIUS authentication of 'test55' failed
    05 [IKE] initiating EAP_RADIUS method failed
    05 [ENC] generating IKE_AUTH response 2 [EAP / FAIL]

I attached a complete log file called charon.log. The strongswan settings file is attached with the same name, as well as the ipsec settings.

ibsng:

In ibsng, the user is logged in successfully and is displayed in the online users section for a few seconds or minutes!

But also in the ibsng log an error is recorded

Ibsng error:

IBSException: Attribute Acct-Output-Octets not found in request packet

(One of the most important errors, which was logged in the ibs_error log file; of course, this error log is not currently included in the attached file.)

One thing I found out for myself is that this Attribute Acct-Output-Octets request is not existing from the ikev2 client (strongswan) side, and ibs gives an error and throws an exception, so the answer to the successful login is not sent to the strongswan client!

Important note:

I connected the same strongswan server to freeradius and it worked properly with the daloRADIUS web interface!

But I want to use ibsng as a radius server.

  • Unless IBSng implements EAP via RADIUS, you won't be able to authenticate any IKEv2 clients. Also, the Acct-Output-Octets attribute is only sent in RADIUS Accounting messages (there is an [overview](https://wiki.strongswan.org/projects/strongswan/wiki/EapRadius#Attributes-sent-to-RADIUS-servers) on the strongSwan wiki). – ecdsa May 19 '20 at 15:44
  • Thank you. Do you know how I can send a custom RADIUS attribute from strongswan to the RADIUS server? https://wiki.strongswan.org/projects/strongswan/wiki/EAPRadius#Arbitrary-RADIUS-attribute-forwarding `forward { ike_to_radius = Reply-Message, 11 radius_to_ike = 36906:12 }` I found the above setting, but I don't know how to use it. For example, I want to set the attribute NAS-Port-Type with value , how do I do it? – user3652881 May 19 '20 at 20:44
  • That forwarding is from client to RADIUS server (first via IKE then via RADIUS), so that's something proprietary and probably not what you want. NAS-Port-Type is already sent (as you can see in the list), the value can't be changed without patching the _eap-radius_ plugin. – ecdsa May 20 '20 at 09:38
  • Yes, I see that list, but I think my server needs a specific attribute. Anyway, thank you very much. – user3652881 May 20 '20 at 14:40
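
The point in ecdsa's first comment, as an added example (not code from this thread, strongSwan or IBSng): for EAP over RADIUS (RFC 3579) an Access-Accept is expected to carry an EAP-Message with EAP-Success and a valid Message-Authenticator, and this sketch checks a captured reply for both. The function names, sample packets and shared secret are constructed for illustration.

```python
import hashlib, hmac, struct

ACCESS_ACCEPT, EAP_MESSAGE, MESSAGE_AUTHENTICATOR, EAP_SUCCESS = 2, 79, 80, 3

def parse_attrs(packet):
    """Split a RADIUS packet (RFC 2865) into (code, [(type, value_offset, value)])."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length != len(packet):
        raise ValueError("bad RADIUS length field")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute")
        alen = packet[pos + 1]
        attrs.append((packet[pos], pos + 2, packet[pos + 2:pos + alen]))
        pos += alen
    return code, attrs

def check_eap_accept(packet, request_auth, secret):
    """Return the reasons this reply cannot complete an EAP-over-RADIUS login."""
    code, attrs = parse_attrs(packet)
    problems = [] if code == ACCESS_ACCEPT else ["not an Access-Accept"]
    eap = b"".join(v for t, _, v in attrs if t == EAP_MESSAGE)
    if not eap:
        problems.append("no EAP-Message attribute")
    elif eap[0] != EAP_SUCCESS:
        problems.append("EAP-Message is not EAP-Success")
    mas = [(off, v) for t, off, v in attrs if t == MESSAGE_AUTHENTICATOR]
    if len(mas) != 1 or len(mas[0][1]) != 16:
        problems.append("no valid Message-Authenticator attribute")
    else:
        # RFC 3579: HMAC-MD5 over the reply with the Request Authenticator in the
        # authenticator field and the Message-Authenticator value zeroed.
        off, value = mas[0]
        data = packet[:4] + request_auth + packet[20:off] + bytes(16) + packet[off + 16:]
        if not hmac.compare_digest(hmac.new(secret, data, "md5").digest(), value):
            problems.append("Message-Authenticator mismatch")
    return problems

def build_accept(ident, request_auth, secret, with_eap):
    """Constructed sample replies: a bare accept or an EAP-Success accept."""
    attrs = b""
    if with_eap:
        attrs = bytes([EAP_MESSAGE, 6]) + struct.pack("!BBH", EAP_SUCCESS, 1, 4)
        attrs += bytes([MESSAGE_AUTHENTICATOR, 18]) + bytes(16)
        head = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
        attrs = attrs[:-16] + hmac.new(secret, head + request_auth + attrs, "md5").digest()
    head = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    return head + hashlib.md5(head + request_auth + attrs + secret).digest() + attrs
```

To use it on real traffic, pass the raw UDP payload of the reply together with the 16-byte Request Authenticator from the matching Access-Request; an empty list means the reply has the shape an EAP client needs.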
