Hi cshsysadmin,
>>Explicit Eap failure received
There are many reasons that could cause “Explicit EAP failure received”. Usually we first collect the wireless logs by enabling logging with the commands “netsh ras set tracing * enable” and “netsh wlan set tracing mode=yes” at the client when the issue is reproduced, and then analyze the entries in the corresponding log file. Please post the complete logs to us; it will be helpful for analysis.
>>I did notice her pc certificate is pointing to our old certificate authority but has not expired. Could it be a certificate issue?
It could be. Please try to issue her a certificate from the server you are using.
In addition, which authentication methods did you set in the network or connection request policies that you defined on the NPS server? What OS is running on the client?
Here are some links for your reference:
A Support Guide for Wireless Diagnostics and Troubleshooting
http://technet.microsoft.com/en-us/library/bb457018.aspx
Authentication Problem on a 802.1x Wireless Network
http://blogs.technet.com/b/yuridiogenes/archive/2008/04/18/authentication-problem-on-a-802-1x-wireless-network.aspx
Best Regards,
Cartman
Please remember to mark the replies as answers if they help and unmark them if they provide
no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.
-
Marked as answer by
rdprice_cshco.com
March 28, 2016, 3:24 PM
I’m back on this now that Christmas is out of the way.
I had some default policies still enabled on my 2016 NPS Server, which I’ve disabled. They were:
Connection Request Policies > Use Windows authentication for all users.
Network Policies > Connections to other access servers.
Network Policies > Connections to Microsoft Routing and Remote Access server.
With those 3 disabled, I’m no longer getting the following Information level event logged in Event Viewer:
Reason code: 66
Reason: The user attempted to use an authentication method that is not enabled on the matching network policy.
Instead, I am now getting:
Reason code: 48
Reason: The connection request did not match any configured network policy.
I have 3 conditions set for the Staff WiFi Network Policy:
Condition: NAS Port Type, Value: Wireless — IEEE 802.11 OR Wireless — Other
Condition: User Groups, Value: MYDOMAIN\Meraki Staff Group
Condition: Machine Groups, Value: MYDOMAIN\Meraki Computer Group
The laptop I’m testing on is a member of the Meraki Computer Group, and the user account I’m logged on with belongs to the Meraki Staff Group.
I get a ‘Reason Code: 48’ event logged twice each time I try to connect; first for the user, then 10 seconds later for the machine:
————————————————————————————————————-
Network Policy Server denied access to a user.
Contact the Network Policy Server administrator for more information.
User:
Security ID: MYDOMAIN\ElectroDan
Account Name: MYDOMAIN\ElectroDan
Account Domain: MYDOMAIN
Fully Qualified Account Name: MYDOMAIN\ElectroDan
Client Machine:
Security ID: NULL SID
Account Name: —
Fully Qualified Account Name: —
Called Station Identifier: 9A-15-54-AB-52-67:Radius_Test
Calling Station Identifier: 84-3A-4B-56-F4-5C
NAS:
NAS IPv4 Address: 10.99.108.26
NAS IPv6 Address: —
NAS Identifier: —
NAS Port-Type: Wireless — IEEE 802.11
NAS Port: —
RADIUS Client:
Client Friendly Name: Meraki — Purchasing
Client IP Address: 10.99.108.26
Authentication Details:
Connection Request Policy Name: WiFi_Staff
Network Policy Name: —
Authentication Provider: Windows
Authentication Server: DC03.mydomain.local
Authentication Type: EAP
EAP Type: —
Account Session Identifier: 41413346334133424138354636383335
Logging Results: Accounting information was written to the local log file.
Reason Code: 48
Reason: The connection request did not match any configured network policy.
————————————————————————————————————-
Network Policy Server denied access to a user.
Contact the Network Policy Server administrator for more information.
User:
Security ID: MYDOMAIN\ITSPARE01$
Account Name: host/ITSPARE01.mydomain.local
Account Domain: MYDOMAIN
Fully Qualified Account Name: MYDOMAIN\ITSPARE01$
Client Machine:
Security ID: NULL SID
Account Name: —
Fully Qualified Account Name: —
Called Station Identifier: 9A-15-54-AB-56-2D:Radius_Test
Calling Station Identifier: 84-3A-4B-56-F4-5C
NAS:
NAS IPv4 Address: 10.99.108.25
NAS IPv6 Address: —
NAS Identifier: —
NAS Port-Type: Wireless — IEEE 802.11
NAS Port: —
RADIUS Client:
Client Friendly Name: Meraki — Accounts
Client IP Address: 10.99.108.25
Authentication Details:
Connection Request Policy Name: WiFi_Staff
Network Policy Name: —
Authentication Provider: Windows
Authentication Server: DC03.mydomain.local
Authentication Type: EAP
EAP Type: —
Account Session Identifier: 41433342464337434233394535444334
Logging Results: Accounting information was written to the local log file.
Reason Code: 48
Reason: The connection request did not match any configured network policy.
————————————————————————————————————-
A couple of things I’ve noticed.
1) The machine account (MYDOMAIN\ITSPARE01$) is being listed in the User section, and the Client Machine section is empty.
2) The second entry (for MYDOMAIN\ITSPARE01$) is registering via a different AP (Meraki — Accounts). Both APs are within range of my test laptop.
Fun.
Not.
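As an added example (not part of the thread), a small Python triage of NPS event 6273 text like the two entries above: it parses the flat "Key: Value" dump into sections, separates user from machine authentication, and groups attempts per client MAC so the reason codes and the RADIUS clients (APs) involved are visible at a glance. The sample events are abridged, constructed copies of the two entries in the post.

```python
from collections import defaultdict

# Constructed samples: the two 6273 events above, abridged to the fields used here.
SAMPLE_EVENTS = ["""\
Network Policy Server denied access to a user.
User:
Security ID: MYDOMAIN\\ElectroDan
Client Machine:
Security ID: NULL SID
Called Station Identifier: 9A-15-54-AB-52-67:Radius_Test
Calling Station Identifier: 84-3A-4B-56-F4-5C
NAS:
NAS IPv4 Address: 10.99.108.26
RADIUS Client:
Client Friendly Name: Meraki - Purchasing
Authentication Details:
Network Policy Name: -
EAP Type: -
Reason Code: 48
""", """\
Network Policy Server denied access to a user.
User:
Security ID: MYDOMAIN\\ITSPARE01$
Account Name: host/ITSPARE01.mydomain.local
Client Machine:
Security ID: NULL SID
Called Station Identifier: 9A-15-54-AB-56-2D:Radius_Test
Calling Station Identifier: 84-3A-4B-56-F4-5C
NAS:
NAS IPv4 Address: 10.99.108.25
RADIUS Client:
Client Friendly Name: Meraki - Accounts
Authentication Details:
Network Policy Name: -
EAP Type: -
Reason Code: 48
"""]

SECTIONS = {"User", "Client Machine", "NAS", "RADIUS Client", "Authentication Details"}


def parse_event(text):
    """Turn the flat 'Key: Value' lines of one event into {section: {field: value}}."""
    event = defaultdict(dict)
    section = "General"
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith(":") and line[:-1] in SECTIONS:
            section = line[:-1]                     # header such as 'Client Machine:'
            continue
        key, sep, value = line.partition(": ")      # split on the first ': ' only;
        if sep:                                     # station IDs contain ':' too
            event[section][key] = value
    return dict(event)


def classify(event):
    """Reduce one event to the facts a defender triages on."""
    user = event.get("User", {})
    machine = event.get("Client Machine", {})
    auth = event.get("Authentication Details", {})
    sid, name = user.get("Security ID", ""), user.get("Account Name", "")
    return {
        "identity": sid,
        # Computer accounts end in '$' (or show as a host/ SPN): this is a machine
        # authentication even though it is logged under 'User'.
        "kind": "machine" if sid.endswith("$") or name.startswith("host/") else "user",
        "machine_section_empty": machine.get("Security ID") == "NULL SID",
        "station": machine.get("Calling Station Identifier"),
        "radius_client": event.get("RADIUS Client", {}).get("Client Friendly Name"),
        "network_policy": auth.get("Network Policy Name"),
        "eap_type": auth.get("EAP Type"),
        "reason_code": int(auth.get("Reason Code", "-1")),
    }


def triage(texts):
    """Group attempts per client MAC: reason codes, user vs machine, relaying APs."""
    by_station = defaultdict(list)
    for text in texts:
        r = classify(parse_event(text))
        by_station[r["station"]].append(r)
    report = {}
    for station, attempts in by_station.items():
        report[station] = {
            "attempts": len(attempts),
            "kinds": [a["kind"] for a in attempts],
            "reason_codes": sorted({a["reason_code"] for a in attempts}),
            # Reason 48 with Network Policy '-' and EAP Type '-': no network policy
            # matched, so no EAP method was selected and certificates are not yet
            # in play; the policy conditions are the first place to look.
            "policy_matched": any(a["network_policy"] != "-" for a in attempts),
            "eap_negotiated": any(a["eap_type"] != "-" for a in attempts),
            "distinct_radius_clients": sorted({a["radius_client"] for a in attempts}),
        }
    return report
```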
I am trying to get NPS (running on Windows Server 2008 R2) set up as a RADIUS server to authenticate my wireless clients (running Windows 7 Enterprise). When attempting this, I get the following in the event log on the DC/NPS:
— System
— Provider
[ Name] Schannel
[ Guid] {1F678132-5938-4686-9FDC-C8FF68F15C85}
EventID 36888
Version 0
Level 2
Task 0
Opcode 0
Keywords 0x8000000000000000
— TimeCreated
[ SystemTime] 2009-08-17T20:27:15.913829000Z
EventRecordID 136791
Correlation
— Execution
[ ProcessID] 540
[ ThreadID] 1748
Channel System
Computer DOMAINCONTROLLER.domain
— Security
[ UserID] S-1-5-18
— EventData
AlertDesc 20
ErrorState 960
And the following in the NPS log:
"DOMAINCONTROLLER","IAS",08/18/2009,09:13:28,1,"DOMAIN\USER","DOMAIN\user","001c1011af08","001bfcb1bd23",,,"001c1011af08","WAP IP",47,0,"WAP IP","WAP Hostname",,,19,,,,11,"Secure Wireless Connections",0,"311 1 DOMAINCONTROLLERIP 08/17/2009 16:55:48 120",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"Secure Wireless Connections",1,,,,
"DOMAINCONTROLLER","IAS",08/18/2009,09:13:28,3,,"DOMAIN\user",,,,,,,,0,"WAP IP","WAP Hostname",,,,,,,11,"Secure Wireless Connections",23,"311 1 DOMAINCONTROLLERIP 08/17/2009 16:55:48 120",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"Secure Wireless Connections",1,,,,
And the following in the client security log:
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 8/18/2009 9:13:28 AM
Event ID: 5632
Task Category: Other Logon/Logoff Events
Level: Information
Keywords: Audit Failure
User: N/A
Computer: LAPTOP.domain
Description:
A request was made to authenticate to a wireless network.
Subject:
Security ID: DOMAIN\user
Account Name: user
Account Domain: DOMAIN
Logon ID: 0x23e79
Network Information:
Name (SSID): DOMAIN-wlan
Interface GUID: {90952a3d-ac07-4f0d-9598-50afdea22da8}
Local MAC Address: 00:1B:FC:B1:BD:23
Peer MAC Address: 00:1C:10:11:AF:08
Additional Information:
Reason Code: Explicit Eap failure received (0x50005)
Error Code: 0x0
EAP Reason Code: 0x0
EAP Root Cause String:
EAP Error Code: 0x0
The client is receiving the root certificate that has an intended purpose of <All> according to the certificate MMC snap-in. Is there some other kind of certificate I need to issue, and if so, how? Also, if I’m reading the NPS log correctly I’m getting authentication type 11 and Result Code 23 neither of which show up in http://technet.microsoft.com/en-us/library/cc771748%28WS.10%29.aspx.
Very confused.
[SOLVED | See edit #2]
I saw another user have that issue on their school network back on build 10240, but I’m seeing it happen to me on the new fast ring build, 10565. Can anyone else confirm this? My event viewer is riddled with these errors after failing to connect:
Authentication failed for EAP method type 25. The error was 0x54F
and
EapHostPeerGetResult returned a failure.
Eap Method Friendly Name: Microsoft: Protected EAP (PEAP)
Reason code: 0
Root Cause String: NULL
Repair String: NULL
The guest network is fine, since there’s no authentication (obviously)
Is there a fix for this somewhere or will I have to resort to using ethernet/guest networking for the while?
(I hope MS fixes this soon… this is enterprise-breaking levels of bad)
Edit: Posted in the wrong sub, can someone help me fix this please? Made a new post linking to here for now: https://www.reddit.com/r/windowsinsiders/comments/3ort8f/8021x_peap_is_broken_with_wpa2enterprise_windows10/
Edit #2: I GOT IT! A Software Lead Designer at MS contacted me and he walked through the issue. The fix was to add a registry key:
reg add HKLM\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP\13 /v TlsVersion /t REG_DWORD /d 0xc0
Following that, restart and try connecting again. Hopefully this helps someone else.
Despite following a tutorial on how to get Strongswan to run on my Ubuntu machine, I am unable to get it to work on my Debian machine. I replicated all the steps from the tutorial except the firewall configuration at the bottom, which I omitted as it is not available on my server.
Upon attempting to establish a connection to my server, an error message indicating incorrect user data is displayed. Despite creating and installing three unique certificates and testing various user credentials, the same error message persists. I am uncertain of what error I am committing.
I assigned "My Debian Server IP" to the variable name MYIPADDRESS. Additionally, to differentiate each of the cert files I generated, I included the suffix "-vpn2" in their names.
ipsec statusall:
Status of IKE charon daemon (strongSwan 5.5.1, Linux 3.10.0-957.1.3.el7.x86_64, x86_64):
uptime: 42 seconds, since Sep 23 03:30:26 2019
malloc: sbrk 2699264, mmap 0, used 455168, free 2244096
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 1
loaded plugins: charon aesni aes rc2 sha2 sha1 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark stroke updown
Virtual IP pools (size/online/offline):
10.10.10.0/24: 254/0/0
Listening IP addresses:
MYIPADDRESS
Connections:
ikev2-vpn: %any...%any IKEv2, dpddelay=300s
ikev2-vpn: local: [MYIPADDRESS] uses public key authentication
ikev2-vpn: cert: "CN=MYIPADDRESS"
ikev2-vpn: remote: uses EAP_MSCHAPV2 authentication with EAP identity '%any'
ikev2-vpn: child: 0.0.0.0/0 === dynamic TUNNEL, dpdaction=clear
Security Associations (0 up, 0 connecting):
none
ipsec.secrets:
# This file holds shared secrets or RSA private keys for authentication.
# RSA private key for this host, authenticating it to any other host
# which knows the public part.
# this file is managed with debconf and will contain the automatically created $
#include /var/lib/strongswan/ipsec.secrets.inc
: RSA "server-key-vpn2.pem"
user1 : EAP "hallo1234"
user2 : EAP "hallo1234"
ipsec.conf:
config setup
    charondebug="ike 1, knl 1, cfg 2"
    uniqueids=no
conn ikev2-vpn
    auto=add
    compress=no
    type=tunnel
    keyexchange=ikev2
    fragmentation=yes
    forceencaps=yes
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=%any
    leftid=MYIPADDRESS
    leftcert=server-cert-vpn2.pem
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    right=%any
    rightid=%any
    rightauth=eap-mschapv2
    rightsourceip=10.10.10.0/24
    rightdns=8.8.8.8,8.8.4.4
    rightsendcert=never
    eap_identity=%identity
Exported cert:
cat /etc/ipsec.d/cacerts/ca-cert-vpn2.pem
The record retrieved is from the strongSwan Android app, which was used by a user with the username "user2" and the password "hallo1234".
Sep 23 09:43:37 00[DMN] +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Sep 23 09:43:37 00[DMN] Starting IKE service (strongSwan 5.8.0dr2, Android 9 - PKQ1.181121.001/2019-08-01, Mi 9T Pro - Xiaomi/raphael_eea/Xiaomi, Linux 4.14.83-perf-g7723fb1, aarch64)
Sep 23 09:43:37 00[LIB] loaded plugins: androidbridge charon android-log openssl fips-prf random nonce pubkey chapoly curve25519 pkcs1 pkcs8 pem xcbc hmac socket-default revocation eap-identity eap-mschapv2 eap-md5 eap-gtc eap-tls x509
Sep 23 09:43:37 00[JOB] spawning 16 worker threads
Sep 23 09:43:37 07[IKE] initiating IKE_SA android[15] to MYIPADDRESS
Sep 23 09:43:37 07[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Sep 23 09:43:37 07[NET] sending packet: from 10.105.74.60[44288] to MYIPADDRESS[500] (716 bytes)
Sep 23 09:43:37 10[NET] received packet: from MYIPADDRESS[500] to 10.105.74.60[44288] (38 bytes)
Sep 23 09:43:37 10[ENC] parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
Sep 23 09:43:37 10[IKE] peer didn't accept DH group ECP_256, it requested MODP_3072
Sep 23 09:43:37 10[IKE] initiating IKE_SA android[15] to MYIPADDRESS
Sep 23 09:43:37 10[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Sep 23 09:43:37 10[NET] sending packet: from 10.105.74.60[44288] to MYIPADDRESS[500] (1036 bytes)
Sep 23 09:43:38 12[NET] received packet: from MYIPADDRESS[500] to 10.105.74.60[44288] (592 bytes)
Sep 23 09:43:38 12[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
Sep 23 09:43:38 12[CFG] selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072
Sep 23 09:43:38 12[IKE] local host is behind NAT, sending keep alives
Sep 23 09:43:38 12[IKE] remote host is behind NAT
Sep 23 09:43:38 12[IKE] sending cert request for "CN=VPN root CA"
Sep 23 09:43:38 12[IKE] establishing CHILD_SA android{15}
Sep 23 09:43:38 12[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ CPRQ(ADDR ADDR6 DNS DNS6) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Sep 23 09:43:38 12[NET] sending packet: from 10.105.74.60[45106] to MYIPADDRESS[4500] (464 bytes)
Sep 23 09:43:38 08[NET] received packet: from MYIPADDRESS[4500] to 10.105.74.60[45106] (96 bytes)
Sep 23 09:43:38 08[ENC] parsed IKE_AUTH response 1 [ IDr EAP/FAIL ]
Sep 23 09:43:38 08[IKE] received EAP_FAILURE, EAP authentication failed
Sep 23 09:43:38 08[ENC] generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
Sep 23 09:43:38 08[NET] sending packet: from 10.105.74.60[45106] to MYIPADDRESS[4500] (80 bytes)
Edit:
I just tried this command:
ipsec up ikev2-vpn
unable to resolve %any, initiate aborted
tried to checkin and delete nonexisting IKE_SA
establishing connection 'ikev2-vpn' failed
cat /var/log/syslog
Sep 23 04:17:42 Minecraft charon: 07[NET] received packet: from 195.37.108.234[38454] to MYIPADDRESS[500] (716 bytes)
Sep 23 04:17:42 Minecraft charon: 07[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Sep 23 04:17:42 Minecraft charon: 07[IKE] 195.37.108.234 is initiating an IKE_SA
Sep 23 04:17:42 Minecraft charon: 07[IKE] remote host is behind NAT
Sep 23 04:17:42 Minecraft charon: 07[IKE] DH group ECP_256 inacceptable, requesting MODP_3072
Sep 23 04:17:42 Minecraft charon: 07[ENC] generating IKE_SA_INIT response 0 [ N(INVAL_KE) ]
Sep 23 04:17:42 Minecraft charon: 07[NET] sending packet: from MYIPADDRESS[500] to 195.37.108.234[38454] (38 bytes)
Sep 23 04:17:42 Minecraft charon: 16[NET] received packet: from 195.37.108.234[38454] to MYIPADDRESS[500] (1036 bytes)
Sep 23 04:17:42 Minecraft charon: 16[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Sep 23 04:17:42 Minecraft charon: 16[IKE] 195.37.108.234 is initiating an IKE_SA
Sep 23 04:17:42 Minecraft charon: 16[IKE] remote host is behind NAT
Sep 23 04:17:42 Minecraft charon: 16[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
Sep 23 04:17:42 Minecraft charon: 16[NET] sending packet: from MYIPADDRESS[500] to 195.37.108.234[38454] (592 bytes)
Sep 23 04:17:42 Minecraft charon: 05[NET] received packet: from 195.37.108.234[41118] to MYIPADDRESS[4500] (464 bytes)
Sep 23 04:17:42 Minecraft charon: 05[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ CPRQ(ADDR ADDR6 DNS DNS6) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Sep 23 04:17:42 Minecraft charon: 05[IKE] received cert request for "CN=VPN root CA"
Sep 23 04:17:42 Minecraft charon: 05[CFG] looking for peer configs matching MYIPADDRESS[%any]...195.37.108.234[user]
Sep 23 04:17:42 Minecraft charon: 05[CFG] selected peer config 'ikev2-vpn'
Sep 23 04:17:42 Minecraft charon: 05[IKE] EAP-Identity request configured, but not supported
Sep 23 04:17:42 Minecraft charon: 05[IKE] loading EAP_MSCHAPV2 method failed
Sep 23 04:17:42 Minecraft charon: 05[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Sep 23 04:17:42 Minecraft charon: 05[IKE] peer supports MOBIKE
Sep 23 04:17:42 Minecraft charon: 05[ENC] generating IKE_AUTH response 1 [ IDr EAP/FAIL ]
Sep 23 04:17:42 Minecraft charon: 05[NET] sending packet: from MYIPADDRESS[4500] to 195.37.108.234[41118] (96 bytes)
cat /var/log/auth.log
Sep 23 03:55:13 Minecraft ipsec_starter[25750]: Starting strongSwan 5.5.1 IPsec [starter]...
Sep 23 03:55:13 Minecraft ipsec_starter[25750]: charon is already running (/var/run/charon.pid exists) -- skipping daemon start
Sep 23 03:55:13 Minecraft ipsec_starter[25750]: no netkey IPsec stack detected
Sep 23 03:55:13 Minecraft ipsec_starter[25750]: no KLIPS IPsec stack detected
Sep 23 03:55:13 Minecraft ipsec_starter[25750]: no known IPsec stack detected, ignoring!
Sep 23 03:55:13 Minecraft ipsec_starter[25750]: starter is already running (/var/run/starter.charon.pid exists) -- no fork done
Sep 23 03:55:57 Minecraft charon: 04[IKE] 195.37.108.234 is initiating an IKE_SA
Sep 23 03:55:59 Minecraft charon: 15[IKE] 195.37.108.234 is initiating an IKE_SA
Sep 23 03:55:59 Minecraft charon: 06[IKE] 195.37.108.234 is initiating an IKE_SA
Sep 23 03:57:10 Minecraft charon: 12[IKE] 195.37.108.234 is initiating an IKE_SA
Sep 23 03:57:10 Minecraft charon: 11[IKE] 195.37.108.234 is initiating an IKE_SA
Sep 23 03:57:15 Minecraft charon: 16[IKE] 195.37.108.234 is initiating an IKE_SA
Sep 23 03:57:15 Minecraft charon: 05[IKE] 195.37.108.234 is initiating an IKE_SA
Sep 23 03:57:20 Minecraft charon: 06[IKE] 195.37.108.234 is initiating an IKE_SA
Sep 23 03:57:20 Minecraft charon: 10[IKE] 195.37.108.234 is initiating an IKE_SA
Sep 23 03:57:26 Minecraft charon: 12[IKE] 195.37.108.234 is initiating an IKE_SA
Sep 23 03:57:26 Minecraft charon: 11[IKE] 195.37.108.234 is initiating an IKE_SA
Sep 23 04:17:42 Minecraft charon: 07[IKE] 195.37.108.234 is initiating an IKE_SA
Sep 23 04:17:42 Minecraft charon: 16[IKE] 195.37.108.234 is initiating an IKE_SA
A line in the server log has been edited and it states:
At 04:17:42 on September 23rd, Minecraft’s charon reported a failure in loading the EAP_MSCHAPV2 method for authentication using IKE.
It appears to me that this is the cause. Does anyone have a solution to resolve this issue?
After editing, I modified the strongswan.conf file to include an additional line.
load = aes des sha1 sha2 md4 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-mschapv2 eap-identity updown
Upon loading the ipsec statusall, I observed the EAP_MSCHAPV2 plugin, however, my attempt to connect resulted in the following message appearing in my syslog.
Sep 23 05:03:44 Minecraft charon: 14[NET] received packet: from 195.37.108.234[46425] to MYIPADDRESS[500] (716 bytes)
Sep 23 05:03:44 Minecraft charon: 14[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Sep 23 05:03:44 Minecraft charon: 14[IKE] 195.37.108.234 is initiating an IKE_SA
Sep 23 05:03:44 Minecraft charon: 14[IKE] remote host is behind NAT
Sep 23 05:03:44 Minecraft charon: 14[IKE] DH group ECP_256 inacceptable, requesting MODP_3072
Sep 23 05:03:44 Minecraft charon: 14[ENC] generating IKE_SA_INIT response 0 [ N(INVAL_KE) ]
Sep 23 05:03:44 Minecraft charon: 14[NET] sending packet: from MYIPADDRESS[500] to 195.37.108.234[46425] (38 bytes)
Sep 23 05:03:44 Minecraft charon: 15[NET] received packet: from 195.37.108.234[46425] to MYIPADDRESS[500] (1036 bytes)
Sep 23 05:03:44 Minecraft charon: 15[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Sep 23 05:03:44 Minecraft charon: 15[IKE] 195.37.108.234 is initiating an IKE_SA
Sep 23 05:03:44 Minecraft charon: 15[IKE] remote host is behind NAT
Sep 23 05:03:44 Minecraft charon: 15[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
Sep 23 05:03:44 Minecraft charon: 15[NET] sending packet: from MYIPADDRESS[500] to 195.37.108.234[46425] (592 bytes)
Sep 23 05:03:44 Minecraft charon: 10[NET] received packet: from 195.37.108.234[39639] to MYIPADDRESS[4500] (464 bytes)
Sep 23 05:03:44 Minecraft charon: 10[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ CPRQ(ADDR ADDR6 DNS DNS6) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Sep 23 05:03:44 Minecraft charon: 10[IKE] received cert request for "CN=VPN root CA"
Sep 23 05:03:44 Minecraft charon: 10[CFG] looking for peer configs matching MYIPADDRESS[%any]...195.37.108.234[user1]
Sep 23 05:03:44 Minecraft charon: 10[CFG] selected peer config 'ikev2-vpn'
Sep 23 05:03:44 Minecraft charon: 10[IKE] initiating EAP_IDENTITY method (id 0x00)
Sep 23 05:03:44 Minecraft charon: 10[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Sep 23 05:03:44 Minecraft charon: 10[IKE] peer supports MOBIKE
Sep 23 05:03:44 Minecraft charon: 10[IKE] authentication of 'MYIPADDRESS' (myself) with RSA_EMSA_PKCS1_SHA2_384 successful
Sep 23 05:03:44 Minecraft charon: 10[IKE] sending end entity cert "CN=MYIPADDRESS"
Sep 23 05:03:44 Minecraft charon: 10[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
Sep 23 05:03:44 Minecraft charon: 10[ENC] splitting IKE message with length of 1920 bytes into 2 fragments
Sep 23 05:03:44 Minecraft charon: 10[ENC] generating IKE_AUTH response 1 [ EF(1/2) ]
Sep 23 05:03:44 Minecraft charon: 10[ENC] generating IKE_AUTH response 1 [ EF(2/2) ]
Sep 23 05:03:44 Minecraft charon: 10[NET] sending packet: from MYIPADDRESS[4500] to 195.37.108.234[39639] (1236 bytes)
Sep 23 05:03:44 Minecraft charon: 10[NET] sending packet: from MYIPADDRESS[4500] to 195.37.108.234[39639] (756 bytes)
Sep 23 05:03:44 Minecraft charon: 06[NET] received packet: from 195.37.108.234[39639] to MYIPADDRESS[4500] (80 bytes)
Sep 23 05:03:44 Minecraft charon: 06[ENC] parsed IKE_AUTH request 2 [ EAP/RES/ID ]
Sep 23 05:03:44 Minecraft charon: 06[IKE] received EAP identity 'user1'
Sep 23 05:03:44 Minecraft charon: 06[IKE] initiating EAP_MSCHAPV2 method (id 0xEC)
Sep 23 05:03:44 Minecraft charon: 06[ENC] generating IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
Sep 23 05:03:44 Minecraft charon: 06[NET] sending packet: from MYIPADDRESS[4500] to 195.37.108.234[39639] (112 bytes)
Sep 23 05:03:45 Minecraft charon: 04[NET] received packet: from 195.37.108.234[39639] to MYIPADDRESS[4500] (144 bytes)
Sep 23 05:03:45 Minecraft charon: 04[ENC] parsed IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]
Sep 23 05:03:45 Minecraft charon: 04[IKE] no EAP key found for hosts 'MYIPADDRESS' - 'user1'
Sep 23 05:03:45 Minecraft charon: 04[IKE] EAP-MS-CHAPv2 verification failed, retry (1)
Sep 23 05:03:47 Minecraft charon: 04[ENC] generating IKE_AUTH response 3 [ EAP/REQ/MSCHAPV2 ]
Sep 23 05:03:47 Minecraft charon: 04[NET] sending packet: from MYIPADDRESS[4500] to 195.37.108.234[39639] (128 bytes)
Sep 23 05:03:47 Minecraft charon: 05[NET] received packet: from 195.37.108.234[39639] to MYIPADDRESS[4500] (144 bytes)
Sep 23 05:03:47 Minecraft charon: 05[ENC] parsed IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]
Sep 23 05:03:47 Minecraft charon: 05[IKE] received retransmit of request with ID 3, retransmitting response
Sep 23 05:03:47 Minecraft charon: 05[NET] sending packet: from MYIPADDRESS[4500] to 195.37.108.234[39639] (128 bytes)
Sep 23 05:03:47 Minecraft charon: 07[NET] received packet: from 195.37.108.234[39639] to MYIPADDRESS[4500] (80 bytes)
Sep 23 05:03:47 Minecraft charon: 07[ENC] parsed INFORMATIONAL request 4 [ N(AUTH_FAILED) ]
Sep 23 05:03:47 Minecraft charon: 07[ENC] generating INFORMATIONAL response 4 [ N(AUTH_FAILED) ]
Sep 23 05:03:47 Minecraft charon: 07[NET] sending packet: from MYIPADDRESS[4500] to 195.37.108.234[39639] (80 bytes)
where the line
Sep 23 05:03:45 Minecraft charon: 04[IKE] no EAP key found for hosts 'MYIPADDRESS' - 'user1'
is strange, since my secrets file (ipsec.secrets) looks like this:
# This file holds shared secrets or RSA private keys for authentication.
# RSA private key for this host, authenticating it to any other host
# which knows the public part.
# this file is managed with debconf and will contain the automatically created $
#include /var/lib/strongswan/ipsec.secrets.inc
: RSA "server-key-vpn2.pem"
user1: EAP "1234"
user2 : EAP "hallo1234"
Following every configuration file modification, I execute
sudo systemctl restart strongswan
and
ipsec restart
New Android log:
Sep 23 11:07:57 00[DMN] +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Sep 23 11:07:57 00[DMN] Starting IKE service (strongSwan 5.8.0dr2, Android 9 - PKQ1.181121.001/2019-08-01, Mi 9T Pro - Xiaomi/raphael_eea/Xiaomi, Linux 4.14.83-perf-g7723fb1, aarch64)
Sep 23 11:07:57 00[LIB] loaded plugins: androidbridge charon android-log openssl fips-prf random nonce pubkey chapoly curve25519 pkcs1 pkcs8 pem xcbc hmac socket-default revocation eap-identity eap-mschapv2 eap-md5 eap-gtc eap-tls x509
Sep 23 11:07:57 00[JOB] spawning 16 worker threads
Sep 23 11:07:57 11[IKE] initiating IKE_SA android[29] to MYIPADDRESS
Sep 23 11:07:57 11[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Sep 23 11:07:57 11[NET] sending packet: from 10.105.74.60[49105] to MYIPADDRESS[500] (716 bytes)
Sep 23 11:07:57 12[NET] received packet: from MYIPADDRESS[500] to 10.105.74.60[49105] (38 bytes)
Sep 23 11:07:57 12[ENC] parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
Sep 23 11:07:57 12[IKE] peer didn't accept DH group ECP_256, it requested MODP_3072
Sep 23 11:07:57 12[IKE] initiating IKE_SA android[29] to MYIPADDRESS
Sep 23 11:07:57 12[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Sep 23 11:07:57 12[NET] sending packet: from 10.105.74.60[49105] to MYIPADDRESS[500] (1036 bytes)
Sep 23 11:07:57 07[NET] received packet: from MYIPADDRESS[500] to 10.105.74.60[49105] (592 bytes)
Sep 23 11:07:57 07[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
Sep 23 11:07:57 07[CFG] selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072
Sep 23 11:07:57 07[IKE] local host is behind NAT, sending keep alives
Sep 23 11:07:57 07[IKE] remote host is behind NAT
Sep 23 11:07:57 07[IKE] sending cert request for "CN=VPN root CA"
Sep 23 11:07:57 07[IKE] establishing CHILD_SA android{29}
Sep 23 11:07:57 07[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ CPRQ(ADDR ADDR6 DNS DNS6) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Sep 23 11:07:57 07[NET] sending packet: from 10.105.74.60[49611] to MYIPADDRESS[4500] (464 bytes)
Sep 23 11:07:58 14[NET] received packet: from MYIPADDRESS[4500] to 10.105.74.60[49611] (1236 bytes)
Sep 23 11:07:58 14[ENC] parsed IKE_AUTH response 1 [ EF(1/2) ]
Sep 23 11:07:58 14[ENC] received fragment #1 of 2, waiting for complete IKE message
Sep 23 11:07:58 15[NET] received packet: from MYIPADDRESS[4500] to 10.105.74.60[49611] (756 bytes)
Sep 23 11:07:58 15[ENC] parsed IKE_AUTH response 1 [ EF(2/2) ]
Sep 23 11:07:58 15[ENC] received fragment #2 of 2, reassembled fragmented IKE message (1920 bytes)
Sep 23 11:07:58 15[ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
Sep 23 11:07:58 15[IKE] received end entity cert "CN=MYIPADDRESS"
Sep 23 11:07:58 15[CFG] using certificate "CN=MYIPADDRESS"
Sep 23 11:07:58 15[CFG] using trusted ca certificate "CN=VPN root CA"
Sep 23 11:07:58 15[CFG] checking certificate status of "CN=MYIPADDRESS"
Sep 23 11:07:58 15[CFG] certificate status is not available
Sep 23 11:07:58 15[CFG] reached self-signed root ca with a path length of 0
Sep 23 11:07:58 15[IKE] authentication of 'MYIPADDRESS' with RSA_EMSA_PKCS1_SHA2_384 successful
Sep 23 11:07:58 15[IKE] server requested EAP_IDENTITY (id 0x00), sending 'user1'
Sep 23 11:07:58 15[ENC] generating IKE_AUTH request 2 [ EAP/RES/ID ]
Sep 23 11:07:58 15[NET] sending packet: from 10.105.74.60[49611] to MYIPADDRESS[4500] (80 bytes)
Sep 23 11:07:58 11[NET] received packet: from MYIPADDRESS[4500] to 10.105.74.60[49611] (112 bytes)
Sep 23 11:07:58 11[ENC] parsed IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
Sep 23 11:07:58 11[IKE] server requested EAP_MSCHAPV2 authentication (id 0x3C)
Sep 23 11:07:58 11[ENC] generating IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]
Sep 23 11:07:58 11[NET] sending packet: from 10.105.74.60[49611] to MYIPADDRESS[4500] (144 bytes)
Sep 23 11:08:00 13[IKE] retransmit 1 of request with message ID 3
Sep 23 11:08:00 13[NET] sending packet: from 10.105.74.60[49611] to MYIPADDRESS[4500] (144 bytes)
Sep 23 11:08:00 07[NET] received packet: from MYIPADDRESS[4500] to 10.105.74.60[49611] (128 bytes)
Sep 23 11:08:00 07[ENC] parsed IKE_AUTH response 3 [ EAP/REQ/MSCHAPV2 ]
Sep 23 11:08:00 07[IKE] EAP-MS-CHAPv2 failed with error ERROR_AUTHENTICATION_FAILURE: '(null)'
Sep 23 11:08:00 07[IKE] EAP_MSCHAPV2 method failed
Sep 23 11:08:00 07[ENC] generating INFORMATIONAL request 4 [ N(AUTH_FAILED) ]
Sep 23 11:08:00 07[NET] sending packet: from 10.105.74.60[49611] to MYIPADDRESS[4500] (80 bytes)
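The server-side line "no EAP key found for hosts 'MYIPADDRESS' - 'user1'" is charon reporting that its shared-secret lookup for the local ID / EAP identity pair came back empty, which is why the EAP-MS-CHAPv2 verification fails and the client ends up sending AUTH_FAILED. The script below is an added example for this thread, not strongSwan's own code: it parses an ipsec.secrets-style file, applies a simplified model of the documented selector rules (an entry with no selectors matches any host; otherwise each ID is matched against the selectors, and the best match, ranked by the remote/EAP identity first, wins), and then runs the "no EAP key found" lines from the charon log through that lookup to show whether the file as posted would have satisfied it. The secrets excerpt and log lines are constructed copies of what appears above; the match-level constants and the case-insensitive comparison are simplifications and are assumptions, not the daemon's exact logic.

```python
"""Check a charon 'no EAP key found for hosts' line against an ipsec.secrets file.

Added example, not strongSwan's own code: the selector matching below is a
simplified model of the documented ipsec.secrets rules (assumption).
"""
import re
from dataclasses import dataclass

# Constructed copy of the ipsec.secrets excerpt from the post.
SECRETS_TEXT = """\
# This file holds shared secrets or RSA private keys for authentication.
#include /var/lib/strongswan/ipsec.secrets.inc
: RSA "server-key-vpn2.pem"
user1: EAP "1234"
user2 : EAP "hallo1234"
"""

# Constructed excerpt of the server-side charon log from the post.
CHARON_LOG = """\
Sep 23 05:03:44 Minecraft charon: 06[IKE] received EAP identity 'user1'
Sep 23 05:03:44 Minecraft charon: 06[IKE] initiating EAP_MSCHAPV2 method (id 0xEC)
Sep 23 05:03:45 Minecraft charon: 04[IKE] no EAP key found for hosts 'MYIPADDRESS' - 'user1'
Sep 23 05:03:45 Minecraft charon: 04[IKE] EAP-MS-CHAPv2 verification failed, retry (1)
"""

MATCH_NONE, MATCH_ANY, MATCH_PERFECT = 0, 1, 2   # simplified match levels (assumption)


@dataclass(frozen=True)
class Secret:
    selectors: tuple   # () means "no selectors": matches any local/remote pair
    kind: str          # EAP, PSK, RSA, ...
    value: str         # the secret itself, or the key file name for RSA/ECDSA


SECRET_RE = re.compile(r'^(?P<sel>[^:]*?)\s*:\s*(?P<kind>[A-Za-z0-9_]+)\s+(?P<val>.+?)\s*$')
NO_KEY_RE = re.compile(r"no EAP key found for hosts '(?P<me>[^']*)' - '(?P<other>[^']*)'")


def parse_secrets(text):
    """Return (secrets, includes). Comment lines are dropped; '#include'
    directives are recorded but not followed, because the included file is
    not part of the post and may carry further entries of its own."""
    secrets, includes = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith('#include'):
            includes.append(line[len('#include'):].strip())
            continue
        if not line or line.startswith('#'):
            continue
        m = SECRET_RE.match(line)
        if not m:
            raise ValueError(f'unparseable secrets line: {raw!r}')
        val = m.group('val')
        if len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1]            # strip the surrounding double quotes
        secrets.append(Secret(tuple(m.group('sel').split()), m.group('kind').upper(), val))
    return secrets, includes


def id_match(identity, selector):
    """%any matches anything at ANY level; otherwise the selector must equal
    the identity (case-insensitive here, a simplification)."""
    if selector in ('%any', '%any6'):
        return MATCH_ANY
    return MATCH_PERFECT if identity.lower() == selector.lower() else MATCH_NONE


def lookup(secrets, kind, me, other):
    """Pick the entry the way the documented rules describe: no selectors
    matches any pair at ANY level; otherwise each ID takes its best selector
    match and the entry is a candidate if either ID matched; the remote
    (EAP) identity match is ranked first, then the local one."""
    best, best_rank = None, (MATCH_NONE, MATCH_NONE)
    for s in secrets:
        if s.kind != kind:
            continue
        if not s.selectors:
            rank = (MATCH_ANY, MATCH_ANY)
        else:
            rank = (max(id_match(other, sel) for sel in s.selectors),
                    max(id_match(me, sel) for sel in s.selectors))
            if rank == (MATCH_NONE, MATCH_NONE):
                continue
        if rank > best_rank:
            best, best_rank = s, rank
    return best


def diagnose(log_text, secrets_text):
    """For each 'no EAP key found' line, report the ID pair charon used and
    whether the given secrets file would have satisfied that lookup."""
    secrets, includes = parse_secrets(secrets_text)
    findings = []
    for line in log_text.splitlines():
        m = NO_KEY_RE.search(line)
        if not m:
            continue
        hit = lookup(secrets, 'EAP', m.group('me'), m.group('other'))
        findings.append({
            'me': m.group('me'),
            'other': m.group('other'),
            'file_would_match': hit is not None,
            'matched_selectors': hit.selectors if hit else (),
            'unfollowed_includes': includes,
        })
    return findings


if __name__ == '__main__':
    for finding in diagnose(CHARON_LOG, SECRETS_TEXT):
        print(finding)
```

If the posted file would match (as it does here for 'user1') but charon still logs "no EAP key found", the entries the running daemon actually loaded differ from the file you are reading: the stroke-based setup driven by the ipsec command rereads ipsec.secrets and its #include files on `ipsec rereadsecrets` or `ipsec restart`, while a daemon managed through swanctl/vici takes its secrets from swanctl.conf and does not read ipsec.secrets at all.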
