Hi Christian,

> Why would it fail after getting an approved access from RADIUS
>
> ...
> 12[IKE] EAP method EAP_MSCHAPV2 succeeded, no MSK established

If the EAP method is key-generating, which EAP-MSCHAPv2 is, the authentication will not succeed without an MSK, which the RADIUS server should provide in MS-MPPE-Send|Recv-Key attributes in the Access-Accept message (see e.g. [1] for a note regarding older FreeRADIUS versions and EAP-MSCHAPv2).

Regards,
Tobias

[1] https://wiki.strongswan.org/projects/strongswan/wiki/EAPRADIUS#RADIUS-servers
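
Added example, not part of the original message and not strongSwan code: a Python check that parses a raw RADIUS Access-Accept and reports which of the two MS-MPPE key attributes named in the reply above are missing. Attribute and vendor numbers are from RFC 2865 and RFC 2548; the function names are hypothetical and the two packets are constructed samples with dummy key bytes.

```python
import struct

ACCESS_ACCEPT = 2       # RADIUS packet code, RFC 2865
VENDOR_SPECIFIC = 26    # attribute type, RFC 2865
MICROSOFT = 311         # vendor ID, RFC 2548
MPPE = {16: "MS-MPPE-Send-Key", 17: "MS-MPPE-Recv-Key"}  # vendor types, RFC 2548

def mppe_keys_present(packet):
    """Return the names of the MS-MPPE key attributes in an Access-Accept."""
    if len(packet) < 20:
        raise ValueError("shorter than a RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or not 20 <= length <= len(packet):
        raise ValueError("not a well-formed Access-Accept")
    found, pos = set(), 20          # attributes start after the authenticator
    while pos + 2 <= length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        value = packet[pos + 2:pos + alen]
        pos += alen
        if atype != VENDOR_SPECIFIC or len(value) < 4:
            continue
        if struct.unpack("!I", value[:4])[0] != MICROSOFT:
            continue
        sub = value[4:]             # one or more vendor sub-attributes
        while len(sub) >= 2 and 2 <= sub[1] <= len(sub):
            if sub[0] in MPPE:
                found.add(MPPE[sub[0]])
            sub = sub[sub[1]:]
    return found

def missing_keys(packet):
    """Names of the MPPE key attributes the packet lacks, sorted."""
    return sorted(set(MPPE.values()) - mppe_keys_present(packet))

# --- constructed sample packets (dummy bytes, not real encrypted keys) ---
def _vsa(vendor_type, data):
    sub = bytes([vendor_type, len(data) + 2]) + data
    return bytes([VENDOR_SPECIFIC, len(sub) + 6]) + struct.pack("!I", MICROSOFT) + sub

def _accept(attrs):
    return struct.pack("!BBH", ACCESS_ACCEPT, 1, 20 + len(attrs)) + bytes(16) + attrs

WITH_KEYS = _accept(_vsa(16, bytes(50)) + _vsa(17, bytes(50)))
WITHOUT_KEYS = _accept(bytes([18, 4]) + b"ok")   # Reply-Message only

if __name__ == "__main__":
    for name, pkt in (("with keys", WITH_KEYS), ("without keys", WITHOUT_KEYS)):
        print(name, "-> missing:", missing_keys(pkt) or "none")
```

Run against the UDP payload of the Access-Accept taken from a capture between the gateway and the RADIUS server; a non-empty result matches the "no MSK established" log line quoted above.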