[strongSwan] Authentication against Linux Users
pashdown at xmission.com
Wed May 16 00:00:29 CEST 2018
On 05/14/2018 03:13 AM, Tobias Brunner wrote:
> Hi Christian,
>> but what if the server stored the password in a sha256(md4(password))
>> hash and then when it received the md4 hash from the client, hashed that
>> with sha256 to compare to?
> It doesn't receive the MD4 hash, which is only a part of the calculation
> of EAP-MSCHAPv2 (the NT password hash). The actual value that's
> transmitted (ChallengeResponse) and has to be verified (by doing the
> same calculation) also incorporates random challenges (see RFC 2759 
> for details). Which is why the only thing you can store instead of the
> plainttext password is the NT hash (ntlm secrets in swanctl.conf).
I am trying to get NTLM hashes stored in LDAP to be authenticated via eap-radius. However, when I connect a Windows client (7 or 10), I see this type of failure in the freeradius logs:
radius3 freeradius: Login Incorrect: [\\300\\250z+/] from client vpn01 (mac=, cli=[IP deleted], port=ikev2-mschapv2)
An incorrect login would normally have the form of:
Login Incorrect: [username/badpassword]
Any idea why Windows (or Strongswan) is sending garbage for the username/password?
More information about the Users