[strongSwan] Authentication against Linux Users

Pete Ashdown pashdown at xmission.com
Wed May 16 00:00:29 CEST 2018

On 05/14/2018 03:13 AM, Tobias Brunner wrote:
> Hi Christian,
>> but what if the server stored the password in a sha256(md4(password))
>> hash and then when it received the md4 hash from the client, hashed that
>> with sha256 to compare to?
> It doesn't receive the MD4 hash, which is only a part of the calculation
> of EAP-MSCHAPv2 (the NT password hash).  The actual value that's
> transmitted (ChallengeResponse) and has to be verified (by doing the
> same calculation) also incorporates random challenges (see RFC 2759 [1]
> for details).  Which is why the only thing you can store instead of the
> plaintext password is the NT hash (ntlm secrets in swanctl.conf).

Greetings Tobias,
I am trying to get NTLM hashes stored in LDAP to be authenticated via eap-radius.  However, when I connect a Windows client (7 or 10), I see this type of failure in the freeradius logs:

     radius3 freeradius[23803]: Login Incorrect: [\\300\\250z+/] from client vpn01 (mac=, cli=[IP deleted][4500], port=ikev2-mschapv2)

An incorrect login would normally have the form of:

     Login Incorrect: [username/badpassword]

Any idea why Windows (or Strongswan) is sending garbage for the username/password?
