[strongSwan] Authentication against Linux Users

Phil Frost phil at postmates.com
Wed May 16 15:12:23 CEST 2018


On Tue, May 15, 2018 at 10:00 PM Pete Ashdown <pashdown at xmission.com> wrote:

> I am trying to get NTLM hashes stored in LDAP to be authenticated via
> eap-radius.  However, when I connect a Windows client (7 or 10), I see this
> type of failure in the freeradius logs:
>
>      radius3 freeradius[23803]: Login Incorrect: [\\300\\250z+/] from
> client vpn01 (mac=, cli=[IP deleted][4500], port=ikev2-mschapv2)
>
> An incorrect login would normally have the form of:
>
>      Login Incorrect: [username/badpassword]
>
> Any idea why Windows (or Strongswan) is sending garbage for the
> username/password?
>

I have seen this, and I'm having a vague recollection! It's not entirely
garbage, it's the client IP in binary, interpreted as a string.

ord("\300") -> 192
ord("\250") -> 168
ord("z") -> 122
ord("+") -> 43

It's been a while, but I'm 65% sure this "garbage username" symptom is what
you'll see if the EAP exchange between Strongswan and FreeRADIUS isn't
working, and the garbage username is a red herring. I'd guess without a
functional EAP exchange the real username is never exchanged, and so what
you're seeing is some fallback.

http://lists.freeradius.org/pipermail/freeradius-users/2018-March/090898.html
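
Added example, not part of the original post: a small Python triage helper that undoes the octal escapes in a FreeRADIUS "Login Incorrect" line and reports when the "username" is really four raw bytes of an IPv4 address, as in the log line quoted above. The function names, the printable-ASCII heuristic and the second and third sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re

# Non-printable bytes appear as \ooo octal escapes (the quoted log shows them
# with a doubled backslash), so accept one or more leading backslashes.
ESC_RE = re.compile(r"\\+([0-3][0-7]{2})")
CRED_RE = re.compile(r"Login Incorrect[^\[]*\[(.*?)\]", re.IGNORECASE)

def unescape(text):
    """Turn the escaped log text back into the raw bytes that were logged."""
    out, pos = bytearray(), 0
    for m in ESC_RE.finditer(text):
        out += text[pos:m.start()].encode("latin-1", "replace")
        out.append(int(m.group(1), 8))
        pos = m.end()
    out += text[pos:].encode("latin-1", "replace")
    return bytes(out)

def username_as_ipv4(line):
    """Return a dotted quad if the logged username looks like a packed IPv4
    address, else None. Heuristic (assumption): exactly four bytes before the
    '/' separator, at least one of them outside printable ASCII."""
    m = CRED_RE.search(line)
    if not m:
        return None
    raw = unescape(m.group(1))
    # Check offset 4 instead of splitting on '/', because 0x2f (47) can
    # itself be one of the address bytes.
    if len(raw) < 5 or raw[4:5] != b"/":
        return None
    head = raw[:4]
    if all(0x20 <= b < 0x7F for b in head):
        return None  # ordinary short username such as "phil"
    return str(ipaddress.IPv4Address(head))

# Sample input: the first line is the one quoted in the thread, the other two
# are constructed for this example.
SAMPLE_LINES = [
    r"radius3 freeradius[23803]: Login Incorrect: [\\300\\250z+/] from client vpn01",
    r"radius3 freeradius[23803]: Login Incorrect: [username/badpassword] from client vpn01",
    r"radius3 freeradius[23803]: Login Incorrect: [\012/\001\002/] from client vpn01",
]

if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(username_as_ipv4(sample), "<-", sample)
```

A hit from this check points at the EAP exchange between the VPN gateway and the RADIUS server, not at the user's credentials.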