[strongSwan] Authentication against Linux Users
Pete Ashdown
pashdown at xmission.com
Wed May 16 17:59:26 CEST 2018
On 5/16/18 7:12 AM, Phil Frost wrote:
> On Tue, May 15, 2018 at 10:00 PM Pete Ashdown <pashdown at xmission.com> wrote:
>
> I am trying to get NTLM hashes stored in LDAP to be authenticated via eap-radius. However, when I connect a Windows client (7 or 10), I see this type of failure in the freeradius logs:
>
> radius3 freeradius[23803]: Login Incorrect: [\300\250z+/] from client vpn01 (mac=, cli=[IP deleted][4500], port=ikev2-mschapv2)
>
> An incorrect login would normally have the form of:
>
> Login Incorrect: [username/badpassword]
>
> Any idea why Windows (or Strongswan) is sending garbage for the username/password?
>
>
> I have seen this, and I'm having a vague recollection! It's not entirely garbage, it's the client IP in binary, interpreted as a string.
>
> ord("\300") -> 192
> ord("\250") -> 168
> ord("z") -> 122
> ord("+") -> 43
>
> It's been a while, but I'm 65% sure this "garbage username" symptom is what you'll see if the EAP exchange between Strongswan and FreeRADIUS isn't working, and the garbage username is a red herring. I'd guess without a functional EAP exchange the real username is never exchanged, and so what you're seeing is some fallback.
>
> http://lists.freeradius.org/pipermail/freeradius-users/2018-March/090898.html
Thank you Phil. The odd thing here is that the proper username/password is exchanged with MacOS clients. I'm at a loss as to why the EAP exchange works for MacOS, but not Windows. So it isn't "never exchanged". I'll keep working on it. Is anyone else using StrongSwan eap-radius -> freeradius -> ldap and has a working setup?
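Added example (not part of the thread, and not strongSwan or FreeRADIUS code): a small decoder for the escaping FreeRADIUS applies when it logs a "Login Incorrect: [username/password]" line, so the octal escapes in the quoted line can be turned back into raw bytes and checked against Phil's reading of them as an IPv4 address. The sample log line is constructed to match the one quoted above; the assumption that the first "/" separates username from password follows the [username/badpassword] form quoted in the thread.

```python
import ipaddress
import re
from typing import Optional, Tuple

# Constructed sample, modelled on the line quoted in the thread (not a live log).
SAMPLE_LINE = (
    "radius3 freeradius[23803]: Login Incorrect: [\\300\\250z+/] "
    "from client vpn01 (mac=, cli=[IP deleted][4500], port=ikev2-mschapv2)"
)

_LOGIN_RE = re.compile(r"Login Incorrect: \[(.*?)\] from client")
_SIMPLE_ESCAPES = {"n": 0x0A, "r": 0x0D, "t": 0x09, "\\": 0x5C}


def unescape(text: str) -> bytes:
    """Reverse the escaping seen in FreeRADIUS log output: non-printable
    bytes appear as three-digit octal (\\300), and backslash, newline,
    carriage return and tab appear as \\\\, \\n, \\r and \\t."""
    out = bytearray()
    i = 0
    while i < len(text):
        ch = text[i]
        if ch != "\\":
            out.extend(ch.encode("utf-8"))
            i += 1
            continue
        nxt = text[i + 1:i + 2]
        if nxt in _SIMPLE_ESCAPES:
            out.append(_SIMPLE_ESCAPES[nxt])
            i += 2
            continue
        octal = text[i + 1:i + 4]
        if len(octal) == 3 and all(c in "01234567" for c in octal):
            out.append(int(octal, 8))
            i += 4
            continue
        # Unknown escape: keep the backslash literally rather than guess.
        out.append(0x5C)
        i += 1
    return bytes(out)


def parse_login_incorrect(line: str) -> Optional[Tuple[bytes, bytes]]:
    """Return (username, password) as raw bytes from a 'Login Incorrect' line,
    or None if the line does not have that shape. Assumption: the bracketed
    field is username/password and the first '/' is the separator."""
    m = _LOGIN_RE.search(line)
    if not m:
        return None
    raw = unescape(m.group(1))
    user, _sep, password = raw.partition(b"/")
    return user, password


def looks_like_ipv4(data: bytes) -> Optional[str]:
    """If the decoded 'username' is exactly four bytes, render it as a dotted
    quad; otherwise None. This is the check Phil did by hand with ord()."""
    if len(data) != 4:
        return None
    return str(ipaddress.IPv4Address(data))


if __name__ == "__main__":
    parsed = parse_login_incorrect(SAMPLE_LINE)
    if parsed is None:
        raise SystemExit("no Login Incorrect field found")
    user, password = parsed
    print("username bytes:", user, "password bytes:", password)
    print("username as IPv4:", looks_like_ipv4(user))
```

Run against the constructed line, the username decodes to the four bytes 0xC0 0xA8 0x7A 0x2B, which is 192.168.122.43, and the part after the "/" is empty, so the "password" FreeRADIUS saw was the empty string. Decoding the field this way is a quicker check than eyeballing octal when the same symptom turns up with a different client address.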