On 05/14/2018 03:13 AM, Tobias Brunner wrote:
> Hi Christian,
>
>> but what if the server stored the password in a sha256(md4(password))
>> hash and then when it received the md4 hash from the client, hashed that
>> with sha256 to compare to?
>
> It doesn't receive the MD4 hash, which is only a part of the calculation
> of EAP-MSCHAPv2 (the NT password hash).  The actual value that's
> transmitted (ChallengeResponse) and has to be verified (by doing the
> same calculation) also incorporates random challenges (see RFC 2759 [1]
> for details).  Which is why the only thing you can store instead of the
> plaintext password is the NT hash (ntlm secrets in swanctl.conf).

Greetings Tobias,
I am trying to get NTLM hashes stored in LDAP to be authenticated via 
eap-radius.  However, when I connect a Windows client (7 or 10), I see this 
type of failure in the freeradius logs:

    radius3 freeradius[23803]: Login Incorrect: [\\300\\250z+/] from client vpn01 (mac=, cli=[IP deleted][4500], port=ikev2-mschapv2)

An incorrect login would normally have the form of:

    Login Incorrect: [username/badpassword]

Any idea why Windows (or Strongswan) is sending garbage for the 
username/password?
