On 5/16/18 7:12 AM, Phil Frost wrote:
> On Tue, May 15, 2018 at 10:00 PM Pete Ashdown <[email protected]
> <mailto:[email protected]>> wrote:
>
> > I am trying to get NTLM hashes stored in LDAP to be authenticated via
> > eap-radius. However, when I connect a Windows client (7 or 10), I see this
> > type of failure in the freeradius logs:
> >
> > radius3 freeradius[23803]: Login Incorrect: [\\300\\250z+/] from
> > client vpn01 (mac=, cli=[IP deleted][4500], port=ikev2-mschapv2)
> >
> > An incorrect login would normally have the form of:
> >
> > Login Incorrect: [username/badpassword]
> >
> > Any idea why Windows (or Strongswan) is sending garbage for the
> > username/password?
>
> I have seen this, and I'm having a vague recollection! It's not entirely
> garbage, it's the client IP in binary, interpreted as a string.
>
> ord("\300") -> 192
> ord("\250") -> 168
> ord("z") -> 122
> ord("+") -> 43
>
> It's been a while, but I'm 65% sure this "garbage username" symptom is what
> you'll see if the EAP exchange between Strongswan and FreeRADIUS isn't
> working, and the garbage username is a red herring. I'd guess without a
> functional EAP exchange the real username is never exchanged, and so what
> you're seeing is some fallback.
>
> http://lists.freeradius.org/pipermail/freeradius-users/2018-March/090898.html
Thank you Phil. The odd thing here is that the proper username/password is exchanged with MacOS clients. I'm at a loss as to why the EAP exchange works for MacOS, but not Windows. So it isn't "never exchanged". I'll keep working on it. Is anyone else using StrongSwan eap-radius -> freeradius -> ldap and has a working setup?
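Phil's decoding of the "garbage" username, carried out as a small parser so the check can be repeated on other log lines. This is an added example and not code from the thread or from FreeRADIUS: it assumes the FreeRADIUS convention of printing non-printable bytes in the `Login Incorrect: [user/pass]` field as three-digit octal escapes (`\ooo`), accepts the doubled backslashes as the line appears in the mail, splits user from password on the first `/`, and reports a four-byte username as the IPv4 address it would be. A four-byte username that happens to look like an address is a hint about what the peer sent, not proof of it. The sample log line is copied from the quoted message above.

```python
import re
import ipaddress

# Constructed sample: the log line quoted in the thread, as it appears in the mail
# (backslashes doubled). A raw FreeRADIUS log line carries single backslashes;
# the decoder below accepts either form.
SAMPLE_LOG = (
    r"radius3 freeradius[23803]: Login Incorrect: [\\300\\250z+/] from "
    r"client vpn01 (mac=, cli=[IP deleted][4500], port=ikev2-mschapv2)"
)

# One or two backslashes followed by exactly three octal digits.
_OCTAL = re.compile(r"\\\\?([0-7]{3})")


def extract_login(line):
    """Return the raw 'user/password' text between 'Login Incorrect: [' and '] from'."""
    m = re.search(r"Login Incorrect: \[(.*?)\] from", line)
    if not m:
        raise ValueError("not a 'Login Incorrect' line")
    return m.group(1)


def unescape(field):
    """Turn \\ooo octal escapes back into the bytes FreeRADIUS saw.

    Printable characters are passed through as their Latin-1 byte value
    (assumption: the logged field only contains ASCII/Latin-1 text and
    octal escapes, which is what the quoted log line shows).
    """
    out = bytearray()
    i = 0
    while i < len(field):
        m = _OCTAL.match(field, i)
        if m:
            out.append(int(m.group(1), 8))  # e.g. \300 -> 0xC0 -> 192
            i = m.end()
        else:
            out.append(ord(field[i]))
            i += 1
    return bytes(out)


def as_ipv4(raw):
    """Interpret exactly four bytes as a dotted-quad IPv4 address, else None."""
    if len(raw) != 4:
        return None
    return str(ipaddress.IPv4Address(raw))


def decode_login(line):
    """Decode one 'Login Incorrect' line into username/password bytes and an IPv4 guess."""
    raw = unescape(extract_login(line))
    # FreeRADIUS prints the field as user/password; split on the first '/'.
    user, _, password = raw.partition(b"/")
    return {
        "username": user,
        "password": password,
        "username_as_ipv4": as_ipv4(user),
    }


if __name__ == "__main__":
    result = decode_login(SAMPLE_LOG)
    print("username bytes :", result["username"])
    print("password bytes :", result["password"])
    print("as IPv4        :", result["username_as_ipv4"])
```

Run against the quoted line, the username bytes come out as `C0 A8 7A 2B`, which `as_ipv4` renders as `192.168.122.43`, matching the four `ord()` values Phil listed; the password field is empty. A normal line such as `Login Incorrect: [alice/hunter2]` decodes to a five-byte username and no IPv4 reading, so the script also serves to tell the two failure shapes apart when scanning a larger log.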
