
List:       freeradius-users
Subject:    Re: ntlm_auth: hex decode of 00 failed
From:       A.L.M.Buxey () lboro ! ac ! uk
Date:       2015-07-30 20:03:34
Message-ID: 20150730200334.GA9069 () lboro ! ac ! uk

Hi,

> I ultimately want to use FreeRADIUS to authenticate user logins to my Cisco
> infrastructure, VPN connections to my ASA, and MS-PEAP for WiFi.  Currently I'm
> just trying to run a test connection from my ASA firewall using the RADIUS test
> built in:
> > > test aaa-server authorization RADIUS host 172.18.2.100 username spickles

yes. that's just a PAP test....so it's not going to work.

you need to validate the system first by using eg rad_eap_test, eapol_test or
somesuch locally...from localhost. (eapol_test can use nice config files as per found
in the src/tests directory of freeradius)

once you pass that testing phase, THEN send requests from other boxes.  you can
verify local policies by eg changing localhost to point to another virtual_server in
clients.conf

> This is expected and the default is then '00' based on the setting 'ntlm_auth :
> EXPAND --challenge=%{%{mschap:Challenge}:-00}'.  So I guess at this point I'm
> looking for some guidance on how I can make all of this work because the RADIUS
> test isn't going to send an MS-CHAP challenge.  Do I need to modify the ntlm_auth
> configuration to include a 'password' option?

it's a PAP request...for such requests you'll have to have a different configuration -
call another module with a dumber ntlm_auth line....or configure kerberos on the box
and use the krb5 routines.


alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
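
A sketch of the separate, simpler ntlm_auth module the reply refers to for PAP requests, added here as an example and not taken from the thread. It assumes a FreeRADIUS 3.x layout; the ntlm_auth path, the domain name MYDOMAIN and the placement of the unlang check are assumptions to adapt.

```conf
# mods-available/ntlm_auth (symlink into mods-enabled/)
# Separate exec instance for PAP: there is no MS-CHAP challenge/response
# in the request, so the plaintext User-Password is handed to ntlm_auth.
# Note: the password appears on ntlm_auth's command line for the lifetime
# of that process, so restrict local shell access on the RADIUS host.
exec ntlm_auth {
	wait = yes
	program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}"
}

# sites-enabled/default
authorize {
	# ... existing modules (mschap, eap, ...) stay in place ...

	# Only PAP requests carry User-Password. MS-CHAP and EAP requests
	# have already had Auth-Type set by their own modules and keep
	# using the mschap module's --challenge/--nt-response line.
	if (!control:Auth-Type && User-Password) {
		update control {
			Auth-Type := ntlm_auth
		}
	}
}

authenticate {
	# ... existing Auth-Type entries stay in place ...
	ntlm_auth
}
```

With this in place a PAP test such as the ASA's built-in one is handled by the exec instance, while MS-PEAP still needs to be validated separately with eapol_test.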

