ntlm_auth: hex decode of 00 failed
Scott Pickles
scottpickles at yahoo.com
Thu Jul 30 20:27:45 CEST 2015
Figured this part out: I had the same ntlm_auth setting in both the MS-CHAP AND ntlm_auth modules. So I DID have to change the configuration of the ntlm_auth module. I now get a successful authentication, but was still failing with 'No Auth-Type':
> Program returned code (0) and output 'NT_STATUS_OK: Success (0x0)'
> (0) ntlm_auth : Program executed successfully
> (0) [ntlm_auth] = ok
> (0) [expiration] = noop
> (0) [logintime] = noop
> (0) WARNING: pap : No "known good" password found for the user. Not setting Auth-Type
> (0) WARNING: pap : Authentication will fail unless a "known good" password is available
> (0) [pap] = noop
> (0) } # authorize = ok
> (0) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject
> (0) Failed to authenticate the user
> (0) Using Post-Auth-Type Reject
So I updated my ntlm_auth section per Alan B.
> ldap
> if (Ldap-Group == "VPN-Internal") {
>     ok
> }
> else {
>     reject
> }
>
> ntlm_auth
> if ((ok || updated) && User-Password) {
>     update {
>         control:Auth-Type := ldap
>     }
> }
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAnd success! From the firewall:
> Gateway# test aaa-server authentication RADIUS host 172.18.2.100 username spic$
> INFO: Attempting Authentication test to IP address <HOST_172.18.2.100> (timeout: 12 seconds)
> INFO: Authentication Successful
> Program returned code (0) and output 'NT_STATUS_OK: Success (0x0)'
> (0) ntlm_auth : Program executed successfully
> (0) [ntlm_auth] = ok
> (0) if ((ok || updated) && User-Password)
> (0) if ((ok || updated) && User-Password) -> TRUE
> (0) if ((ok || updated) && User-Password) {
> (0) update {
> (0) control:Auth-Type := LDAP
> (0) } # update = noop
> (0) } # if ((ok || updated) && User-Password) = noop
> (0) [expiration] = noop
> (0) [logintime] = noop
> (0) WARNING: pap : No "known good" password found for the user. Not setting Auth-Type
> (0) WARNING: pap : Authentication will fail unless a "known good" password is available
> (0) [pap] = noop
> (0) } # authorize = ok
> (0) Found Auth-Type = LDAP
> (0) # Executing group from file /etc/raddb/sites-enabled/default
> (0) Auth-Type LDAP {
> (0) ldap : Login attempt by "spickles"
> rlm_ldap (ldap): Reserved connection (4)
> (0) ldap : Using user DN from request "CN=Scott Pickles,CN=Users,DC=myDomain,DC=com"
> (0) ldap : Waiting for bind result...
> (0) ldap : Bind successful
> (0) ldap : Bind as user "CN=Scott Pickles,CN=Users,DC=myDomain,DC=com" was successful
> rlm_ldap (ldap): Released connection (4)
> (0) [ldap] = ok
> (0) } # Auth-Type LDAP = ok
> (0) # Executing section post-auth from file /etc/raddb/sites-enabled/default
> (0) post-auth {
> (0) [exec] = noop
> (0) remove_reply_message_if_eap remove_reply_message_if_eap {
> (0) if (&reply:EAP-Message && &reply:Reply-Message)
> (0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
> (0) else else {
> (0) [noop] = noop
> (0) } # else else = noop
> (0) } # remove_reply_message_if_eap remove_reply_message_if_eap = noop
> (0) } # post-auth = noop
> (0) Sending Access-Accept packet to host 172.18.1.2 port 1025, id=81, length=0
Thanks so much to all of those that supported me over the last two weeks getting this going. I still have a LONG way to go with this, but I really appreciate the help! I'd like to specifically acknowledge Alan B. and Alan D.!!!
On Thursday, July 30, 2015 12:55 PM, Scott Pickles via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
> Executing: /usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --domain=%{%{mschap:NT-Domain}:-FESYSTEMSCOM} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}:
> (0) ntlm_auth : EXPAND --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}
> (0) ntlm_auth : --> --username=spickles
> (0) ERROR: ntlm_auth : No NT-Domain was found in the User-Name
> (0) ntlm_auth : EXPAND --domain=%{%{mschap:NT-Domain}:-FESYSTEMSCOM}
> (0) ntlm_auth : --> --domain=FESYSTEMSCOM
> (0) ERROR: ntlm_auth : No MS-CHAP-Challenge in the request
> (0) ntlm_auth : EXPAND --challenge=%{%{mschap:Challenge}:-00}
> (0) ntlm_auth : --> --challenge=00
> (0) ERROR: ntlm_auth : No MS-CHAP-Response or MS-CHAP2-Response was found in the request
> (0) ntlm_auth : EXPAND --nt-response=%{%{mschap:NT-Response}:-00}
> (0) ntlm_auth : --> --nt-response=00
> hex decode of 00 failed! (only got 1 bytes)
I ultimately want to use FreeRADIUS to authenticate user logins to my Cisco infrastructure, VPN connections to my ASA, and MS-PEAP for WiFi. Currently I'm just trying to run a test connection from my ASA firewall using the RADIUS test built in:
> test aaa-server authorization RADIUS host 172.18.2.100 username spickles
I'm failing at the ntlm_auth portion above, and if I'm understanding it correctly, it's because the test from the ASA is likely sending something like a PAP request as opposed to an MS-CHAP one?
> ERROR: ntlm_auth : No MS-CHAP-Challenge in the request
This is expected and the default is then '00' based on the setting 'ntlm_auth : EXPAND --challenge=%{%{mschap:Challenge}:-00}'. So I guess at this point I'm looking for some guidance on how I can make all of this work because the RADIUS test isn't going to send an MS-CHAP challenge. Do I need to modify the ntlm_auth configuration to include a 'password' option?
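The root cause in this thread is worth seeing as a mechanical check: the ASA `test aaa-server` command sends a PAP request (User-Password, no MS-CHAP attributes), so the mschap xlats are empty, the `:-00` defaults are used, and ntlm_auth receives a one-byte "challenge" where it needs an 8-byte NT challenge and a 24-byte NT response. The script below is an added example, not code from the thread or from FreeRADIUS; it models the xlat expansion and the thread's unlang decision (User-Password present means Auth-Type LDAP) over constructed request dictionaries. The `mschap:Challenge` and `mschap:NT-Response` keys are stand-ins for the mschap xlat output, not real request attributes, and the sample values are made up.

```python
"""Pre-flight model of a FreeRADIUS authorize section serving both PAP and
MS-CHAP clients (added example; not the list poster's configuration)."""

# ntlm_auth needs an 8-byte NT challenge and a 24-byte NT response. The
# thread's "hex decode of 00 failed! (only got 1 bytes)" is what the ':-00'
# xlat default produces when no MS-CHAP attributes are in the request.
CHALLENGE_BYTES = 8
NT_RESPONSE_BYTES = 24


def expand_ntlm_auth_args(req, default_domain="EXAMPLE"):
    """Mimic the xlat expansion shown in the thread, defaults included.

    `req` is a constructed dict of request attributes. The 'mschap:*' keys
    stand in for what the mschap xlat derives from MS-CHAP-Challenge and
    MS-CHAP2-Response; they are an assumption of this example.
    """
    username = req.get("Stripped-User-Name") or req.get("User-Name") or "None"
    domain = req.get("mschap:NT-Domain") or default_domain
    challenge = req.get("mschap:Challenge") or "00"
    nt_response = req.get("mschap:NT-Response") or "00"
    return {"--username": username, "--domain": domain,
            "--challenge": challenge, "--nt-response": nt_response}


def check_hex_arg(value, expected_bytes):
    """Return None if `value` decodes to exactly expected_bytes, else an
    error string in the style of the module's own message."""
    try:
        raw = bytes.fromhex(value)
    except ValueError:
        return f"hex decode of {value} failed! (not hex)"
    if len(raw) != expected_bytes:
        return f"hex decode of {value} failed! (only got {len(raw)} bytes)"
    return None


def check_ntlm_auth_args(args):
    """Validate the expanded arguments before ntlm_auth would be executed."""
    errors = []
    for name, size in (("--challenge", CHALLENGE_BYTES),
                       ("--nt-response", NT_RESPONSE_BYTES)):
        err = check_hex_arg(args[name], size)
        if err:
            errors.append(f"{name}: {err}")
    return errors


def choose_auth_type(req):
    """Mirror the unlang from the thread: a PAP request (User-Password
    present) gets Auth-Type LDAP so rlm_ldap binds as the user; a request
    carrying MS-CHAP attributes is left to the mschap module, which runs
    ntlm_auth with a real challenge; anything else gets no Auth-Type, the
    'No Auth-Type found' rejection from the first debug output."""
    if "User-Password" in req:
        return "LDAP"
    has_response = "MS-CHAP2-Response" in req or "MS-CHAP-Response" in req
    if "MS-CHAP-Challenge" in req and has_response:
        return "MS-CHAP"
    return None


# Constructed sample requests (not captured traffic).
PAP_REQUEST = {  # what the ASA's `test aaa-server authentication` sends
    "User-Name": "spickles",
    "User-Password": "not-a-real-password",
}
MSCHAP_REQUEST = {  # a PEAP/MS-CHAPv2 inner request; all values made up
    "User-Name": "spickles",
    "MS-CHAP-Challenge": "0x" + "11" * 16,
    "MS-CHAP2-Response": "0x" + "22" * 50,
    "mschap:Challenge": "a1" * 8,      # stand-in: 8-byte derived challenge
    "mschap:NT-Response": "b2" * 24,   # stand-in: 24-byte NT response
}

if __name__ == "__main__":
    for label, req in (("PAP", PAP_REQUEST), ("MS-CHAP", MSCHAP_REQUEST)):
        print(f"{label}: Auth-Type -> {choose_auth_type(req)}")
        args = expand_ntlm_auth_args(req)
        for err in check_ntlm_auth_args(args) or ["ntlm_auth args OK"]:
            print(f"  {err}")
```

Running it prints the one-byte failures for the PAP request and a clean result for the MS-CHAP one, which is the same split the final unlang in the thread encodes: route PAP to the LDAP bind and leave MS-CHAP to the mschap module rather than calling ntlm_auth directly from authorize.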