ntlm_auth: hex decode of 00 failed

A.L.M.Buxey at lboro.ac.uk A.L.M.Buxey at lboro.ac.uk
Thu Jul 30 22:03:34 CEST 2015


Hi,

> I ultimately want to use FreeRADIUS to authenticate user logins to my Cisco infrastructure, VPN connections to my ASA, and MS-PEAP for WiFi.  Currently I'm just trying to run a test connection from my ASA firewall using the RADIUS test built in:
> >>test aaa-server authorization RADIUS host 172.18.2.100 username spickles

yes. that's just a PAP test....so it's not going to work.

you need to validate the system first by using e.g. rad_eap_test, eapol_test or somesuch locally...from localhost.
(eapol_test can use nice config files as found in the src/tests directory of freeradius)

once you pass that testing phase, THEN send requests from other boxes.  you can verify local policies by e.g.
changing localhost to point to another virtual_server in clients.conf

> This is expected and the default is then '00' based on the setting 'ntlm_auth : EXPAND --challenge=%{%{mschap:Challenge}:-00}'.  So I guess at this point I'm looking for some guidance on how I can make all of this work because the RADIUS test isn't going to send an MS-CHAP challenge.  Do I need to modify the ntlm_auth configuration to include a 'password' option?  

it's a PAP request...for such requests you'll have to have a different configuration - call another module
with a dumber ntlm_auth line....or configure kerberos on the box and use the krb5 routines.


alan
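
The split described in the reply above, as an added configuration sketch that is not part of the original message: the mschap module keeps its challenge/response ntlm_auth line, and a separate exec instance handles PAP with a plain username/password line. It assumes the FreeRADIUS 3.x file layout; `/path/to/ntlm_auth` and `MYDOMAIN` are placeholders.

```conf
# --- mods-available/mschap (MS-CHAP and PEAP-MSCHAPv2 requests) ---
# This line needs a challenge and an NT-Response from the request.
# A PAP request carries neither, so both expansions fall back to "00",
# which is the value seen in the debug line quoted above.
mschap {
	ntlm_auth = "/path/to/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
}

# --- mods-available/ntlm_auth (PAP requests) ---
# The "dumber" line: hands the cleartext User-Password to ntlm_auth
# instead of a challenge/response pair.
exec ntlm_auth {
	wait = yes
	program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}"
}

# --- sites-available/default (virtual server) ---
authorize {
	# Sets Auth-Type = MS-CHAP when MS-CHAP attributes are present.
	mschap

	# Nothing claimed the request and it carries a cleartext password:
	# treat it as PAP and route it to the exec instance above.
	if (!control:Auth-Type && User-Password) {
		update control {
			Auth-Type := ntlm_auth
		}
	}
}

authenticate {
	Auth-Type MS-CHAP {
		mschap
	}
	Auth-Type ntlm_auth {
		ntlm_auth
	}
}
```

With the PAP variant the user's password appears on the ntlm_auth command line for the lifetime of that process, so local shell access to the RADIUS server should be restricted accordingly.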

