What are the advantages and disadvantages of ntlm_auth and LDAP?

Phil Mayers p.mayers at imperial.ac.uk
Mon Dec 5 23:35:29 CET 2005


darkblue wrote:
> There are two types of methods to integrate freeradius with AD, ntlm_auth
> and ldap. With help from experts such as Alan DeKok and Nicolas
> Baradakis, I have set up 802.1x+freeradius+ntlm_auth+AD, and I
> wonder what are the advantages and disadvantages of ldap and
> ntlm_auth. LDAP sounds better than ntlm_auth, is that right?

They're totally different. You are unlikely to find LDAP against AD 
useful for 802.1x authentication.

LDAP-the-protocol can do two things:

  1. What it's supposed to: return *information*. This can include, 
subject to access control, user info such as the plaintext password 
*or* various pre-crypted ones such as the NT or LM hashes, the digest 
HA1, etc. This information is then available to FreeRadius to use, and 
FreeRadius can then do all the authentication (using the plaintext or 
appropriate crypts) and authorisation (using e.g. group info) itself.

  2. What it's not really supposed to, but is used for A LOT: it can act 
as an authentication server for PAP. You connect, optionally bind as a 
search user, search to find the user, then (re)bind using the username 
and plaintext password from the PAP request, getting an OK or failed. In 
this scenario, you're effectively proxying Radius+PAP to LDAP+SimpleBind.

Now, ActiveDirectory cannot be made to return any password hash 
information over LDAP. It cannot, as far as anyone knows, be done.

Therefore, if you're talking to AD over LDAP, you CANNOT extract the NT 
or LM hashes (or for that matter, the Kerberos DES/3DES/AES keys, or 
even the plaintext password if you're using reversible encryption). 
Therefore, LDAP to AD can ONLY authenticate PAP requests.

MS-CHAP requests can be authenticated via the "ntlm_auth" helper method. 
The ONLY other way of doing MS-CHAP is to have the NT or LM hash in a 
form you can get into the radius server. This is by design nearly 
impossible to do with AD.

(This excludes such obvious methods as using a password change plugin to 
capture passwords and make a copy of the NT/LM hashes or even plaintext, 
and various similar things, but they're orthogonal to the discussion.)

This is such an FAQ I wonder if it should be added to the default config 
file above the LDAP module.
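The "proxying Radius+PAP to LDAP+SimpleBind" path from point 2 above, as an added example that is not code from the original post and not FreeRADIUS's own LDAP module: a dependency-free LDAPv3 simple bind in Python, encoded directly in BER so that both the client's BindRequest and the server's BindResponse are visible on the wire. Assumptions: the RADIUS side has already mapped the PAP username to a bind name (the search step the post mentions is left out; Active Directory also accepts a userPrincipalName such as `alice@example.com` as the simple-bind name), the host, port and credentials are placeholders, and the directory is reached over LDAPS because the PAP plaintext crosses the network in this exchange. The empty-password guard covers the RFC 4513 "unauthenticated bind" case, where a bind with a name but no password succeeds without checking anything.

```python
import socket
import ssl

# Minimal BER/LDAPv3 encoder and decoder for a simple bind: enough to show what
# "proxying RADIUS+PAP to LDAP+SimpleBind" actually puts on the wire.
# Added example; not code from the original post or from FreeRADIUS.


def ber_len(n):
    """BER length octets: short form below 128, long form (0x8N + N bytes) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, payload):
    """One BER tag-length-value element."""
    return bytes([tag]) + ber_len(len(payload)) + payload


def ber_int(value):
    """BER INTEGER (tag 0x02) for a non-negative int, minimal two's-complement body."""
    body = value.to_bytes(value.bit_length() // 8 + 1, "big", signed=True)
    return tlv(0x02, body)


def bind_request(msg_id, name, password):
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3, name, simple [0] password } }."""
    auth = tlv(0x80, password.encode("utf-8"))  # AuthenticationChoice: simple [0] OCTET STRING
    op = tlv(0x60, ber_int(3) + tlv(0x04, name.encode("utf-8")) + auth)
    return tlv(0x30, ber_int(msg_id) + op)


def unbind_request(msg_id):
    """LDAPMessage { messageID, UnbindRequest [APPLICATION 2] NULL }."""
    return tlv(0x30, ber_int(msg_id) + b"\x42\x00")


def bind_response(msg_id, result_code, diag=""):
    """Server side: LDAPMessage { messageID, BindResponse [APPLICATION 1] LDAPResult }.

    LDAPResult = resultCode ENUMERATED, matchedDN, diagnosticMessage. Result
    codes fit in one byte (0 = success, 49 = invalidCredentials).
    """
    result = tlv(0x0A, bytes([result_code])) + tlv(0x04, b"") + tlv(0x04, diag.encode("utf-8"))
    return tlv(0x30, ber_int(msg_id) + tlv(0x61, result))


def read_tlv(buf, pos=0):
    """Decode one element at buf[pos]; return (tag, value, position after it)."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_bind_response(buf):
    """Return (resultCode, diagnosticMessage) from an encoded BindResponse."""
    tag, msg, _ = read_tlv(buf)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, _msg_id, pos = read_tlv(msg)
    tag, op, _ = read_tlv(msg, pos)
    if tag != 0x61:
        raise ValueError("not a BindResponse")
    tag, code, pos = read_tlv(op)
    if tag != 0x0A:
        raise ValueError("missing resultCode")
    _, _matched_dn, pos = read_tlv(op, pos)
    _, diag, _ = read_tlv(op, pos)
    return int.from_bytes(code, "big"), diag.decode("utf-8", "replace")


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("directory closed the connection mid-message")
        buf += chunk
    return buf


def recv_message(sock):
    """Read exactly one LDAPMessage (tag + length header, then the body)."""
    head = _recv_exact(sock, 2)
    if head[1] < 0x80:
        body_len = head[1]
    else:
        ext = _recv_exact(sock, head[1] & 0x7F)
        head += ext
        body_len = int.from_bytes(ext, "big")
    return head + _recv_exact(sock, body_len)


def pap_check_via_simple_bind(name, password, host, port=636, use_tls=True, timeout=5.0):
    """Check a PAP username/password by binding to the directory as that user.

    True only for resultCode 0. A bind with a name but an empty password is an
    RFC 4513 "unauthenticated bind": a directory that permits it answers success
    without checking anything, so reject blank PAP passwords before connecting.
    Host, port and credentials are the caller's; nothing here is a real server.
    """
    if not password:
        return False
    raw = socket.create_connection((host, port), timeout=timeout)
    sock = ssl.create_default_context().wrap_socket(raw, server_hostname=host) if use_tls else raw
    with sock:
        sock.sendall(bind_request(1, name, password))
        code, _diag = parse_bind_response(recv_message(sock))
        sock.sendall(unbind_request(2))
    return code == 0
```

The bind result says only that the plaintext password was right; authorisation by group (point 1) still needs a search, and MS-CHAP cannot use this path at all, because the bind needs the plaintext that MS-CHAP never sends, which is exactly why the post says LDAP to AD can only authenticate PAP.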



More information about the Freeradius-Users mailing list