Windows WPA

Phil Mayers p.mayers at imperial.ac.uk
Thu Dec 22 17:48:57 CET 2005


Stefan Adams wrote:
> Phil, thanks for the information!
> 
> "Finally you need an AD domain (not NT4) to do that."
> 
> Are you saying I actually need a Microsoft Server?  A Samba domain
> control won't suffice?  Being that I have no (ZERO) Microsoft servers,
> are my chances of doing machine authentication nil?


Ah, that's a different kettle of fish entirely. In this specific case I 
*believe* the RPC call allowing you to MSCHAP a machine account is a 
newer RPC, so since Samba emulates NT4 you may still find that method 
doesn't work.

But, if you have a samba domain controller, you can in a supported 
fashion extract the LM and NT hashes from your SAM, and give those to 
FreeRadius directly, which can then do the MSCHAP without a callout to 
the domain at *all*, which has obvious scalability and resilience value.

How to do this depends on what SAM backend you're using, whether the 
FreeRadius server runs on the same machine as the Samba DC or a 
different one, and of course whether your site policy permits the "risk" 
of moving the LM/NT hashes around, though I personally don't buy the 
arguments about the risk involved there.

If you're using an LDAP backend, see frequent posts about using LDAP and 
ways of mapping the ntPassword LDAP attribute to the NT-Password radius 
attribute.

If you're using smbpasswd, then a "passwd" file module can be used in 
FreeRadius, with the config as described in the default radiusd.conf (I 
believe), subject to you obviously getting the file somewhere FreeRadius 
can see it, and HUPing the server if/when it changes.

Other SAMs (TDB, etc.) can probably be done similarly but that's 
samba-specific.
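The smbpasswd-to-RADIUS mapping described above, as an added example that is not part of this thread, of FreeRADIUS, or of Samba: it parses a constructed smbpasswd-style file (name:uid:LM-hash:NT-hash:[account flags]:LCT-...) and derives the LM-Password / NT-Password values an MS-CHAP capable RADIUS server would need for each account, while refusing records that should never be authenticated from the file (disabled accounts, "NO PASSWORD" entries, missing NT hash). The hashes, usernames and flag strings are constructed sample data; the function names are this example's own, not rlm_passwd's.

```python
"""Parse an smbpasswd-style file and derive the per-account RADIUS attributes
needed for local MS-CHAP verification (no callout to the domain controller).

Added example; not FreeRADIUS or Samba code. All file content is constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample in smbpasswd layout:
#   username:uid:LM-hash:NT-hash:[account-control flags]:LCT-<hex seconds>:
# Samba writes 32 'X's where no hash is stored and "NO PASSWORD..." for an
# empty password; the flags field uses D=disabled, N=no password,
# U=user account, W=workstation trust (machine) account.
SAMPLE_SMBPASSWD = """\
# comment line, ignored by the parser
alice:1001:FEDCBA9876543210FEDCBA9876543210:0123456789ABCDEF0123456789ABCDEF:[U          ]:LCT-43A0F5E1:
bob:1002:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:11111111222222223333333344444444:[DU         ]:LCT-43A0F5E1:
guest:1003:NO PASSWORDXXXXXXXXXXXXXXXXXXXXX:NO PASSWORDXXXXXXXXXXXXXXXXXXXXX:[NU         ]:LCT-43A0F5E1:
lab-pc1$:1004:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:AAAAAAAABBBBBBBBCCCCCCCCDDDDDDDD:[W          ]:LCT-43A0F5E1:
broken line without enough fields
"""

HEX32 = re.compile(r"^[0-9A-Fa-f]{32}$")
FLAGS_RE = re.compile(r"^\[([A-Za-z ]*)\]$")


@dataclass
class SmbEntry:
    username: str
    uid: int
    lm_hash: Optional[str]   # None when the file stores no usable LM hash
    nt_hash: Optional[str]   # None when the file stores no usable NT hash
    flags: str               # letters from the [...] account-control field

    @property
    def disabled(self) -> bool:
        return "D" in self.flags

    @property
    def no_password(self) -> bool:
        return "N" in self.flags

    @property
    def workstation_trust(self) -> bool:
        return "W" in self.flags


def _hash_or_none(field: str) -> Optional[str]:
    """Accept only a real 32-hex-digit hash; 'XXXX...' and 'NO PASSWORD...' become None."""
    return field.upper() if HEX32.match(field) else None


def parse_smbpasswd(text: str) -> Dict[str, SmbEntry]:
    """Return entries keyed by username; comments and malformed lines are skipped."""
    entries: Dict[str, SmbEntry] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 5:
            continue  # too few colon-separated fields to be a record
        name, uid, lm, nt, ctrl = fields[:5]
        try:
            uid_int = int(uid)
        except ValueError:
            continue  # uid column is not numeric: not a valid record
        m = FLAGS_RE.match(ctrl)
        flags = m.group(1).replace(" ", "") if m else ""
        entries[name] = SmbEntry(name, uid_int, _hash_or_none(lm), _hash_or_none(nt), flags)
    return entries


def radius_attributes(entry: SmbEntry) -> Optional[Dict[str, str]]:
    """Attributes a RADIUS server needs for local MS-CHAP (hashes as hex strings),
    or None when the record must not be used to authenticate anyone."""
    if entry.disabled or entry.no_password or entry.nt_hash is None:
        return None
    attrs = {"NT-Password": entry.nt_hash}
    if entry.lm_hash is not None:          # LM hash is optional for MS-CHAP
        attrs["LM-Password"] = entry.lm_hash
    return attrs


def export_users(text: str) -> Dict[str, Dict[str, str]]:
    """Map username -> RADIUS attributes for every record that may be authenticated."""
    result: Dict[str, Dict[str, str]] = {}
    for name, entry in parse_smbpasswd(text).items():
        attrs = radius_attributes(entry)
        if attrs is not None:
            result[name] = attrs
    return result


if __name__ == "__main__":
    for user, attrs in export_users(SAMPLE_SMBPASSWD).items():
        print(user, attrs)
```

Note that the machine account `lab-pc1$` is exported with only an NT hash, which is the normal state for workstation trust accounts, while the disabled `bob` and the passwordless `guest` are dropped entirely: whatever mechanism copies hashes to the RADIUS host should apply the same account-control filtering, since a flat hash file carries none of the domain's account-status checks by itself.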
