p.mayers at imperial.ac.uk
Fri Nov 11 09:09:44 CET 2011
On 11/11/2011 01:29 AM, Gary Gatten wrote:
> I agree with Jake, in that I *think* it would be possible to have a
> plugin or whatever interface with LDAP/AD in the same manner
> ntlm_auth does. I don't think one *needs* a cleartext password, but
To quote from the other email I just sent:
People wanting to do MSCHAP must have either:
1. The NT or LM hashes
2. The cleartext password, to generate the NT/LM hashes
3. Access to a system which will perform the MSCHAP crypto for them
(i.e. a domain controller, access via samba/ntlm_auth)
If you're talking about writing something that interfaces with Active
Directory "in the same way" as ntlm_auth, you're essentially talking
about writing a (presumably easier to setup/run than samba/ntlm_auth)
program to do #3.
However: I will note there's no evidence that the OP was using AD. He
could have just been using a plain LDAP server.
> does need some way to compare apples-to-apples. That said, I don't
> know the inner workings of all the auth protocols involved here so I
> could be way off. Something tells me if it were easy/possible, Mr.
> DeKok would have likely written the plugin by now.
As it happens, I do know the protocols and internal windows APIs, and
did look into this a while back. It is *possible* but very tricky, and
it's unclear to me it would be "easier" than samba/ntlm_auth. A few points:
1. You CANNOT access the required APIs remotely; you MUST be running
as a local process on a windows domain controller. Thankfully there are
other APIs which a domain member can call as an RPC which proxy to these
APIs, but you need a domain machine account to call them (this is what
2. The required APIs are very, very scantily documented
3. The required APIs ONLY permit you to perform the MSCHAP
calculations; they don't give you access to any password hashes.
So, basically you would end up with:
1. A C program, which you have to compile for windows, which calls the
internal LSA APIs to perform an MSCHAP challenge/response
2. Which you then have to run on a windows server, which calls the RPC
on your domain controllers (this is EXACTLY what Samba/ntlm_auth does)
3. Some kind of authentication to secure the FreeRADIUS -> program
I got about halfway through step 1 - the API calls were executing, but
the call failed despite being passed a valid challenge/response. I
assume there are some (more) undocumented API subtleties.
Given the difficulties and awkwardness of the solution, I gave up and
concluded people should just run Samba, or if they really can't tolerate
that, run a dumb copy of IAS/NPS and proxy the MSCHAP/EAP-MSCHAP to that.
More information about the Freeradius-Users