NTLMv2 with FreeRADIUS

Alan DeKok aland at deployingradius.com
Wed Apr 9 17:48:00 CEST 2014


John McCarthy wrote:
> Thanks for you guys' work on the FreeRADIUS project. It works really
> well and was easy to set up and understand.

  I'm glad you agree.  Not everyone has that opinion. :)

> But for PCI compliance, they require that we not use NTLMv1, they
> require us to use NTLMv2. Is there any way to get FreeRADIUS to work
> with NTLMv2 (or a more secure protocol for PCI compliance's sake)?

  The protocols used make it impossible.

  The only way to avoid NTLMv1 is to run FreeRADIUS on the Active
Directory machine.  Unfortunately, we don't have a Windows port.

> I have found the post below that basically says it isn't possible. Maybe
> you can use a flag to tell the Active Directory Domain Controller that
> the traffic is NTLMv2...but that sounded pretty sketchy to me. Does
> anyone else have any ideas?

  Tell the PCI compliance people that their requirements are impossible
in practice, due to Microsoft's implementation of Active Directory.

  Alan DeKok.


More information about the Freeradius-Users mailing list