NTLMv2 with FreeRADIUS

Tobias Hachmer tobias at hachmer.de
Wed Apr 9 18:55:31 CEST 2014


On Wednesday 09 April 2014 11:48:00 Alan DeKok wrote:
> > But for PCI compliance, they require that we not use NTLMv1, they
> > require us to use NTLMv2. Is there any way to get FreeRADIUS to work
> > with NTLMv2 (or a more secure protocol for PCI compliance's sake)?
> 
>   The protocols used make it impossible.
> 
>   The only way to avoid NTLMv1 is to run FreeRADIUS on the Active
> Directory machine.  Unfortunately, we don't have a Windows port.

The man page of smb.conf says that there's a global option "client NTLMv2 
auth", see http://www.samba.org/samba/docs/man/manpages-3/smb.conf.5.html.

So, I assume Samba (smbclient) supports NTLMv2. Also, the man page of ntlm_auth 
says:

---snippet---
--nt-response=RESPONSE

    NT or NTLMv2 Response to the challenge (in HEXADECIMAL)
---snippet---
https://www.samba.org/samba/docs/man/manpages/ntlm_auth.1.html

Maybe I didn't get it, but why could FR not authenticate users against MS AD 
via ntlm_auth?

Regards,
Tobias Hachmer