NTLMv2 with FreeRADIUS

Phil Mayers p.mayers at imperial.ac.uk
Wed Apr 9 21:44:47 CEST 2014


On 09/04/2014 20:04, John McCarthy wrote:
> On 09/04/14 13:38, Phil Mayers wrote:
>> 1. Use MSCHAP which needs NTLMv1
>
> http://wiki.freeradius.org/guide/FreeRADIUS-Active-Directory-Integration-HOWTO
>
> in the picture here, is the NTLM traffic from the FreeRADIUS server to
> the Active Directory server encrypted? if not, can it be?

That's up to Samba. The flow is:

1. FreeRADIUS calls ntlm_auth with the MSCHAP challenge/response
2. ntlm_auth passes it to winbind over a pipe
3. winbind calls an RPC on the domain controller over an SMB/RPC pipe
4. response comes back in the reverse

Every time I've looked, that SMB/RPC connection has been encrypted. I 
believe it always will be, with modern Samba & AD. I am *reasonably* 
sure that the SMB/RPC pipe will use NTLMv2 or Kerberos with the Samba 
machine credentials, so should be secure.

You can verify this trivially with wireshark.

>> 2. Use TTLS/PAP, and check passwords via Kerberos/LDAP bind.
>
> Is this way recommended? the part about using PAP scares me. (Clear-text

It's not a common configuration, no. Most people use PEAP/MSCHAPv2 via 
Samba/ntlm_auth, and do not force ntlmv2. The main reason is that, prior 
to Windows 8, Windows clients needed extra software for TTLS/PAP.

As for PAP scaring you, I think you've misunderstood. The client 
establishes an encrypted tunnel with EAP-TTLS, then sends the 
username/password down the tunnel. FreeRADIUS verifies it somehow. There 
are no "files" involved.
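As an added illustration of step 1 of that flow (not part of this thread, nor FreeRADIUS or Samba code), here is a small Python wrapper that invokes ntlm_auth with the same options the stock FreeRADIUS mschap module uses and parses the NT_KEY reply; the user, domain, challenge and NT-Response values are constructed samples.

```python
import re
import shutil
import subprocess

# Constructed sample values standing in for what the FreeRADIUS mschap module
# hands to ntlm_auth: an 8-byte MS-CHAPv2 challenge (hex) and the 24-byte
# NT-Response (hex), i.e. the NTLMv1-style response the thread refers to.
SAMPLE_USER = "jdoe"
SAMPLE_DOMAIN = "EXAMPLE"
SAMPLE_CHALLENGE = "0123456789abcdef"
SAMPLE_NT_RESPONSE = "a1" * 24


def _check_hex(value, nbytes, name):
    """Reject anything that is not exactly nbytes of hex before it becomes an argv entry."""
    if len(bytes.fromhex(value)) != nbytes:      # bytes.fromhex raises ValueError on non-hex
        raise ValueError(f"{name} must be {nbytes} bytes of hex")
    return value.lower()


def build_ntlm_auth_argv(user, domain, challenge_hex, nt_response_hex):
    """Same options the stock mschap module passes (step 1 of the flow above).
    --request-nt-key makes ntlm_auth print the NT key on success, which
    FreeRADIUS needs to derive the MPPE keys for the PEAP/MSCHAPv2 session."""
    return [
        "ntlm_auth",
        "--request-nt-key",
        f"--username={user}",
        f"--domain={domain}",
        f"--challenge={_check_hex(challenge_hex, 8, 'challenge')}",
        f"--nt-response={_check_hex(nt_response_hex, 24, 'nt-response')}",
    ]


def parse_ntlm_auth_output(stdout, returncode):
    """ntlm_auth exits 0 and prints 'NT_KEY: <32 hex chars>' when winbind (and
    through it the DC, steps 2-3) accepted the response; anything else is a reject."""
    if returncode != 0:
        return None
    m = re.search(r"^NT_KEY:\s*([0-9A-Fa-f]{32})\s*$", stdout, re.MULTILINE)
    return m.group(1).lower() if m else None


def check_mschap(user, domain, challenge_hex, nt_response_hex):
    """Run the real helper; returns the NT key (hex) on accept, None on reject."""
    if shutil.which("ntlm_auth") is None:
        raise FileNotFoundError("ntlm_auth (Samba) is not installed")
    argv = build_ntlm_auth_argv(user, domain, challenge_hex, nt_response_hex)
    proc = subprocess.run(argv, capture_output=True, text=True, timeout=10)  # no shell
    return parse_ntlm_auth_output(proc.stdout, proc.returncode)
```

Testing the helper in isolation like this separates a FreeRADIUS configuration problem from a winbind or machine-account problem, since a reject here never touched FreeRADIUS.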
