NTLMv1 security issue

Alan Buxey alan.buxey at gmail.com
Mon Jan 21 20:27:12 CET 2019


From the top of my head I can't think of any common platforms that do EAP
(WPA/WPA2 enterprise or 802.1X ) and can't do EAP-TLS

alan

On Mon, 21 Jan 2019, 12:59 Roberto Ricci <robertoricci1 at msn.com> wrote:

> Thank you for your help Alan.
> What I’m trying to achieve is to let people connect to the WIFI network
> with credentials stored in our AD. The new SAMBA server for “public” access
> is a good idea and seems to be the only way to achieve my goal in a
> reasonably secure and clean way. Can you confirm this last sentence? Is
> this the only way to do WIFI access with AD in a secure and clean way? Are
> there other possibilities to do this? I read about TTLS/PAP and EAP-TLS but
> I know that there are compatibility problems with some devices (e.g.
> Windows not supporting natively and iOS incompatibilities).
> Thank you for your attention.
>
> Best regards
>
> > On 18 Jan 2019, at 15:17, Alan DeKok <
> aland at deployingradius.com> wrote:
> >
> > On Jan 18, 2019, at 4:52 AM, Roberto Ricci <robertoricci1 at msn.com>
> wrote:
> >>
> >> I'm trying to set up a FreeRADIUS server for authentication against
> Active Directory. I followed the guide on deployingradius.com. In order
> to make everything work I have to set “ntlm auth = yes” in my smb.conf.
> This should enable NTLMv1 protocol that is well known to be broken. I also
> know that there is the possibility to set “ntlm auth =
> mschapv2-and-ntlmv2-only” but that’s not supported on my currently running
> SAMBA version. So these are my questions:
> >> - What are the risks that I’m taking if I leave “ntlm auth = yes” on my
> SAMBA server?
> >
> >  People can use ntlm_auth to talk to Samba.  ntlm_auth is insecure, so
> it's best to avoid it if you can.
> >
> >> - How can I avoid “ntlm auth = yes” without upgrading SAMBA?
> >
> >  Use one Samba server for "public" access.  i.e. people in your local
> network.  Use a different Samba server for FreeRADIUS.  And lock the second
> one down so that it only talks to the first Samba server && FreeRADIUS.
> >
> >> - If I decide to upgrade SAMBA and set “ntlm auth =
> mschapv2-and-ntlmv2-only” can I rest easy, or am I still vulnerable in
> some way?
> >
> >  It's a little better, but plain MS-CHAPv2 is still somewhat insecure.
> >
> >   Alan DeKok.
> >
> >
> > -
> > List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
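
The thread above turns on two smb.conf details: the value of "ntlm auth" (where "yes" re-enables NTLMv1 for every client, and "mschapv2-and-ntlmv2-only" narrows that to the MS-CHAPv2 path ntlm_auth needs) and the advice to lock the FreeRADIUS-facing Samba server down so only the primary Samba server and the RADIUS host can reach it. The script below is an added example, not code from the thread or from the Samba or FreeRADIUS projects. It assumes the smb.conf(5) parameter names and values ("ntlm auth" with yes/ntlmv1-permitted, no/ntlmv2-only, mschapv2-and-ntlmv2-only, disabled; "hosts allow"/"hosts deny"); the two sample configurations and the 192.0.2.x addresses are constructed for the demonstration. It parses a smb.conf the way Samba reads parameter names (case-insensitive, whitespace ignored) and reports how far each configuration is from the thread's recommendation.

```python
"""Audit smb.conf for the "ntlm auth" and lock-down settings discussed above.

Added example, not from the thread or from the Samba/FreeRADIUS projects.
Assumes the smb.conf(5) parameters "ntlm auth" (yes / ntlmv1-permitted,
no / ntlmv2-only, mschapv2-and-ntlmv2-only, disabled), "hosts allow" and
"hosts deny". Both sample configurations below are constructed.
"""

# Constructed sample: the configuration the original poster was forced into.
WEAK_SMB_CONF = """
[global]
    workgroup = EXAMPLE
    security = ads
    realm = EXAMPLE.LOCAL
    # required by the guide so ntlm_auth can serve MS-CHAPv2
    ntlm auth = yes
"""

# Constructed sample: a dedicated, RADIUS-only Samba after the upgrade.
# 192.0.2.10 = primary Samba server, 192.0.2.20 = FreeRADIUS host (assumed).
HARDENED_SMB_CONF = """
[global]
    workgroup = EXAMPLE
    security = ads
    realm = EXAMPLE.LOCAL
    ntlm auth = mschapv2-and-ntlmv2-only
    ; only the primary Samba server and the RADIUS host may connect
    hosts allow = 127.0.0.1 192.0.2.10 192.0.2.20
    hosts deny = ALL
"""

# How each "ntlm auth" value relates to the risk raised in the thread.
NTLM_AUTH_RISK = {
    "yes": ("high", "NTLMv1 accepted from every client"),
    "ntlmv1-permitted": ("high", "NTLMv1 accepted from every client"),
    "mschapv2-and-ntlmv2-only": (
        "medium",
        "NTLMv1 only inside MS-CHAPv2 via ntlm_auth; plain MS-CHAPv2 is still weak",
    ),
    "no": ("low", "NTLMv2 only; ntlm_auth for MS-CHAPv2 will stop working"),
    "ntlmv2-only": ("low", "NTLMv2 only; ntlm_auth for MS-CHAPv2 will stop working"),
    "disabled": ("low", "NTLM disabled entirely"),
}


def parse_smb_conf(text):
    """Minimal smb.conf reader: [sections], 'key = value', '#'/';' comments.
    Samba matches parameter names case-insensitively and ignores whitespace
    inside them, so names are normalised the same way ('ntlm auth' -> 'ntlmauth')."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current]["".join(key.split()).lower()] = value.strip()
    return sections


def audit(text):
    """Return a list of (severity, message) findings for one smb.conf text."""
    glob = parse_smb_conf(text).get("global", {})
    findings = []

    value = glob.get("ntlmauth")
    if value is None:
        # The built-in default has changed across Samba releases, so an
        # unset value is a finding in itself: make the choice explicit.
        findings.append(("medium", "'ntlm auth' not set; effective value depends "
                                   "on the Samba version default, set it explicitly"))
    else:
        sev, why = NTLM_AUTH_RISK.get(value.lower(), ("medium", f"unknown value {value!r}"))
        findings.append((sev, f"ntlm auth = {value}: {why}"))

    if "hostsallow" not in glob:
        findings.append(("medium", "no 'hosts allow': any host can reach this Samba "
                                   "service; restrict it to the primary Samba server "
                                   "and the RADIUS host (and firewall it as well)"))
    return findings


def worst_severity(findings):
    """Collapse a findings list to its highest severity ('low' if empty)."""
    order = {"low": 0, "medium": 1, "high": 2}
    return max((sev for sev, _ in findings), key=order.__getitem__, default="low")


if __name__ == "__main__":
    for name, text in (("weak", WEAK_SMB_CONF), ("hardened", HARDENED_SMB_CONF)):
        findings = audit(text)
        print(f"[{name}] overall: {worst_severity(findings)}")
        for sev, msg in findings:
            print(f"  {sev:6} {msg}")
```

Run it against a real /etc/samba/smb.conf by passing the file contents to `audit()`; the "hosts allow" finding expresses the thread's lock-down advice at the Samba layer only, and a host firewall restricting the RADIUS-facing server to the same two peers is still the primary control.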