On Wednesday 09 April 2014 18:46:19 Phil Mayers wrote:
On 09/04/14 17:55, Tobias Hachmer wrote:
Maybe I didn't get it but why FR could not authenticate users against MS AD via ntlm_auth?
You've misunderstood the problem.
The issue is that the MSCHAPv2 bit of PEAP - the inner auth - needs NTLMv1 to be enabled. This is because you can turn MSCHAPv2 into an NTLMv1 exchange with a trivial rearrangement.
FreeRADIUS *does* check MSCHAPv2 this way.
NTLMv2 is however a completely different protocol. EAP clients don't speak it, so it's irrelevant whether Samba supports it. And there's no way to transform MSCHAPv2 into NTLMv2. So, you can't check MSCHAPv2 against an NTLMv2-only DC.
Ok, it isn't working with mschapv2. But ntlmv2 would work using PAP authentication, just call ntlm_auth with username and password, etc. ? Regards, Tobias Hachmer