On Wed, Apr 09, 2014 at 09:33:02AM -0400, John McCarthy wrote:
But for PCI compliance, they require that we not use NTLMv1, they require us to use NTLMv2. Is there any way to get FreeRADIUS to work with NTLMv2
Not possible. But the MS-CHAP/NTLMv1 is inside a PEAP tunnel, so TLS encrypted over the air/wire anyway.
(or a more secure protocol for PCI compliance's sake)?
Depending on the client supplicant maybe EAP-TLS, but that's per-machine auth, not per-user, so may not match your requirements.
I have found the post below that basically says it isn't possible. Maybe you can use a flag to tell the Active Directory Domain Controller that the traffic is NTLMv2...but that sounded pretty sketchy to me. Does anyone else have any ideas?
Tell them to research what's actually viable before placing impossible demands. But then this is PCI, so you're probably stuffed before you even start. Cheers, Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>