On Wednesday 09 April 2014 11:48:00 Alan DeKok wrote:
But for PCI compliance, they require that we not use NTLMv1, they require us to use NTLMv2. Is there any way to get FreeRADIUS to work with NTLMv2 (or a more secure protocol for PCI compliance's sake)?
The protocols used make it impossible.
The only way to avoid NTLMv1 is to run FreeRADIUS on the Active Directory machine. Unfortunately, we don't have a Windows port.
The man page of smb.conf says that there's a global option "client NTLMv2 auth", see http://www.samba.org/samba/docs/man/manpages-3/smb.conf.5.html. So, I assume samba (smbclient) supports ntlmv2. Also the man page of ntlm_auth says: ---snippet--- --nt-response=RESPONSE NT or NTLMv2 Response to the challenge (in HEXADECIMAL) ---snippet--- https://www.samba.org/samba/docs/man/manpages/ntlm_auth.1.html Maybe I didn't get it but why FR could not authenticate users against MS AD via ntlm_auth? Regards, Tobias Hachmer