On 27/05/11 16:59, Gary Gatten wrote:
Can one not "override" the ... not sure what it would be called... Example; if I tell FR to use NTLM_AUTH to authenticate a request against AD, and AD returns a "reject", can I not override the reject with and accept using "update control" or some similar function?
It depends. If you're using ntlm_auth to do MSCHAP, then no. The MS-CHAPv2 reply adds a final response, that proves to the *client* that the *server* is valid. The authentication flow is as follows: nas -> client: challenge client -> nas: response nas -> radius: challenge, response radius -> nas: final response nas -> client: final response ...the client checks that the final response is valid against the challenge and response, as well as it's own password, using crypto. The protocol is *designed* to stop this kind of interference. Now, a buggy client might ignore the final response, but that is a big security hole - it means you can man-in-the-middle the MSCHAP - and as far as I'm aware, all MSCHAP clients (including EAP-PEAP with EAP-MSCHAP inner, and EAP-TTLS with EAP-MSCHAP inner) check this. You can of course just "accept" PAP requests, so if you're doing EAP-TTLS with PAP inner, you can force accept - but you must do it at the *inner* auth. The outer TTLS still needs to be allowed to flow to completion unhindered.