On 11/11/2011 01:29 AM, Gary Gatten wrote:
I agree with Jake, in that I *think* it would be possible to have a plugin or whatever interface with LDAP/AD in the same manner ntlm_auth does. I don't think one *needs* a cleartext password, but
To quote from the other email I just sent: """ People wanting to do MSCHAP must have either: 1. The NT or LM hashes 2. The cleartext password, to generate the NT/LM hashes 3. Access to a system which will perform the MSCHAP crypto for them (i.e. a domain controller, access via samba/ntlm_auth) """ If you're talking about writing something that interfaces with Active Directory "in the same way" as ntlm_auth, you're essentially talking about writing a (presumably easier to setup/run than samba/ntlm_auth) program to do #3. However: I will note there's no evidence that the OP was using AD. He could have just been using a plain LDAP server.
does need some way to compare apples-to-apples. That said, I don't know the inner workings of all the auth protocols involved here so I could be way off. Something tells me if it were easy/possible, Mr. DeKok would have likely written the plugin by now.
As it happens, I do know the protocols and internal windows APIs, and did look into this a while back. It is *possible* but very tricky, and it's unclear to me it would be "easier" than samba/ntlm_auth. A few points: 1. You CANNOT access the required APIs remotely; you MUST be running as a local process on a windows domain controller. Thankfully there are other APIs which a domain member can call as an RPC which proxy to these APIs, but you need a domain machine account to call them (this is what Samba/ntlm_auth does) 2. The required APIs are very, very scantily documented 3. The required APIs ONLY permit you to perform the MSCHAP calculations; they don't give you access to any password hashes. So, basically you would end up with: 1. A C program, which you have to compile for windows, which calls the internal LSA APIs to perform an MSCHAP challenge/response 2. Which you then have to run on a windows server, which calls the RPC on your domain controllers (this is EXACTLY what Samba/ntlm_auth does) 3. Some kind of authentication to secure the FreeRADIUS -> program network comms I got about halfway through step 1 - the API calls were executing, but the call failed despite being passed a valid challenge/response. I assume there are some (more) undocumented API subtleties. Given the difficulties and awkwardness of the solution, I gave up and concluded people should just run Samba, or if they really can't tolerate that, run a dumb copy of IAS/NPS and proxy the MSCHAP/EAP-MSCHAP to that. Cheers, Phil