On Nov 15, 2021, at 8:46 AM, Boyd, Christopher <cboyd@utsystem.edu> wrote:
We're looking at this as well, but NTLM auth has been turned off in our environment.
Then MS-CHAP / PEAP-MSCHAP is impossible. This kind of thing often comes from an absolutist view of security. "We can't do X, because it's insecure!". Ok then, that means many other things are now impossible to do. Things which you want to have. You've got to have an informed trade-off for security. Figure out what you want (everything you want), and then pick the most secure option. In this case, you could probably set up a Samba replica for AD, turn on ntlm_auth there, and then allow only the FreeRADIUS machine to access it. That gets you 100% of the functionality, with 99.9% of the security.
There's this page that describes how to do auth with Kerberos, which may work, but I have not had a chance to test it yet. https://www.anyroam.net/node/90
I really hate third-party sites which give bad advice. Don't use Kerberos. It's not necessary. From the article: "you need to properly setup TTLS with PAP authentication since Kerberos authentication will only work with this pairing of EAP methods" Uh... why not just use LDAP then? FreeRADIUS can do LDAP "bind as user" to AD. It will work. Alan DeKok.