On 09/04/14 17:55, Tobias Hachmer wrote:
Maybe I didn't get it but why FR could not authenticate users against MS AD via ntlm_auth?
You've misunderstood the problem. The issue is that the MSCHAPv2 bit of PEAP - the inner auth - needs NTLMv1 to be enabled. This is because you can turn MSCHAPv2 into an NTLMv1 exchange with a trivial rearrangement. FreeRADIUS *does* check MSCHAPv2 this way. NTLMv2 is however a completely different protocol. EAP clients don't speak it, so it's irrelevant whether Samba supports it. And there's no way to transform MSCHAPv2 into NTLMv2. So, you can't check MSCHAPv2 against an NTLMv2-only DC. As I noted in the thread originally linked to by the OP, there's a magic flag which Samba would need to implement which allows NTLMv1 over the netlogon RPC pipe even when it's disabled everywhere else. This is how Microsoft NPS manages it. Samba doesn't implement that, so no - you can't check MSCHAPv2 against an NTLMv2-only DC with Samba.