One way that I have solved this (mind you, it's a still developing project) is to use the proxy capabilities of Freeradius to authenticate to AD by enabling radius on the AD. You do lose some of the caching capabilities as defined within the eap.conf file. It does appear that by proxying to the AD servers, the AD server is where the encrypted tunnel for the user/pass are terminated (please please please, correct me if I am wrong). We have the same end/server auth cert on the AD servers that are authenticating radius as the servers that are using ntlm_auth and are the terminating point for that authentication and they seem to process the authentications without client confusion. Seems to work well for me. We only proxy the authN and then do the rest of the processing on the freeradius server (since there is some custom voodoo to support our scheme of wireless VLAN assignment at Georgia Tech). I also find that the proxy failover (and be SURE to read the config files for proxy about different methods of failover and round robin) are better than the round-robin/failover possibilities within the Samba configuration (smb.conf). - John Douglass Sr. Systems Architect Georgia Institute of Technology On 04/09/2014 11:48 AM, Alan DeKok wrote:
John McCarthy wrote:
Thanks for your guys work on the FreeRADIUS project. It works really well and was easy to setup and understand. I'm glad you agree. Not everyone has that opinion. :)
But for PCI compliance, they require that we not use NTLMv1, they require us to use NTLMv2. Is there any way to get FreeRADIUS to work with NTLMv2 (or a more secure protocol for PCI compliance's sake)? The protocols used make it impossible.
The only way to avoid NTLMv1 is to run FreeRADIUS on the Active Directory machine. Unfortunately, we don't have a Windows port.
I have found the post below that basically says it isn't possible. Maybe you can use a flag to tell the Active Directory Domain Controller that the traffic is NTLMv2...but that sounded pretty sketchy to me. Does anyone else have any ideas? Tell the PCI compliance people that their requirements are impossible in practice, due to Microsoft's implementation of Active Directory.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html