21 Jan
2019
21 Jan
'19
4:26 p.m.
Thank you Alan. http://freeradius.1045715.n5.nabble.com/NTLMv2-with-FreeRADIUS-td5726394i20.html On this page, on the third post, Matthew Newton says: "With EAP-TLS you might also have problems getting iPads and similar mobile devices on entirely and many just won't do EAP-TLS, so you're probably laptops only in the majority of cases.”. I googled this and found confirms. That’s why I said that EAP-TLS could have some compatibility issues. Is that wrong? Have a nice day. > Il giorno 21 gen 2019, alle ore 20:27, Alan Buxey <alan.buxey@gmail.com> ha scritto: > > From the top of my head I can't think of any common platforms that do EAP > (WPA/WPA2 enterprise or 802.1X ) and can't do EAP-TLS > > alan > > On Mon, 21 Jan 2019, 12:59 Roberto Ricci <robertoricci1@msn.com wrote: > >> Thank you for your help Alan. >> What I’m trying to achieve is to let people connect to the WIFI network >> with credentials stored in our AD. The new SAMBA server for “public” access >> is a good idea and seems to be the only way to achieve my goal in a >> reasonable secure and clean way. Can you confirm this last sentence? Is >> this the only way to do WIFI access with AD in a secure and clean way? Are >> there other possibilities to do this? I read about TTLS/PAP and EAP-TLS but >> I know that there are compatibility problems with some devices (e.g. >> Windows not supporting natively and iOS incompatibilities). >> Thank you for your attention. >> >> Best regards >> >>> Il giorno 18 gen 2019, alle ore 15:17, Alan DeKok < >> aland@deployingradius.com> ha scritto: >>> >>> On Jan 18, 2019, at 4:52 AM, Roberto Ricci <robertoricci1@msn.com> >> wrote: >>>> >>>> I'm trying to set up a FreeRADIUS server for authentication against >> Active Directory. I followed the guide on deployingradius.com. In order >> to make everything work I have to set “ntlm auth = yes” in my smb.conf. >> This should enable NTLMv1 protocol that is well known to be broken. I also >> know that there is the possibility to set “ntlm auth = >> mschapv2-and-ntlmv2-only” but that’s not supported on my currently running >> SAMBA version. So these are my questions: >>>> - What are the risks that I’m taking if I leave “ntlm auth = yes” on my >> SAMBA server? >>> >>> People can use ntlm_auth to talk to Samba. ntlm_auth is insecure, so >> it's best to avoid it if you can. >>> >>>> - How can I avoid “ntlm auth = yes” without upgrading SAMBA? >>> >>> Use one Samba server for "public" access. i.e. people in your local >> network. Use a different Samba server for FreeRADIUS. And lock the second >> one down so that it only talks to the first Samba server && FreeRADIUS. >>> >>>> - If I decide to upgrade SAMBA and set “ntlm auth = >> mschapv2-and-ntlmv2-only” can I rest easy or I’m still being vulnerable in >> some way? >>> >>> It's a little better, but plain MS-CHAPv2 is still somewhat insecure. >>> >>> Alan DeKok. >>> >>> >>> - >>> List info/subscribe/unsubscribe? See >> http://www.freeradius.org/list/users.html >> >> >> - >> List info/subscribe/unsubscribe? See >> http://www.freeradius.org/list/users.html > - > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html