NTLMv1 security issue
Good morning, I'm trying to set up a FreeRADIUS server for authentication against Active Directory. I followed the guide on deployingradius.com. In order to make everything work I have to set “ntlm auth = yes” in my smb.conf. This should enable NTLMv1 protocol that is well known to be broken. I also know that there is the possibility to set “ntlm auth = mschapv2-and-ntlmv2-only” but that’s not supported on my currently running SAMBA version. So these are my questions: - What are the risks that I’m taking if I leave “ntlm auth = yes” on my SAMBA server? - How can I avoid “ntlm auth = yes” without upgrading SAMBA? - If I decide to upgrade SAMBA and set “ntlm auth = mschapv2-and-ntlmv2-only” can I rest easy or I’m still being vulnerable in some way? Thank you for your attention, have a great day. Best regards
On Jan 18, 2019, at 4:52 AM, Roberto Ricci <robertoricci1@msn.com> wrote:
I'm trying to set up a FreeRADIUS server for authentication against Active Directory. I followed the guide on deployingradius.com. In order to make everything work I have to set “ntlm auth = yes” in my smb.conf. This should enable NTLMv1 protocol that is well known to be broken. I also know that there is the possibility to set “ntlm auth = mschapv2-and-ntlmv2-only” but that’s not supported on my currently running SAMBA version. So these are my questions: - What are the risks that I’m taking if I leave “ntlm auth = yes” on my SAMBA server?
People can use ntlm_auth to talk to Samba. ntlm_auth is insecure, so it's best to avoid it if you can.
- How can I avoid “ntlm auth = yes” without upgrading SAMBA?
Use one Samba server for "public" access. i.e. people in your local network. Use a different Samba server for FreeRADIUS. And lock the second one down so that it only talks to the first Samba server && FreeRADIUS.
- If I decide to upgrade SAMBA and set “ntlm auth = mschapv2-and-ntlmv2-only” can I rest easy or I’m still being vulnerable in some way?
It's a little better, but plain MS-CHAPv2 is still somewhat insecure. Alan DeKok.
Thank you for your help Alan. What I’m trying to achieve is to let people connect to the WIFI network with credentials stored in our AD. The new SAMBA server for “public” access is a good idea and seems to be the only way to achieve my goal in a reasonable secure and clean way. Can you confirm this last sentence? Is this the only way to do WIFI access with AD in a secure and clean way? Are there other possibilities to do this? I read about TTLS/PAP and EAP-TLS but I know that there are compatibility problems with some devices (e.g. Windows not supporting natively and iOS incompatibilities). Thank you for your attention. Best regards
Il giorno 18 gen 2019, alle ore 15:17, Alan DeKok <aland@deployingradius.com> ha scritto:
On Jan 18, 2019, at 4:52 AM, Roberto Ricci <robertoricci1@msn.com> wrote:
I'm trying to set up a FreeRADIUS server for authentication against Active Directory. I followed the guide on deployingradius.com. In order to make everything work I have to set “ntlm auth = yes” in my smb.conf. This should enable NTLMv1 protocol that is well known to be broken. I also know that there is the possibility to set “ntlm auth = mschapv2-and-ntlmv2-only” but that’s not supported on my currently running SAMBA version. So these are my questions: - What are the risks that I’m taking if I leave “ntlm auth = yes” on my SAMBA server?
People can use ntlm_auth to talk to Samba. ntlm_auth is insecure, so it's best to avoid it if you can.
- How can I avoid “ntlm auth = yes” without upgrading SAMBA?
Use one Samba server for "public" access. i.e. people in your local network. Use a different Samba server for FreeRADIUS. And lock the second one down so that it only talks to the first Samba server && FreeRADIUS.
- If I decide to upgrade SAMBA and set “ntlm auth = mschapv2-and-ntlmv2-only” can I rest easy or I’m still being vulnerable in some way?
It's a little better, but plain MS-CHAPv2 is still somewhat insecure.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Jan 21, 2019, at 7:59 AM, Roberto Ricci <robertoricci1@msn.com> wrote:
What I’m trying to achieve is to let people connect to the WIFI network with credentials stored in our AD. The new SAMBA server for “public” access is a good idea and seems to be the only way to achieve my goal in a reasonable secure and clean way. Can you confirm this last sentence?
That's what I said. I'm not sure why reconfirming it helps.
Is this the only way to do WIFI access with AD in a secure and clean way? Are there other possibilities to do this?
<sigh> We recommend the best way, or sometimes the ONLY way of doing things. If you don't like the answers you get on this list, use Google. Asking the same question repeatedly comes across like you think we're either lying, or you that don't trust us. It's unfriendly. Alan DeKok.
Il giorno 21 gen 2019, alle ore 14:25, Alan DeKok <aland@deployingradius.com> ha scritto:
On Jan 21, 2019, at 7:59 AM, Roberto Ricci <robertoricci1@msn.com> wrote:
What I’m trying to achieve is to let people connect to the WIFI network with credentials stored in our AD. The new SAMBA server for “public” access is a good idea and seems to be the only way to achieve my goal in a reasonable secure and clean way. Can you confirm this last sentence?
That's what I said. I'm not sure why reconfirming it helps.
Is this the only way to do WIFI access with AD in a secure and clean way? Are there other possibilities to do this?
<sigh> We recommend the best way, or sometimes the ONLY way of doing things. If you don't like the answers you get on this list, use Google.
Asking the same question repeatedly comes across like you think we're either lying, or you that don't trust us. It's unfriendly.
Alan DeKok.
I don’t want to be unfriendly and I trust you. I appreciate your help. In my first message I explained that “I’m trying to set up a FreeRADIUS server for authentication against Active Directory”. In my last message I wanted to explain in a better way what I’m trying to do so I said “What I’m trying to achieve is to let people connect to the WIFI network with credentials stored in our AD”. It’s not the same question. So, I explained my real problem and I want to be sure that I’m doing it the right way.
On Jan 21, 2019, at 9:57 AM, Roberto Ricci <robertoricci1@msn.com> wrote:
I don’t want to be unfriendly and I trust you. I appreciate your help. In my first message I explained that “I’m trying to set up a FreeRADIUS server for authentication against Active Directory”. In my last message I wanted to explain in a better way what I’m trying to do so I said “What I’m trying to achieve is to let people connect to the WIFI network with credentials stored in our AD”. It’s not the same question.
Well, it is the same question. Because as soon as you say "Active Directory", there's really only one way to use it. And this should be a hint that asking the *right* question at the start is the preferred approach. Alan DeKok.
Il giorno 21 gen 2019, alle ore 16:22, Alan DeKok <aland@deployingradius.com> ha scritto:
On Jan 21, 2019, at 9:57 AM, Roberto Ricci <robertoricci1@msn.com> wrote:
I don’t want to be unfriendly and I trust you. I appreciate your help. In my first message I explained that “I’m trying to set up a FreeRADIUS server for authentication against Active Directory”. In my last message I wanted to explain in a better way what I’m trying to do so I said “What I’m trying to achieve is to let people connect to the WIFI network with credentials stored in our AD”. It’s not the same question.
Well, it is the same question. Because as soon as you say "Active Directory", there's really only one way to use it.
And this should be a hint that asking the *right* question at the start is the preferred approach.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
So the answer to my second question is “As soon as you say “Active Directory”, there’s really only one way to use it.”. That’s what I wanted from the second question. It was so simple. The two questions were not the same, now I have a new information. Thank you for your help, I appreciate it. Have a nice day.
From the top of my head I can't think of any common platforms that do EAP (WPA/WPA2 enterprise or 802.1X ) and can't do EAP-TLS
alan On Mon, 21 Jan 2019, 12:59 Roberto Ricci <robertoricci1@msn.com wrote:
Thank you for your help Alan. What I’m trying to achieve is to let people connect to the WIFI network with credentials stored in our AD. The new SAMBA server for “public” access is a good idea and seems to be the only way to achieve my goal in a reasonable secure and clean way. Can you confirm this last sentence? Is this the only way to do WIFI access with AD in a secure and clean way? Are there other possibilities to do this? I read about TTLS/PAP and EAP-TLS but I know that there are compatibility problems with some devices (e.g. Windows not supporting natively and iOS incompatibilities). Thank you for your attention.
Best regards
Il giorno 18 gen 2019, alle ore 15:17, Alan DeKok < aland@deployingradius.com> ha scritto:
On Jan 18, 2019, at 4:52 AM, Roberto Ricci <robertoricci1@msn.com> wrote:
I'm trying to set up a FreeRADIUS server for authentication against
Active Directory. I followed the guide on deployingradius.com. In order to make everything work I have to set “ntlm auth = yes” in my smb.conf. This should enable NTLMv1 protocol that is well known to be broken. I also know that there is the possibility to set “ntlm auth = mschapv2-and-ntlmv2-only” but that’s not supported on my currently running SAMBA version. So these are my questions:
- What are the risks that I’m taking if I leave “ntlm auth = yes” on my SAMBA server?
People can use ntlm_auth to talk to Samba. ntlm_auth is insecure, so it's best to avoid it if you can.
- How can I avoid “ntlm auth = yes” without upgrading SAMBA?
Use one Samba server for "public" access. i.e. people in your local network. Use a different Samba server for FreeRADIUS. And lock the second one down so that it only talks to the first Samba server && FreeRADIUS.
- If I decide to upgrade SAMBA and set “ntlm auth = mschapv2-and-ntlmv2-only” can I rest easy or I’m still being vulnerable in some way?
It's a little better, but plain MS-CHAPv2 is still somewhat insecure.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Thank you Alan. http://freeradius.1045715.n5.nabble.com/NTLMv2-with-FreeRADIUS-td5726394i20.html On this page, on the third post, Matthew Newton says: "With EAP-TLS you might also have problems getting iPads and similar mobile devices on entirely and many just won't do EAP-TLS, so you're probably laptops only in the majority of cases.”. I googled this and found confirms. That’s why I said that EAP-TLS could have some compatibility issues. Is that wrong? Have a nice day. > Il giorno 21 gen 2019, alle ore 20:27, Alan Buxey <alan.buxey@gmail.com> ha scritto: > > From the top of my head I can't think of any common platforms that do EAP > (WPA/WPA2 enterprise or 802.1X ) and can't do EAP-TLS > > alan > > On Mon, 21 Jan 2019, 12:59 Roberto Ricci <robertoricci1@msn.com wrote: > >> Thank you for your help Alan. >> What I’m trying to achieve is to let people connect to the WIFI network >> with credentials stored in our AD. The new SAMBA server for “public” access >> is a good idea and seems to be the only way to achieve my goal in a >> reasonable secure and clean way. Can you confirm this last sentence? Is >> this the only way to do WIFI access with AD in a secure and clean way? Are >> there other possibilities to do this? I read about TTLS/PAP and EAP-TLS but >> I know that there are compatibility problems with some devices (e.g. >> Windows not supporting natively and iOS incompatibilities). >> Thank you for your attention. >> >> Best regards >> >>> Il giorno 18 gen 2019, alle ore 15:17, Alan DeKok < >> aland@deployingradius.com> ha scritto: >>> >>> On Jan 18, 2019, at 4:52 AM, Roberto Ricci <robertoricci1@msn.com> >> wrote: >>>> >>>> I'm trying to set up a FreeRADIUS server for authentication against >> Active Directory. I followed the guide on deployingradius.com. In order >> to make everything work I have to set “ntlm auth = yes” in my smb.conf. >> This should enable NTLMv1 protocol that is well known to be broken. I also >> know that there is the possibility to set “ntlm auth = >> mschapv2-and-ntlmv2-only” but that’s not supported on my currently running >> SAMBA version. So these are my questions: >>>> - What are the risks that I’m taking if I leave “ntlm auth = yes” on my >> SAMBA server? >>> >>> People can use ntlm_auth to talk to Samba. ntlm_auth is insecure, so >> it's best to avoid it if you can. >>> >>>> - How can I avoid “ntlm auth = yes” without upgrading SAMBA? >>> >>> Use one Samba server for "public" access. i.e. people in your local >> network. Use a different Samba server for FreeRADIUS. And lock the second >> one down so that it only talks to the first Samba server && FreeRADIUS. >>> >>>> - If I decide to upgrade SAMBA and set “ntlm auth = >> mschapv2-and-ntlmv2-only” can I rest easy or I’m still being vulnerable in >> some way? >>> >>> It's a little better, but plain MS-CHAPv2 is still somewhat insecure. >>> >>> Alan DeKok. >>> >>> >>> - >>> List info/subscribe/unsubscribe? See >> http://www.freeradius.org/list/users.html >> >> >> - >> List info/subscribe/unsubscribe? See >> http://www.freeradius.org/list/users.html > - > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On 21 January 2019 21:26:43 GMT, Roberto Ricci <robertoricci1@msn.com> wrote:
http://freeradius.1045715.n5.nabble.com/NTLMv2-with-FreeRADIUS-td5726394i20.... On this page, on the third post, Matthew Newton says: "With EAP-TLS you might also have problems getting iPads and similar mobile devices on entirely and many just won't do EAP-TLS, so you're probably laptops only in the majority of cases.”. I googled this and found confirms.
a) A lot changes in four years; and b) read the whole paragraph.
That’s why I said that EAP-TLS could have some compatibility issues. Is that wrong?
Yes. -- Matthew
On Mon, 2019-01-21 at 22:41 +0000, Roberto Ricci wrote:
b) read the whole paragraph.
I read the whole paragraph but I was interested in the compatibility thing. Can you explain what is the other part of the paragraph that speaks about compatibility please?
It's a summary of using EAP-TLS as a whole. Whatever you are doing to manage your system needs to be able to cope with all the cert management. If you can't easily do that, then you're going to have a hard time with EAP-TLS. Lots of devices couldn't support EAP-TLS *four years* ago. A lot has changed since then. Which is why the second part of that is a lot less relevant today, thankfully. -- Matthew
participants (4)
-
Alan Buxey -
Alan DeKok -
Matthew Newton -
Roberto Ricci