ntlm_auth and FR
I 'm running PEAP authentication with my Radius server running on Ubuntu 22.04 and the same box also runs Samba 4 and is configured as an AD Domain Controller (just for testing). I want to use NTLM to do the MS-Chapv2 challenge response. I followed the Freeradius documentation that shows how to use ntlm_auth to get the NT-KEY and it works as expected when I invoke it like so from the bash shell # ntlm_auth --allow-mschapv2 --request-nt-key --domain=CN.LAN --username=nileadmin --challenge=eaea1458abf1a0b7 --nt-response=8f9ab8760a15cd40f2686c5a4c7954922ed17fb9f4cad7b3 Using the the NT-KEY the Radius server is able to complete the PEAP handshake with the client But what I really want is for the Radius server to run on a separate Linux host (say RadSrv) and talk to an external DC (like a Microsoft server). I've made RadSrv a member of the AD domain. When I run the exact same ntlm_auth on the RadSrv host, it reports that the password is incorrect and does not produce the NT-KEY. My question is whether using Samba it's even possible to do what I'm attempting. In other words should a domain member (not the DC) be able to run ntlm_auth and achieve the same result ? I can share smb.conf and other details on the DC and member if needed. Thanks Gopal Raman
On Jan 22, 2025, at 11:35 AM, Gopal Raman via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
I 'm running PEAP authentication with my Radius server running on Ubuntu 22.04 and the same box also runs Samba 4 and is configured as an AD Domain Controller (just for testing). I want to use NTLM to do the MS-Chapv2 challenge response. I followed the Freeradius documentation that shows how to use ntlm_auth to get the NT-KEY and it works as expected when I invoke it like so from the bash shell
That's good.
But what I really want is for the Radius server to run on a separate Linux host (say RadSrv) and talk to an external DC (like a Microsoft server).
You will need a Samba system to talk to AD. FreeRADIUS then talks to Samba. The Samba system doesn't need to be the same as the FreeRADIUS system.
I've made RadSrv a member of the AD domain. When I run the exact same ntlm_auth on the RadSrv host, it reports that the password is incorrect and does not produce the NT-KEY.
That's likely a Samba configuration issue.
My question is whether using Samba it's even possible to do what I'm attempting. In other words should a domain member (not the DC) be able to run ntlm_auth and achieve the same result ?
Yes. You need to configure Samba properly for this. Alan DeKok.
participants (2)
-
Alan DeKok -
Gopal Raman