Thanks for your guys work on the FreeRADIUS project. It works really well and was easy to setup and understand. I have a FreeRADIUS version 3.0.2 server that is used to with a Ubiquiti UAP-PRO access point using WPA2-Enterprise to authenticate Active Directory using PEAP. Everything works great and it authenticates users correctly. But for PCI compliance, they require that we not use NTLMv1, they require us to use NTLMv2. Is there any way to get FreeRADIUS to work with NTLMv2 (or a more secure protocol for PCI compliance's sake)? I have found the post below that basically says it isn't possible. Maybe you can use a flag to tell the Active Directory Domain Controller that the traffic is NTLMv2...but that sounded pretty sketchy to me. Does anyone else have any ideas? Thanks for your help! http://freeradius.1045715.n5.nabble.com/definitive-info-on-authenticating-to...
On Wed, Apr 09, 2014 at 09:33:02AM -0400, John McCarthy wrote:
But for PCI compliance, they require that we not use NTLMv1, they require us to use NTLMv2. Is there any way to get FreeRADIUS to work with NTLMv2
Not possible. But the MS-CHAP/NTLMv1 is inside a PEAP tunnel, so TLS encrypted over the air/wire anyway.
(or a more secure protocol for PCI compliance's sake)?
Depending on the client supplicant maybe EAP-TLS, but that's per-machine auth, not per-user, so may not match your requirements.
I have found the post below that basically says it isn't possible. Maybe you can use a flag to tell the Active Directory Domain Controller that the traffic is NTLMv2...but that sounded pretty sketchy to me. Does anyone else have any ideas?
Tell them to research what's actually viable before placing impossible demands. But then this is PCI, so you're probably stuffed before you even start. Cheers, Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
On 09/04/14 14:33, John McCarthy wrote:
Thanks for your guys work on the FreeRADIUS project. It works really well and was easy to setup and understand.
I have a FreeRADIUS version 3.0.2 server that is used to with a Ubiquiti UAP-PRO access point using WPA2-Enterprise to authenticate Active Directory using PEAP. Everything works great and it authenticates users correctly.
But for PCI compliance, they require that we not use NTLMv1, they require us to use NTLMv2. Is there any way to get FreeRADIUS to work with NTLMv2 (or a more secure protocol for PCI compliance's sake)?
I have found the post below that basically says it isn't possible. Maybe
That info is still current. If you re-read the thread, it should be clear, in particular my last couple of posts. As far as I'm aware, Samba still doesn't set MSV1_0_ALLOW_MSVCHAPV2, so can't execute NTLMv1 against an NTLMv2 controller.
John McCarthy wrote:
Thanks for your guys work on the FreeRADIUS project. It works really well and was easy to setup and understand.
I'm glad you agree. Not everyone has that opinion. :)
But for PCI compliance, they require that we not use NTLMv1, they require us to use NTLMv2. Is there any way to get FreeRADIUS to work with NTLMv2 (or a more secure protocol for PCI compliance's sake)?
The protocols used make it impossible. The only way to avoid NTLMv1 is to run FreeRADIUS on the Active Directory machine. Unfortunately, we don't have a Windows port.
I have found the post below that basically says it isn't possible. Maybe you can use a flag to tell the Active Directory Domain Controller that the traffic is NTLMv2...but that sounded pretty sketchy to me. Does anyone else have any ideas?
Tell the PCI compliance people that their requirements are impossible in practice, due to Microsoft's implementation of Active Directory. Alan DeKok.
One way that I have solved this (mind you, it's a still developing project) is to use the proxy capabilities of Freeradius to authenticate to AD by enabling radius on the AD. You do lose some of the caching capabilities as defined within the eap.conf file. It does appear that by proxying to the AD servers, the AD server is where the encrypted tunnel for the user/pass are terminated (please please please, correct me if I am wrong). We have the same end/server auth cert on the AD servers that are authenticating radius as the servers that are using ntlm_auth and are the terminating point for that authentication and they seem to process the authentications without client confusion. Seems to work well for me. We only proxy the authN and then do the rest of the processing on the freeradius server (since there is some custom voodoo to support our scheme of wireless VLAN assignment at Georgia Tech). I also find that the proxy failover (and be SURE to read the config files for proxy about different methods of failover and round robin) are better than the round-robin/failover possibilities within the Samba configuration (smb.conf). - John Douglass Sr. Systems Architect Georgia Institute of Technology On 04/09/2014 11:48 AM, Alan DeKok wrote:
John McCarthy wrote:
Thanks for your guys work on the FreeRADIUS project. It works really well and was easy to setup and understand. I'm glad you agree. Not everyone has that opinion. :)
But for PCI compliance, they require that we not use NTLMv1, they require us to use NTLMv2. Is there any way to get FreeRADIUS to work with NTLMv2 (or a more secure protocol for PCI compliance's sake)? The protocols used make it impossible.
The only way to avoid NTLMv1 is to run FreeRADIUS on the Active Directory machine. Unfortunately, we don't have a Windows port.
I have found the post below that basically says it isn't possible. Maybe you can use a flag to tell the Active Directory Domain Controller that the traffic is NTLMv2...but that sounded pretty sketchy to me. Does anyone else have any ideas? Tell the PCI compliance people that their requirements are impossible in practice, due to Microsoft's implementation of Active Directory.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Wednesday 09 April 2014 11:48:00 Alan DeKok wrote:
But for PCI compliance, they require that we not use NTLMv1, they require us to use NTLMv2. Is there any way to get FreeRADIUS to work with NTLMv2 (or a more secure protocol for PCI compliance's sake)?
The protocols used make it impossible.
The only way to avoid NTLMv1 is to run FreeRADIUS on the Active Directory machine. Unfortunately, we don't have a Windows port.
The man page of smb.conf says that there's a global option "client NTLMv2 auth", see http://www.samba.org/samba/docs/man/manpages-3/smb.conf.5.html. So, I assume samba (smbclient) supports ntlmv2. Also the man page of ntlm_auth says: ---snippet--- --nt-response=RESPONSE NT or NTLMv2 Response to the challenge (in HEXADECIMAL) ---snippet--- https://www.samba.org/samba/docs/man/manpages/ntlm_auth.1.html Maybe I didn't get it but why FR could not authenticate users against MS AD via ntlm_auth? Regards, Tobias Hachmer
On 09/04/14 17:55, Tobias Hachmer wrote:
Maybe I didn't get it but why FR could not authenticate users against MS AD via ntlm_auth?
You've misunderstood the problem. The issue is that the MSCHAPv2 bit of PEAP - the inner auth - needs NTLMv1 to be enabled. This is because you can turn MSCHAPv2 into an NTLMv1 exchange with a trivial rearrangement. FreeRADIUS *does* check MSCHAPv2 this way. NTLMv2 is however a completely different protocol. EAP clients don't speak it, so it's irrelevant whether Samba supports it. And there's no way to transform MSCHAPv2 into NTLMv2. So, you can't check MSCHAPv2 against an NTLMv2-only DC. As I noted in the thread originally linked to by the OP, there's a magic flag which Samba would need to implement which allows NTLMv1 over the netlogon RPC pipe even when it's disabled everywhere else. This is how Microsoft NPS manages it. Samba doesn't implement that, so no - you can't check MSCHAPv2 against an NTLMv2-only DC with Samba.
On Wednesday 09 April 2014 18:46:19 Phil Mayers wrote:
On 09/04/14 17:55, Tobias Hachmer wrote:
Maybe I didn't get it but why FR could not authenticate users against MS AD via ntlm_auth?
You've misunderstood the problem.
The issue is that the MSCHAPv2 bit of PEAP - the inner auth - needs NTLMv1 to be enabled. This is because you can turn MSCHAPv2 into an NTLMv1 exchange with a trivial rearrangement.
FreeRADIUS *does* check MSCHAPv2 this way.
NTLMv2 is however a completely different protocol. EAP clients don't speak it, so it's irrelevant whether Samba supports it. And there's no way to transform MSCHAPv2 into NTLMv2. So, you can't check MSCHAPv2 against an NTLMv2-only DC.
Ok, it isn't working with mschapv2. But ntlmv2 would work using PAP authentication, just call ntlm_auth with username and password, etc. ? Regards, Tobias Hachmer
On 09/04/14 18:56, Tobias Hachmer wrote:
Ok, it isn't working with mschapv2. But ntlmv2 would work using PAP authentication, just call ntlm_auth with username and password, etc. ?
Sure. But that's not remarkable - PAP is easy to authenticate via any service that takes a username & password.
participants (6)
-
Alan DeKok -
John Douglass -
John McCarthy -
Matthew Newton -
Phil Mayers -
Tobias Hachmer