We will primarily be authenticating Windows 7 machines (and a handful of WIndows 8 machines). Other than that, there may be some iPhones, iPads and Android phones that will connected to this wireless AP. I was just wondering if there was a way to bypass having to use ntlm and use something more secure. I don't mind using certificates as long as it will bypass having to use ntlm.
From my understanding, using EAP-TLS, I can achieve not having to use ntlm, right?
On 09/04/14 18:25, John McCarthy wrote:
We will primarily be authenticating Windows 7 machines (and a handful of WIndows 8 machines).
Other than that, there may be some iPhones, iPads and Android phones that will connected to this wireless AP.
I was just wondering if there was a way to bypass having to use ntlm and use something more secure.
See: http://deployingradius.com/documents/protocols/compatibility.html And http://deployingradius.com/documents/protocols/oracles.html You have basically three options: 1. Use MSCHAP which needs NTLMv1. As per the thread you linked, it might be possible to do this if you patch Samba, even if you have disabled NTLMv1, using the magic flag noted in the thread. 2. Use TTLS/PAP, and check passwords via Kerberos/LDAP bind. 3. Use EAP-TLS and don't use passwords.
On 09/04/14 18:38, Phil Mayers wrote:
You have basically three options:
Actually technically speaking four: 4. Patch Samba to set the MSV1_0_ALLOW_MSVCHAPV2 flag as documented toward the end of this thread: http://freeradius.1045715.n5.nabble.com/definitive-info-on-authenticating-to...
participants (2)
-
John McCarthy -
Phil Mayers