Is there a preferred method for doing EAP (from Wireless infrastructure) to Active Directory for authentication via FreeRADIUS? Or is there an alternative to EAP? It appears that NTLM is being deprecated and Samba is removing support in RedHat 5---- but NTLM seems to be the current recommended method. Thanks
On 23/11/10 15:43, JR Mayberry wrote:
Is there a preferred method for doing EAP (from Wireless infrastructure) to Active Directory for authentication via FreeRADIUS? Or is there an alternative to EAP?
Samba domain membership and callout to the "ntlm_auth" helper binary.
It appears that NTLM is being deprecated and Samba is removing support in RedHat 5
Based on what?
http://technet.microsoft.com/en-us/library/dd560653(WS.10).aspx microsoft appears to be making steps to kill NTLM as it isn't secure On Tue, 23 Nov 2010, Phil Mayers wrote:
On 23/11/10 15:43, JR Mayberry wrote:
Is there a preferred method for doing EAP (from Wireless infrastructure) to Active Directory for authentication via FreeRADIUS? Or is there an alternative to EAP?
Samba domain membership and callout to the "ntlm_auth" helper binary.
It appears that NTLM is being deprecated and Samba is removing support in RedHat 5
Based on what? - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
JR Mayberry wrote:
http://technet.microsoft.com/en-us/library/dd560653(WS.10).aspx
microsoft appears to be making steps to kill NTLM as it isn't secure
Read that as "people are using it in open source products". The security issues with NTLM are well known, and haven't changed in 10 years. The alternatives offered by Microsoft do *not* have the same functionality, which is why they are deprecating NTLM. You have a choice: run your network with less than perfect protocols, or use "perfect" protocols at 100x the cost. Given that this is the *Free*RADIUS list, I think most people here have made that choice. Alan DeKok.
On 11/24/2010 06:10 PM, JR Mayberry wrote:
http://technet.microsoft.com/en-us/library/dd560653(WS.10).aspx
microsoft appears to be making steps to kill NTLM as it isn't secure
It is important to distinguish between NTLM-the-wire-protocol, and ntlm_auth, the Samba helper binary, which actually calls a NetLogon RPC function call over an schannel-protected pipe (which may for example be encrypted using the Kerberos trust relationship between the Samba server and the domain controller) The former may (eventually) be deprecated, but FreeRadius/Samba/ntlm_auth don't use it. The latter is not going anywhere, I feel sure.
participants (3)
-
Alan DeKok -
JR Mayberry -
Phil Mayers