FreeRADIUS Authentication with AD Without Joining AD
Hi! I'm trying to use FreeRADIUS with an Active Directory Server. I've read the documentations but the server that FreeRADIUS runs has to join the Active Directory as a client. Is there any way to authenticate users with AD without joining the AD server? P.S.: I'm using MSCHAP protocol.
On May 24, 2021, at 7:58 AM, Vertigo Altair <vertigo.altair@gmail.com> wrote:
I'm trying to use FreeRADIUS with an Active Directory Server. I've read the documentations but the server that FreeRADIUS runs has to join the Active Directory as a client.
Is there any way to authenticate users with AD without joining the AD server?
No.
P.S.: I'm using MSCHAP protocol.
Doubly no. If FreeRADIUS gets User-Password, then it can just do an LDAP "bind as user" to Active Directory. But for MS-CHAP, it is *required* to use Samba. Alan DeKok.
Thanks for replying.. If I understand correctly, firstly I have to use Samba and join the AD, and after that use ntlm_auth for user authentication, right? Thank you for your time. On Mon, 24 May 2021 at 15:04, Alan DeKok <aland@deployingradius.com> wrote:
On May 24, 2021, at 7:58 AM, Vertigo Altair <vertigo.altair@gmail.com> wrote:
I'm trying to use FreeRADIUS with an Active Directory Server. I've read
the
documentations but the server that FreeRADIUS runs has to join the Active Directory as a client.
Is there any way to authenticate users with AD without joining the AD server?
No.
P.S.: I'm using MSCHAP protocol.
Doubly no.
If FreeRADIUS gets User-Password, then it can just do an LDAP "bind as user" to Active Directory.
But for MS-CHAP, it is *required* to use Samba.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On May 24, 2021, at 8:17 AM, Vertigo Altair <vertigo.altair@gmail.com> wrote:
If I understand correctly, firstly I have to use Samba and join the AD, and after that use ntlm_auth for user authentication, right?
That is what all of the documentation says. Please just try following the documentation. It will work. Alan DeKok.
On 24.05.21 14:17, Vertigo Altair wrote:
Thanks for replying..
If I understand correctly, firstly I have to use Samba and join the AD, and after that use ntlm_auth for user authentication, right?
Thank you for your time.
On Mon, 24 May 2021 at 15:04, Alan DeKok <aland@deployingradius.com> wrote:
On May 24, 2021, at 7:58 AM, Vertigo Altair <vertigo.altair@gmail.com> wrote:
I'm trying to use FreeRADIUS with an Active Directory Server. I've read the documentations but the server that FreeRADIUS runs has to join the Active Directory as a client.
Is there any way to authenticate users with AD without joining the AD server?
See: https://wiki.freeradius.org/guide/FreeRADIUS-Active-Directory-Integration-HO... That is the documentation how to use AD backend from FreeRADIUS. Mit freundlichen Grüßen, -- [*] sys4 AG https://sys4.de, +49 (89) 30 90 46 64 Schleißheimer Straße 26/MG,80333 München Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263 Vorstand: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief Aufsichtsratsvorsitzender: Florian Kirstein
Am 24.05.21 um 13:58 schrieb Vertigo Altair:
Is there any way to authenticate users with AD without joining the AD server? There is a workaround, but it is not at all simple, and does have security caveats of its own. Technically, what _any_ MS-CHAP(v2) auth server needs ist the NTLM Hash of the password. This is what is usually stored in a table inside the domain controller an used during authentication. If you can put this data somewhere else (e.g.) in an LDAP Server, FR can pull it from there and do the MS-CHAP calculations autonomously.
BUT: Caveat #1: The NTLM Hashes are about the weakest kind of password hashes I know of. In the above scenario, this the storage serve MUST hand out the hash to FR, e.g. in LDAP ist MUST be readable as a normal attribute. Contrast this to auth'ing against LDAP with e.g. EAP/TTLS-PAP. Here, the password - is hashed with a modern algorithm, currently considered almost uncrackable when stolen. - never leaves the LDAP server. Rather, FR does a bind-as-user with the PAP-transmitted cleartext password, effectively using LDAP as an authentiation oracle. If someone steals the NTLM hashes, consider your passwords gone and open. Caveat #2: - Assuming you do not want to give up your AD, you will need some way to permanently synchronize these hashes. if you have e.g. a self-service web frontend for password changes. The cleartext password provided by the user has to be processed to NTLM hash (and perhaps others, better ones) and pushed to the AD domain and LDAP. Martin -- Dr. Martin Pauly Phone: +49-6421-28-23527 HRZ Univ. Marburg Fax: +49-6421-28-26994 Hans-Meerwein-Str. E-Mail: pauly@HRZ.Uni-Marburg.DE D-35032 Marburg
participants (4)
-
Alan DeKok -
Martin Pauly -
Michael Schwartzkopff -
Vertigo Altair