On 09/04/14 13:38, Phil Mayers wrote:
1. Use MSCHAP which needs NTLMv1
http://wiki.freeradius.org/guide/FreeRADIUS-Active-Directory-Integration-HOW... in the picture here, is the NTLM traffic from the FreeRADIUS server to the Active Directory server encrypted? if not, can it be?
2. Use TTLS/PAP, and check passwords via Kerberos/LDAP bind.
Is this way recommended? the part about using PAP scares me. (Clear-text password in local configuration file (PAP)) - http://wiki.freeradius.org/glossary/Authentication
On 9 Apr 2014, at 20:04, John McCarthy <midactsmystery@gmail.com> wrote:
On 09/04/14 13:38, Phil Mayers wrote:
1. Use MSCHAP which needs NTLMv1
http://wiki.freeradius.org/guide/FreeRADIUS-Active-Directory-Integration-HOW...
in the picture here, is the NTLM traffic from the FreeRADIUS server to the Active Directory server encrypted? if not, can it be?
2. Use TTLS/PAP, and check passwords via Kerberos/LDAP bind.
Is this way recommended? the part about using PAP scares me. (Clear-text password in local configuration file (PAP)) - http://wiki.freeradius.org/glossary/Authentication
It's not in a local configuration file if it's being sent to an AD server. Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
On 9 Apr 2014, at 20:14, Arran Cudbard-Bell <a.cudbardb@freeradius.org> wrote:
On 9 Apr 2014, at 20:04, John McCarthy <midactsmystery@gmail.com> wrote:
On 09/04/14 13:38, Phil Mayers wrote:
1. Use MSCHAP which needs NTLMv1
http://wiki.freeradius.org/guide/FreeRADIUS-Active-Directory-Integration-HOW...
in the picture here, is the NTLM traffic from the FreeRADIUS server to the Active Directory server encrypted? if not, can it be?
2. Use TTLS/PAP, and check passwords via Kerberos/LDAP bind.
Is this way recommended? the part about using PAP scares me. (Clear-text password in local configuration file (PAP)) - http://wiki.freeradius.org/glossary/Authentication
It's not in a local configuration file if it's being sent to an AD server.
Hmm do you work for a *.edu? Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
On 09/04/2014 20:04, John McCarthy wrote:
On 09/04/14 13:38, Phil Mayers wrote:
1. Use MSCHAP which needs NTLMv1
http://wiki.freeradius.org/guide/FreeRADIUS-Active-Directory-Integration-HOW...
in the picture here, is the NTLM traffic from the FreeRADIUS server to the Active Directory server encrypted? if not, can it be?
That's up to Samba. The flow is: 1. FreeRADIUS calls ntlm_auth with the MSCHAP challenge/response 2. ntlm_auth passes it to winbind over a pipe 3. winbind calls an RPC on the domain controller over an SMB/RPC pipe 4. response comes back in the reverse Every time I've looked, that SMB/RPC connection has been encrypted. I believe it always will be, with modern Samba & AD. I am *reasonably* sure that the SMB/RPC pipe will use NTLMv2 or Kerberos with the Samba machine credentials, so should be secure. You can verify this trivially with wireshark.
2. Use TTLS/PAP, and check passwords via Kerberos/LDAP bind.
Is this way recommended? the part about using PAP scares me. (Clear-text
It's not a common configuration, no. Most people use PEAP/MSCHAPv2 via Samba/ntlm_auth, and do not force ntlmv2. The main reason is that, prior to Windows 8, Windows clients needed extra software for TTLS/PAP. As for PAP scaring you, I think you've misunderstood. The client establishes an encrypted tunnel with EAP-TTLS, then sends the username/password down the tunnel. FreeRADIUS verifies it somehow. There are no "files" involved.
participants (3)
-
Arran Cudbard-Bell -
John McCarthy -
Phil Mayers