Windows WPA
Phil Mayers
p.mayers at imperial.ac.uk
Thu Dec 22 17:48:57 CET 2005
Stefan Adams wrote:
> Phil, thanks for the information!
>
> "Finally you need an AD domain (not NT4) to do that."
>
> Are you saying I actually need a Microsoft Server? A Samba domain
> control won't suffice? Being that I have no (ZERO) Microsoft servers,
> are my chances of doing machine authentication nil?

Ah, that's a different kettle of fish entirely. In this specific case I
*believe* the RPC call allowing you to MSCHAP a machine account is a
newer RPC, so since Samba emulates NT4 you may still find that method
doesn't work.

But, if you have a samba domain controller, you can in a supported
fashion extract the LM and NT hashes from your SAM, and give those to
FreeRadius directly, which can then do the MSCHAP without a callout to
the domain at *all*, which has obvious scalability and resilience value.

How to do this depends on what SAM backend you're using, whether the
FreeRadius server runs on the same machine as the Samba DC or a
different one, and of course whether your site policy permits the "risk"
of moving the LM/NT hashes around, though I personally don't buy the
arguments about the risk involved there.

If you're using an LDAP backend, see frequent posts about using LDAP and
ways of mapping the ntPassword LDAP attribute to the NT-Password radius
attribute.

If you're using smbpasswd, then a "passwd" file module can be used in
FreeRadius, with the config as described in the default radiusd.conf (I
believe), subject to you obviously getting the file somewhere FreeRadius
can see it, and HUPing the server if/when it changes.

Other SAMs (TDB, etc.) can probably be done similarly but that's
samba-specific.
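
An added illustration of the smbpasswd route described in the reply above (example code, not from this thread or from FreeRADIUS): a Python re-creation of how rlm_passwd's format string maps smbpasswd columns onto RADIUS attributes, run over constructed sample lines. The format string is the smbpasswd example from FreeRADIUS's default radiusd.conf; the account-control flag handling, the user names and the hash values are this example's own constructed assumptions.

```python
# Added example (not from the thread or FreeRADIUS): re-creates how
# rlm_passwd's format string maps smbpasswd columns to RADIUS attributes,
# which is what lets rlm_mschap check MS-CHAP without calling the DC.
SMBPASSWD_FORMAT = "*User-Name::LM-Password:NT-Password:SMB-Account-CTRL-TEXT::"
# Above: the smbpasswd format from FreeRADIUS's default radiusd.conf; '*' is
# the lookup key, an empty name skips that column. Below: the well-known
# value smbpasswd stores when an account has no LM hash.
EMPTY_LM_HASH = "AAD3B435B51404EEAAD3B435B51404EE"

def parse_format(fmt, delimiter=":"):
    """Return (key_column_index, [attribute name or None per column])."""
    cols, key = [], None
    for i, name in enumerate(fmt.split(delimiter)):
        if name.startswith("*"):
            key, name = i, name[1:]
        cols.append(name or None)
    if key is None:
        raise ValueError("format string has no '*' key column")
    return key, cols

def load_smbpasswd(text, fmt=SMBPASSWD_FORMAT):
    """Index file lines by the key column, as rlm_passwd does in memory."""
    key, cols = parse_format(fmt)
    db = {}
    for line in text.splitlines():
        fields = line.split(":")
        if not line or line.startswith("#") or len(fields) != len(cols):
            continue  # blank, comment or malformed line: never trusted
        db[fields[key]] = {n: v for n, v in zip(cols, fields) if n}
    return db

def hashes_for(db, user):
    """Return (status, attrs); disabled accounts get no hashes at all."""
    attrs = db.get(user)
    if attrs is None:
        return "notfound", {}
    flags = set(attrs["SMB-Account-CTRL-TEXT"].strip("[] "))  # e.g. {'U','D'}
    if "D" in flags:
        return "disabled", {}
    out = {"NT-Password": attrs["NT-Password"]}
    if attrs["LM-Password"].upper() != EMPTY_LM_HASH:
        out["LM-Password"] = attrs["LM-Password"]  # only when LM really stored
    return ("machine" if "W" in flags else "user"), out

# Constructed sample: a user, a disabled user and a machine account (note '$').
SAMPLE = """\
alice:1001:AAD3B435B51404EEAAD3B435B51404EE:0123456789ABCDEF0123456789ABCDEF:[U          ]:LCT-43AA1234:
bob:1002:AAD3B435B51404EEAAD3B435B51404EE:FEDCBA9876543210FEDCBA9876543210:[UD         ]:LCT-43AA1235:
LAB-PC1$:1003:AAD3B435B51404EEAAD3B435B51404EE:00112233445566778899AABBCCDDEEFF:[W          ]:LCT-43AA1236:
"""
```

Because the file is only read into memory once, the HUP the reply mentions is what makes a changed smbpasswd take effect; a stale copy silently keeps old hashes valid.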