Phil Mayers p.mayers at imperial.ac.uk
Fri Nov 11 09:09:44 CET 2011

On 11/11/2011 01:29 AM, Gary Gatten wrote:
> I agree with Jake, in that I *think* it would be possible to have a
> plugin or whatever interface with LDAP/AD in the same manner
> ntlm_auth does.  I don't think one *needs* a cleartext password, but

To quote from the other email I just sent:

People wanting to do MSCHAP must have either:

  1. The NT or LM hashes
  2. The cleartext password, to generate the NT/LM hashes
  3. Access to a system which will perform the MSCHAP crypto for them 
(i.e. a domain controller, access via samba/ntlm_auth)

If you're talking about writing something that interfaces with Active 
Directory "in the same way" as ntlm_auth, you're essentially talking 
about writing a (presumably easier to setup/run than samba/ntlm_auth) 
program to do #3.

However: I will note there's no evidence that the OP was using AD. He 
could have just been using a plain LDAP server.

> does need some way to compare apples-to-apples.  That said, I don't
> know the inner workings of all the auth protocols involved here so I
> could be way off.  Something tells me if it were easy/possible, Mr.
> DeKok would have likely written the plugin by now.

As it happens, I do know the protocols and internal windows APIs, and 
did look into this a while back. It is *possible* but very tricky, and 
it's unclear to me it would be "easier" than samba/ntlm_auth. A few points:

  1. You CANNOT access the required APIs remotely; you MUST be running 
as a local process on a windows domain controller. Thankfully there are 
other APIs which a domain member can call as an RPC which proxy to these 
APIs, but you need a domain machine account to call them (this is what 
Samba/ntlm_auth does)

  2. The required APIs are very, very scantily documented

  3. The required APIs ONLY permit you to perform the MSCHAP 
calculations; they don't give you access to any password hashes.

So, basically you would end up with:

  1. A C program, which you have to compile for windows, which calls the 
internal LSA APIs to perform an MSCHAP challenge/response

  2. Which you then have to run on a windows server, which calls the RPC 
on your domain controllers (this is EXACTLY what Samba/ntlm_auth does)

  3. Some kind of authentication to secure the FreeRADIUS -> program 
network comms

I got about halfway through step 1 - the API calls were executing, but 
the call failed despite being passed a valid challenge/response. I 
assume there are some (more) undocumented API subtleties.

Given the difficulties and awkwardness of the solution, I gave up and 
concluded people should just run Samba, or if they really can't tolerate 
that, run a dumb copy of IAS/NPS and proxy the MSCHAP/EAP-MSCHAP to that.
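As an added illustration of the three options listed above (this is example code, not part of the message above and not FreeRADIUS or Samba code), the following script shows where the NT hash enters MS-CHAPv2: the NtPasswordHash is MD4 over the UTF-16LE password, the 8-byte Challenge is the first 8 bytes of SHA1(PeerChallenge || AuthenticatorChallenge || UserName), and the hash, zero-padded to 21 bytes, supplies the three DES keys that encrypt that challenge to form the NT-Response. MD4 is implemented inline because hashlib.new("md4") is frequently unavailable under OpenSSL 3; the DES step itself is not performed, since the standard library has no DES and the point is visible without it: the only inputs are the NT hash (route 1) or the cleartext you can derive it from (route 2), and a plain LDAP {SSHA} hash gives you neither, which is why route 3 (letting a domain controller do the crypto) exists. The "{nt}" and "{clear}" tags and the {SSHA} sample string are this example's own assumed conventions; the password, challenges and expected values are the RFC 2759 section 9.2 test vector.

```python
import hashlib
import struct

MASK = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """MD4 (RFC 1320) in pure Python. Used instead of hashlib.new("md4") because
    OpenSSL 3 builds usually leave MD4 in the unloaded legacy provider."""
    rot = lambda x, n: ((x << n) | (x >> (32 - n))) & MASK
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rounds = (
        (F, 0x00000000, tuple(range(16)), (3, 7, 11, 19)),
        (G, 0x5A827999, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (H, 0x6ED9EBA1, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for f, k, order, shifts in rounds:
            for i, j in enumerate(order):
                a = rot((a + f(b, c, d) + X[j] + k) & MASK, shifts[i % 4])
                a, b, c, d = d, a, b, c
        h = [(x + y) & MASK for x, y in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def nt_hash(password: str) -> bytes:
    """NtPasswordHash (RFC 2759 8.3): MD4 over the UTF-16LE password."""
    return md4(password.encode("utf-16-le"))


def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, username: str) -> bytes:
    """ChallengeHash (RFC 2759 8.2): first 8 bytes of SHA1(peer || auth || user)."""
    return hashlib.sha1(peer_challenge + auth_challenge + username.encode()).digest()[:8]


def des_keys(nt: bytes) -> list:
    """Zero-pad the NT hash to 21 bytes and split it into the three 56-bit DES keys
    of ChallengeResponse (RFC 2759 8.5), expanding each to 8 bytes with odd parity.
    DES-ECB of the 8-byte challenge under these keys would give the 24-byte
    NT-Response; that encryption is not done here (no DES in the stdlib)."""
    padded = nt + b"\x00" * 5
    keys = []
    for i in range(3):
        bits = int.from_bytes(padded[7 * i:7 * i + 7], "big")
        out = bytearray()
        for n in range(8):
            seven = (bits >> (49 - 7 * n)) & 0x7F          # next 7 key bits, MSB first
            parity = 1 if bin(seven).count("1") % 2 == 0 else 0  # make the byte odd parity
            out.append((seven << 1) | parity)
        keys.append(bytes(out))
    return keys


def nt_hash_from_stored(stored: str) -> bytes:
    """Routes 1 and 2 from the email. The "{nt}"/"{clear}" tags are this example's
    assumed convention (modelled on rlm_pap style password headers). Anything else,
    e.g. the {SSHA} digest a plain LDAP server usually holds, cannot be converted."""
    if stored.lower().startswith("{nt}"):
        return bytes.fromhex(stored[4:])
    if stored.lower().startswith("{clear}"):
        return nt_hash(stored[7:])
    raise ValueError("MS-CHAP needs the NT hash or cleartext; cannot derive it from %s" % stored[:6])


if __name__ == "__main__":
    # RFC 2759 section 9.2 test vector (values taken from the RFC, not real credentials)
    peer = bytes.fromhex("21402324255E262A28295F2B3A337C7E")
    auth = bytes.fromhex("5B5D7C7D7B3F2F3E3C2C602132262628")
    nt = nt_hash("clientPass")
    print("NT hash  ", nt.hex())                          # 44ebba8d5312b8d611474411f56989ae
    print("Challenge", challenge_hash(peer, auth, "User").hex())  # d02e4386bce91226
    print("DES keys ", [k.hex() for k in des_keys(nt)])
    # Constructed stored-credential strings, one per route the email describes
    for stored in ("{clear}clientPass", "{nt}" + nt.hex(), "{SSHA}MTIzNDU2Nzg5MA=="):
        try:
            print(stored[:7], "->", nt_hash_from_stored(stored).hex())
        except ValueError as e:
            print(stored[:7], "->", e)
```

Run it and the {SSHA} entry is the one that fails: nothing in an SSHA digest lets you recover MD4 of the UTF-16LE password, so against a plain LDAP store you are back to needing the cleartext or a domain controller.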


More information about the Freeradius-Users mailing list