definitive info on authenticating to AD via NTLMv2

Alex Sharaz alex.sharaz at york.ac.uk
Tue Mar 26 16:50:47 CET 2013


On 26 Mar 2013, at 15:00, Phil Mayers <p.mayers at IMPERIAL.AC.UK> wrote:

> On 26/03/2013 14:21, Alex Sharaz wrote:
>> Hi, I've been running ntlm_auth to authenticate our 802.1x users
>> against AD for a number of months without problems... until this
>> morning when our Systems group tightened up auth requirements to only
>> use NTLMv2, and my ntlm_auth module started failing.
> 
> As Alan says - you're hosed. They will need to rollback the change if you want Samba/ntlm_auth to continue working.
> 
>> All the web stuff I've found doesn't seem to mention v2 at all. Back
>> in the dim and distant past I got round the NTLMv2 issue when using
>> OSC Radiator by proxying off auths to Radiator running on a Windows
>> machine bound to AD and using their AuthBy LSA authentication
>> mechanism.
> 
> When you say "windows machine", do you mean "ordinary domain member" as opposed to "domain controller"?

Yup.

From the Radiator manual

This module provides authentication against user passwords in any Windows Active Directory or NT Domain Controller, by using the Windows LSA (Local Security Authority). Since it accesses LSA directly, it can authenticate dialup or wireless passwords with PAP, CHAP, MSCHAP, MSCHAPV2, LEAP and PEAP.

AuthBy LSA is only available on Windows 2000, 2003, 2008 and XP. (Windows XP Home edition is not supported). It requires the Win32-Lsa perl module from Open System Consultants. Install the Win32-Lsa perl module using PPM and ActivePerl 5.6, 5.8, 5.10 or 5.12 like this:

ppm install http://www.open.com.au/radiator/free-downloads/Win32-Lsa.ppd

To use AuthBy LSA, Radiator must be run on Windows as a user that has the ‘Act as part of the operating system’ security policy (SE_TCB_PRIVILEGE) enabled. This is not possible with Windows XP Home edition.

Hint: Users can only be authenticated with AuthBy LSA if they have the ’Access this computer from the network’ security policy enabled (this is the normal configuration for Windows Domains). AuthBy LSA honours the Logon Hours, Workstation Restrictions and ‘Account is Disabled’ flags in user accounts.

Hint: CHAP passwords can only be authenticated if the user has the ‘Store password using reversible encryption’ option enabled in their Windows Account.

Hint: See goodies/lsa.cfg and goodies/lsa_eap_peap.cfg for examples on how to configure Radiator to authenticate PAP, CHAP, MSCHAP, MSCHAPV2, LEAP and PEAP against Windows user passwords.

Hint: If you are running Radiator on unix or Linux, and wish to authenticate to Windows Active Directory or to a Windows Domain Controller, see “<AuthBy NTLM>” on page 223.


I ran a 2-tier RADIUS service. Tier 1 ran Radiator on Linux with a back-end MySQL database. All 802.1x and macauth stuff ran against MySQL. Visiting eduroam users got proxied off to a part of "eduroam" front ends that proxied them off to remote home sites and processed inbound local user auths. When I started rolling out dot1x for our staff/student images I just added another proxy server with Radiator that ran on a Windows box and passed back an Access-Accept/Access-Reject response to the "tier 1" RADIUS servers.
> 
> If so, this is interesting. It suggests that MSCHAP can still be checked with NTLMv2 enforced, just not via whatever API Samba/ntlm_auth uses.
> 
> You should ask on the Samba lists - if a windows domain member can do it, there must be a newer API/RPC which Samba could implement.
> 
> It is possible, though unlikely IMO, that one of the other ntlm_auth modes, such as
> 
> --helper-protocol=ntlm-server-1
> 
> ...use different RPCs, and may work. If you can, try and get a valid challenge/response pair, and then drive ntlm_auth using the ntlm-server-1 protocol (see "man ntlm_auth"). If that works, it would be possible in theory to use a wrapper script. But IIRC, it's the same code path, so Samba fixes will be needed.
> 
> The other "option" (yuck) is to run NPS (or Radiator) on a Windows server, and proxy your MSCHAP to that. But if other RADIUS servers have the ability to work with NTLMv2 enforced, it would be nice to get it with FR too.

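To make the "get a valid challenge/response pair and drive ntlm_auth with ntlm-server-1" suggestion concrete, here is an added Python example that is not from this thread, FreeRADIUS or Samba: it derives the 8-byte MS-CHAPv2 challenge the RADIUS server hands to ntlm_auth, assembles an ntlm-server-1 request block, and parses the helper's reply. The challenge inputs are the RFC 2759 section 9.2 test vector; the NT-Response and the helper reply are constructed placeholders, and the helper field names are as I remember them from ntlm_auth(1), so check them against the man page before relying on them.

```python
import hashlib
from typing import Dict

# Inputs from the RFC 2759 section 9.2 test vector (real published values).
USER_NAME = b"User"
AUTH_CHALLENGE = bytes.fromhex("5B5D7C7D7B3F2F3E3C2C602132262628")
PEER_CHALLENGE = bytes.fromhex("21402324255E262A28295F2B3A337C7E")

# Constructed 24-byte placeholder, NOT a real MS-CHAPv2 NT-Response.
FAKE_NT_RESPONSE = bytes(range(24))


def mschapv2_challenge_hash(peer: bytes, auth: bytes, user: bytes) -> bytes:
    """RFC 2759 ChallengeHash(): first 8 bytes of SHA1(Peer || Auth || User).
    'user' is the bare user name (no domain prefix). This 8-byte value is
    what a RADIUS server passes to ntlm_auth as the challenge."""
    return hashlib.sha1(peer + auth + user).digest()[:8]


def build_ntlm_server_1_request(user: str, domain: str,
                                challenge: bytes, nt_response: bytes) -> str:
    """Assemble one ntlm-server-1 request block (field names assumed from
    ntlm_auth(1)): binary values are hex-encoded, block ends with '.'."""
    lines = [
        f"Username: {user}",
        f"NT-Domain: {domain}",
        f"LANMAN-Challenge: {challenge.hex()}",
        f"NT-Response: {nt_response.hex()}",
        ".",
    ]
    return "\n".join(lines) + "\n"


def parse_ntlm_server_1_reply(text: str) -> Dict[str, str]:
    """Parse 'Key: value' reply lines up to the terminating '.' line."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        if line.strip() == ".":
            break
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def is_authenticated(fields: Dict[str, str]) -> bool:
    """Only an explicit 'Authenticated: Yes' counts; anything else is a reject."""
    return fields.get("Authenticated") == "Yes"
```

In a wrapper you would write the request block to ntlm_auth's stdin (started with --helper-protocol=ntlm-server-1) and read the reply back from its stdout; a missing or malformed reply must be treated as a reject, never as a pass.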