NTLMv2 with FreeRADIUS

Matthew Newton mcn4 at leicester.ac.uk
Wed Apr 9 15:48:33 CEST 2014


On Wed, Apr 09, 2014 at 09:33:02AM -0400, John McCarthy wrote:
> But for PCI compliance, they require that we not use NTLMv1, they require
> us to use NTLMv2. Is there any way to get FreeRADIUS to work with NTLMv2

Not possible.

But the MS-CHAP/NTLMv1 is inside a PEAP tunnel, so it is TLS-encrypted
over the air/wire anyway.


> (or a more secure protocol for PCI compliance's sake)?

Depending on the client supplicant maybe EAP-TLS, but that's
per-machine auth, not per-user, so may not match your requirements.


> I have found the post below that basically says it isn't possible. Maybe
> you can use a flag to tell the Active Directory Domain Controller that the
> traffic is NTLMv2...but that sounded pretty sketchy to me. Does anyone else
> have any ideas?

Tell them to research what's actually viable before placing
impossible demands. But then this is PCI, so you're probably
stuffed before you even start.

Cheers,

Matthew


-- 
Matthew Newton, Ph.D. <mcn4 at le.ac.uk>

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>
