NTLMv2 with FreeRADIUS
Matthew Newton
mcn4 at leicester.ac.uk
Wed Apr 9 15:48:33 CEST 2014
On Wed, Apr 09, 2014 at 09:33:02AM -0400, John McCarthy wrote:
> But for PCI compliance, they require that we not use NTLMv1, they require
> us to use NTLMv2. Is there any way to get FreeRADIUS to work with NTLMv2

Not possible.

But the MS-CHAP/NTLMv1 is inside a PEAP tunnel, so TLS encrypted
over the air/wire anyway.

> (or a more secure protocol for PCI compliance's sake)?

Depending on the client supplicant maybe EAP-TLS, but that's
per-machine auth, not per-user, so may not match your requirements.

> I have found the post below that basically says it isn't possible. Maybe
> you can use a flag to tell the Active Directory Domain Controller that the
> traffic is NTLMv2...but that sounded pretty sketchy to me. Does anyone else
> have any ideas?

Tell them to research what's actually viable before placing
impossible demands. But then this is PCI, so you're probably
stuffed before you even start.

Cheers,

Matthew
--
Matthew Newton, Ph.D. <mcn4 at le.ac.uk>
Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>
More information about the Freeradius-Users mailing list