NTLMv2 with FreeRADIUS
John Douglass
john.douglass at oit.gatech.edu
Wed Apr 9 18:02:26 CEST 2014
One way that I have solved this (mind you, it's a still-developing
project) is to use the proxy capabilities of Freeradius to authenticate
to AD by enabling radius on the AD.
You do lose some of the caching capabilities as defined within the
eap.conf file. It does appear that by proxying to the AD servers, the AD
server is where the encrypted tunnel for the user/pass are terminated
(please please please, correct me if I am wrong). We have the same
end/server auth cert on the AD servers that are authenticating radius as
the servers that are using ntlm_auth and are the terminating point for
that authentication and they seem to process the authentications without
client confusion.
Seems to work well for me. We only proxy the authN and then do the rest
of the processing on the freeradius server (since there is some custom
voodoo to support our scheme of wireless VLAN assignment at Georgia Tech).
I also find that the proxy failover (and be SURE to read the config
files for proxy about the different methods of failover and round robin) is
better than the round-robin/failover possibilities within the Samba
configuration (smb.conf).
- John Douglass
Sr. Systems Architect
Georgia Institute of Technology
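As an added illustration of the proxied-to-AD setup described in the mail above (this is an example added here, not John's configuration and not part of the original thread), the following is a minimal FreeRADIUS 3 proxy.conf plus virtual server that sends authentication to two AD-side RADIUS servers with failover and keeps the VLAN assignment local. Host addresses, shared secrets, the realm name, the probe account and the VLAN mapping are hypothetical; the remark that the AD-side server does not answer Status-Server is an assumption, which is why the liveness check uses a real Access-Request instead.

```conf
# --- proxy.conf (hypothetical hosts and secrets) ---------------------------

home_server ad_radius_1 {
    type   = auth
    ipaddr = 10.0.0.11           # hypothetical AD-side RADIUS server
    port   = 1812
    secret = "changeme-ad1"      # hypothetical shared secret

    # Unanswered requests mark the server "zombie", then "dead"; it is
    # probed until it answers again.
    response_window = 20
    zombie_period   = 40
    revive_interval = 120

    # Assumption: the AD-side server ignores Status-Server, so probe with a
    # real Access-Request for an account that must be rejected. Any reply,
    # including Access-Reject, proves the server is alive.
    status_check = request
    username     = "probe_user_please_reject"   # hypothetical probe account
    password     = "not-a-real-password"
    check_interval       = 30
    num_answers_to_alive = 3
}

home_server ad_radius_2 {
    type   = auth
    ipaddr = 10.0.0.12           # hypothetical second AD-side RADIUS server
    port   = 1812
    secret = "changeme-ad2"
    response_window = 20
    zombie_period   = 40
    revive_interval = 120
    status_check = request
    username     = "probe_user_please_reject"
    password     = "not-a-real-password"
    check_interval       = 30
    num_answers_to_alive = 3
}

home_server_pool ad_pool {
    # fail-over: always use ad_radius_1 unless it is dead. Other pool types
    # are load-balance, client-balance, client-port-balance and keyed-balance.
    type = fail-over
    home_server = ad_radius_1
    home_server = ad_radius_2
}

# Proxy authentication only (no acct_pool), so accounting stays local.
# DEFAULT catches user@anything; NULL catches names with no realm at all.
# nostrip sends the full User-Name so AD sees the domain suffix.
realm DEFAULT {
    auth_pool = ad_pool
    nostrip
}
realm NULL {
    auth_pool = ad_pool
}

# --- sites-enabled/default (fragment) --------------------------------------

server default {
    authorize {
        preprocess
        # suffix handles user@domain, ntdomain handles DOMAIN\user. A matching
        # realm sets Proxy-To-Realm; the server then proxies the request (EAP
        # and all) instead of running authenticate, so the TLS tunnel is
        # terminated on the home server and the local eap module is not used.
        suffix
        ntdomain
    }

    authenticate {
        # Not reached for proxied requests.
    }

    post-proxy {
        # The home server's reply has arrived; nothing to rewrite here.
    }

    post-auth {
        # Local policy on the Access-Accept that came back from AD:
        # hypothetical VLAN mapping keyed on the realm the request matched.
        if (&Realm == "corp.example.edu") {
            update reply {
                &Tunnel-Type := VLAN
                &Tunnel-Medium-Type := IEEE-802
                &Tunnel-Private-Group-Id := "120"
            }
        }
        Post-Auth-Type REJECT {
            attr_filter.access_reject
        }
    }
}
```

Because the whole EAP conversation is forwarded, the home server must hold the server certificate the supplicants trust, as the mail above notes, and the local eap.conf (including its session and fast-reauth caching) does not apply to proxied users. Dead-server detection here is per home server; the pool type decides whether the second server is a cold standby (fail-over) or shares load from the start.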
On 04/09/2014 11:48 AM, Alan DeKok wrote:
> John McCarthy wrote:
>> Thanks for your guys work on the FreeRADIUS project. It works really
>> well and was easy to setup and understand.
> I'm glad you agree. Not everyone has that opinion. :)
>
>> But for PCI compliance, they require that we not use NTLMv1, they
>> require us to use NTLMv2. Is there any way to get FreeRADIUS to work
>> with NTLMv2 (or a more secure protocol for PCI compliance's sake)?
> The protocols used make it impossible.
>
> The only way to avoid NTLMv1 is to run FreeRADIUS on the Active
> Directory machine. Unfortunately, we don't have a Windows port.
>
>> I have found the post below that basically says it isn't possible. Maybe
>> you can use a flag to tell the Active Directory Domain Controller that
>> the traffic is NTLMv2...but that sounded pretty sketchy to me. Does
>> anyone else have any ideas?
> Tell the PCI compliance people that their requirements are impossible
> in practice, due to Microsoft's implementation of Active Directory.
>
> Alan DeKok.