NTLMv2 with FreeRADIUS
Phil Mayers
p.mayers at imperial.ac.uk
Wed Apr 9 19:38:46 CEST 2014
On 09/04/14 18:25, John McCarthy wrote:
> We will primarily be authenticating Windows 7 machines (and a handful of
> Windows 8 machines).
>
> Other than that, there may be some iPhones, iPads and Android phones
> that will be connected to this wireless AP.
>
> I was just wondering if there was a way to bypass having to use ntlm and
> use something more secure.

See:

http://deployingradius.com/documents/protocols/compatibility.html

And

http://deployingradius.com/documents/protocols/oracles.html

You have basically three options:

1. Use MSCHAP which needs NTLMv1. As per the thread you linked, it
   might be possible to do this if you patch Samba, even if you have
   disabled NTLMv1, using the magic flag noted in the thread.

2. Use TTLS/PAP, and check passwords via Kerberos/LDAP bind.

3. Use EAP-TLS and don't use passwords.