NTLMv2 with FreeRADIUS
Phil Mayers
p.mayers at imperial.ac.uk
Wed Apr 9 19:46:19 CEST 2014
On 09/04/14 17:55, Tobias Hachmer wrote:
> Maybe I didn't get it, but why can't FR authenticate users against MS AD
> via ntlm_auth?
You've misunderstood the problem.
The issue is that the MSCHAPv2 bit of PEAP - the inner auth - needs
NTLMv1 to be enabled. This is because you can turn MSCHAPv2 into an
NTLMv1 exchange with a trivial rearrangement.
FreeRADIUS *does* check MSCHAPv2 this way.
NTLMv2 is however a completely different protocol. EAP clients don't
speak it, so it's irrelevant whether Samba supports it. And there's no
way to transform MSCHAPv2 into NTLMv2. So, you can't check MSCHAPv2
against an NTLMv2-only DC.
As I noted in the thread originally linked to by the OP, there's a magic
flag which Samba would need to implement which allows NTLMv1 over the
netlogon RPC pipe even when it's disabled everywhere else. This is how
Microsoft NPS manages it.
Samba doesn't implement that, so no - you can't check MSCHAPv2 against
an NTLMv2-only DC with Samba.