NTLMv2 with FreeRADIUS

Tobias Hachmer tobias at hachmer.de
Wed Apr 9 19:56:58 CEST 2014


On Wednesday 09 April 2014 18:46:19 Phil Mayers wrote:
> On 09/04/14 17:55, Tobias Hachmer wrote:
> > Maybe I didn't get it but why FR could not authenticate users against MS
> > AD via ntlm_auth?
> 
> You've misunderstood the problem.
> 
> The issue is that the MSCHAPv2 bit of PEAP - the inner auth - needs
> NTLMv1 to be enabled. This is because you can turn MSCHAPv2 into an
> NTLMv1 exchange with a trivial rearrangement.
> 
> FreeRADIUS *does* check MSCHAPv2 this way.
> 
> NTLMv2 is however a completely different protocol. EAP clients don't
> speak it, so it's irrelevant whether Samba supports it. And there's no
> way to transform MSCHAPv2 into NTLMv2. So, you can't check MSCHAPv2
> against an NTLMv2-only DC.

OK, it isn't working with MSCHAPv2. But NTLMv2 would work using PAP
authentication, just call ntlm_auth with username and password, etc.?

Regards,
Tobias Hachmer
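
The rearrangement described in the quoted reply, as an added example that is not part of the original thread and not FreeRADIUS code: the 8-byte RFC 2759 ChallengeHash plus the client's 24-byte NT-Response form an NTLMv1 challenge/response pair that can be handed to ntlm_auth. Function names, the helper path and the EXAMPLE domain are assumptions; the challenge and response bytes are the RFC 2759 section 9.2 test vectors.

```python
import hashlib

def parse_mschap2_response(value: bytes):
    """Split an MS-CHAP2-Response value (RFC 2548): ident, flags,
    16-byte Peer-Challenge, 8 reserved bytes, 24-byte NT-Response."""
    if len(value) != 50:
        raise ValueError("MS-CHAP2-Response must be 50 bytes")
    return value[2:18], value[26:50]

def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, user: str) -> bytes:
    """RFC 2759 ChallengeHash: the 8 bytes the client actually encrypted."""
    if len(peer_challenge) != 16 or len(auth_challenge) != 16:
        raise ValueError("both challenges must be 16 bytes")
    name = user.rsplit("\\", 1)[-1]  # the DOMAIN\ prefix is not hashed
    digest = hashlib.sha1(peer_challenge + auth_challenge + name.encode()).digest()
    return digest[:8]

def ntlm_auth_argv(user, domain, auth_challenge, mschap2_response,
                   helper="/usr/bin/ntlm_auth"):  # helper path is an assumption
    """Build the ntlm_auth command line for one MSCHAPv2 inner auth."""
    peer_challenge, nt_response = parse_mschap2_response(mschap2_response)
    challenge = challenge_hash(peer_challenge, auth_challenge, user)
    # An 8-byte challenge and a 24-byte response are exactly an NTLMv1 pair,
    # so the DC must accept NTLMv1 for this check to succeed.
    return [helper, "--request-nt-key",
            "--username=" + user.rsplit("\\", 1)[-1],
            "--domain=" + domain,
            "--challenge=" + challenge.hex(),
            "--nt-response=" + nt_response.hex()]

# RFC 2759 section 9.2 test vectors; ident, flags and reserved bytes are constructed
AUTH_CHALLENGE = bytes.fromhex("5B5D7C7D7B3F2F3E3C2C602132262628")
PEER_CHALLENGE = bytes.fromhex("21402324255E262A28295F2B3A337C7E")
NT_RESPONSE = bytes.fromhex("82309ECD8D708B5EA08FAA3981CD83544233114A3D85D6DF")
SAMPLE_ATTR = b"\x01\x00" + PEER_CHALLENGE + bytes(8) + NT_RESPONSE

if __name__ == "__main__":
    print(" ".join(ntlm_auth_argv("User", "EXAMPLE", AUTH_CHALLENGE, SAMPLE_ATTR)))
```

The server never sees the password in this flow, only the response, which is why it cannot recompute anything in NTLMv2 form from an MSCHAPv2 exchange.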