NTLMv1 security issue

Roberto Ricci robertoricci1 at msn.com
Mon Jan 21 13:59:03 CET 2019


Thank you for your help Alan.
What I’m trying to achieve is to let people connect to the WIFI network with credentials stored in our AD. The new SAMBA server for “public” access is a good idea and seems to be the only way to achieve my goal in a reasonably secure and clean way. Can you confirm this last sentence? Is this the only way to do WIFI access with AD in a secure and clean way? Are there other possibilities to do this? I read about TTLS/PAP and EAP-TLS, but I know that there are compatibility problems with some devices (e.g. Windows not supporting it natively and iOS incompatibilities).
Thank you for your attention.

Best regards

> Il giorno 18 gen 2019, alle ore 15:17, Alan DeKok <aland at deployingradius.com> ha scritto:
> 
> On Jan 18, 2019, at 4:52 AM, Roberto Ricci <robertoricci1 at msn.com> wrote:
>> 
>> I'm trying to set up a FreeRADIUS server for authentication against Active Directory. I followed the guide on deployingradius.com. In order to make everything work I have to set “ntlm auth = yes” in my smb.conf. This should enable NTLMv1 protocol that is well known to be broken. I also know that there is the possibility to set “ntlm auth = mschapv2-and-ntlmv2-only” but that’s not supported on my currently running SAMBA version. So these are my questions:
>> - What are the risks that I’m taking if I leave “ntlm auth = yes” on my SAMBA server?
> 
>  People can use ntlm_auth to talk to Samba.  ntlm_auth is insecure, so it's best to avoid it if you can.
> 
>> - How can I avoid “ntlm auth = yes” without upgrading SAMBA?
> 
>  Use one Samba server for "public" access, i.e. people in your local network.  Use a different Samba server for FreeRADIUS.  And lock the second one down so that it only talks to the first Samba server && FreeRADIUS.
> 
>> - If I decide to upgrade SAMBA and set “ntlm auth = mschapv2-and-ntlmv2-only”, can I rest easy, or am I still vulnerable in some way?
> 
>  It's a little better, but plain MS-CHAPv2 is still somewhat insecure.
> 
>   Alan DeKok.
> 
> 
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
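The smb.conf values the thread discusses, as an added check that is not from the thread or from Samba: a POSIX shell script that reads the effective `ntlm auth` value from a config file and grades it. The sample config is constructed, and the default assumed when the key is absent is Samba's `ntlmv2-only` (4.5 and later; older releases defaulted to yes).

```shell
#!/bin/sh
# Added example, not from the thread: grade the "ntlm auth" setting of an smb.conf.
# Value names are Samba's own. Default when the key is absent is assumed to be
# "ntlmv2-only" (Samba 4.5+). SAMPLE_CONF below is a constructed fragment.

ntlm_auth_value() {
    # Print the effective "ntlm auth" value from the [global] section of file $1.
    # Samba ignores case and whitespace in parameter names, so "NtlmAuth" matches too;
    # lines starting with # or ; never match because the name regex is anchored.
    awk -F= '
        BEGIN { in_global = 1; val = "ntlmv2-only" }
        /^[ \t]*\[/ { in_global = (tolower($0) ~ /^[ \t]*\[global\]/); next }
        in_global && tolower($1) ~ /^[ \t]*ntlm[ \t]*auth[ \t]*$/ {
            v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v); val = tolower(v)
        }
        END { print val }' "$1"
}

ntlm_auth_grade() {
    # WEAK:   NTLMv1 accepted from any client (the "ntlm auth = yes" case).
    # BETTER: NTLMv1 only via ntlm_auth for MS-CHAPv2, i.e. the FreeRADIUS path.
    # OK:     NTLMv1 refused everywhere; MS-CHAPv2 through ntlm_auth then fails too.
    case "$1" in
        yes|ntlmv1-permitted)     echo WEAK ;;
        mschapv2-and-ntlmv2-only) echo BETTER ;;
        no|ntlmv2-only|disabled)  echo OK ;;
        *)                        echo UNKNOWN ;;
    esac
}

ntlm_auth_report() {
    # One-line report for file $1, e.g. "yes -> WEAK".
    v=$(ntlm_auth_value "$1")
    echo "$v -> $(ntlm_auth_grade "$v")"
}

SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
# constructed fragment: the setting the thread discusses, old value left commented out
[global]
    workgroup = EXAMPLE
    security = ads
    ; ntlm auth = mschapv2-and-ntlmv2-only
    ntlm auth = yes
[homes]
    read only = no
EOF

ntlm_auth_report "$SAMPLE_CONF"
```

Run it against a real server with `ntlm_auth_report /etc/samba/smb.conf`; anything graded WEAK still answers NTLMv1 for every client, not just the RADIUS box.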