NTLMv1 security issue

Roberto Ricci robertoricci1 at msn.com
Mon Jan 21 22:26:43 CET 2019

Thank you Alan.
On this page, in the third post, Matthew Newton says: "With EAP-TLS you might also have problems getting iPads and similar mobile devices on entirely and many just won't do EAP-TLS, so you're probably laptops only in the majority of cases."
I googled this and found confirmations. That’s why I said that EAP-TLS could have some compatibility issues. Is that wrong?
Have a nice day.

> On 21 Jan 2019, at 20:27, Alan Buxey <alan.buxey at gmail.com> wrote:
> From the top of my head I can't think of any common platforms that do EAP
> (WPA/WPA2 enterprise or 802.1X) and can't do EAP-TLS
> alan
> On Mon, 21 Jan 2019, 12:59 Roberto Ricci <robertoricci1 at msn.com> wrote:
>> Thank you for your help Alan.
>> What I’m trying to achieve is to let people connect to the WIFI network
>> with credentials stored in our AD. The new SAMBA server for “public” access
>> is a good idea and seems to be the only way to achieve my goal in a
>> reasonably secure and clean way. Can you confirm this last sentence? Is
>> this the only way to do WIFI access with AD in a secure and clean way? Are
>> there other possibilities to do this? I read about TTLS/PAP and EAP-TLS but
>> I know that there are compatibility problems with some devices (e.g.
>> Windows not supporting natively and iOS incompatibilities).
>> Thank you for your attention.
>> Best regards
>>> On 18 Jan 2019, at 15:17, Alan DeKok <aland at deployingradius.com> wrote:
>>> On Jan 18, 2019, at 4:52 AM, Roberto Ricci <robertoricci1 at msn.com> wrote:
>>>> I'm trying to set up a FreeRADIUS server for authentication against
>>>> Active Directory. I followed the guide on deployingradius.com. In order
>>>> to make everything work I have to set “ntlm auth = yes” in my smb.conf.
>>>> This should enable NTLMv1 protocol that is well known to be broken. I also
>>>> know that there is the possibility to set “ntlm auth =
>>>> mschapv2-and-ntlmv2-only” but that’s not supported on my currently running
>>>> SAMBA version. So these are my questions:
>>>> - What are the risks that I’m taking if I leave “ntlm auth = yes” on my
>>>> SAMBA server?
>>> People can use ntlm_auth to talk to Samba.  ntlm_auth is insecure, so
>>> it's best to avoid it if you can.
>>>> - How can I avoid “ntlm auth = yes” without upgrading SAMBA?
>>> Use one Samba server for "public" access.  i.e. people in your local
>>> network.  Use a different Samba server for FreeRADIUS.  And lock the second
>>> one down so that it only talks to the first Samba server && FreeRADIUS.
>>>> - If I decide to upgrade SAMBA and set “ntlm auth =
>>>> mschapv2-and-ntlmv2-only” can I rest easy or am I still vulnerable in
>>>> some way?
>>> It's a little better, but plain MS-CHAPv2 is still somewhat insecure.
>>>  Alan DeKok.
>>> -
>>> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
