Wifi + Active Directory without ntlm

Клеусов Владимир Сергеевич Kleusov.Vladimir at wildberries.ru
Tue May 19 13:35:33 CEST 2020


To sum up: I can't use AD without NTLM, because there are encrypted passwords coming from AD. Do I need NTLM to work with encrypted passwords?

> On 14 May 2020, at 19:53, Fabrice Durand <fdurand at inverse.ca> wrote:
> 
> I did this kind of configuration a long time ago and most of the work needs to be done on the AD side.
> 
> The idea is to mimic what an eDirectory server does (universal password) and create an LDAP attribute where you will store the NTHASH of the user/computer.
> 
> https://github.com/inverse-inc/packetfence/tree/devel/addons/nthash_AD_attribute
> 
> 
> The other way is to extract the NTHASH for each user, store it somewhere (SQL, for example) and configure FreeRADIUS to fetch the NTHASH based on the username.
> 
> https://github.com/SecureAuthCorp/impacket/blob/master/examples/secretsdump.py
> 
> 
> Regards
> 
> Fabrice
> 
> On 2020-05-14 at 10:56, Клеусов Владимир Сергеевич via Freeradius-Users wrote:
>> The idea was to link FreeRADIUS and AD via an LDAP module. That is, do not install Samba and winbind; authenticate using the ldap module. That is, it will not work like this. Right? So the ldap module, is it for other LDAP implementations, such as OpenLDAP?
>> 
>>> On 14 May 2020, at 16:40, Josef Vybíhal <josef.vybihal at gmail.com> wrote:
>>> 
>>> Is it possible, that you mean that you just don't want to use ntlm_auth
>>> command? If yes, then read the winbind comment section in the mschap module
>>> config.
>>> # winbind_username = "%{mschap:User-Name}"
>>> # winbind_domain = "%{mschap:NT-Domain}"
>>> 
>>> or this
>>> https://wiki.freeradius.org/guide/Active-Directory-direct-via-winbind
>>> 
>>> On Thu, May 14, 2020 at 3:32 PM Клеусов Владимир Сергеевич via
>>> Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
>>> 
>>>> Ideally, I want to authenticate the domain user and if he is in the
>>>> domain, check his group. If not in the group, do not connect to wifi. Is
>>>> this possible without ntlm ?
>>>> 
>>>> On 14 May 2020, at 16:07, Matthew Newton <mcn at freeradius.org> wrote:
>>>> 
>>>> To do what? Just get policy information/groups etc, or to authenticate?
>>>> 
>>>> FreeRADIUS can use LDAP to query AD to get group information etc just
>>>> fine. However, AD won't give you a password over LDAP. So in the vast
>>>> majority of cases if you want to authenticate you need to use mschap.
>>>> 
>>>> -
>>>> List info/subscribe/unsubscribe? See
>>>> http://www.freeradius.org/list/users.html
>> 
> 
> -- 
> Fabrice Durand
> fdurand at inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)
> 
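Pulling the replies above together, here is an added example (not from the thread or the FreeRADIUS project) of what the split looks like in a FreeRADIUS 3.x configuration: ldap answers the group question, mschap via winbind does the MS-CHAPv2 check because AD does not return a password over LDAP, and the commented update line is the NT-hash-in-an-LDAP-attribute alternative. Host names, DNs, the bind password, the group name and the attribute name are placeholders.

```conf
# mods-available/mschap (FreeRADIUS 3.x): MS-CHAPv2 needs the NT hash, which AD
# never hands out over LDAP, so mschap asks winbind instead of the ntlm_auth tool.
mschap {
    use_mppe = yes
    require_encryption = yes
    require_strong = yes
    winbind_username = "%{mschap:User-Name}"
    winbind_domain = "%{mschap:NT-Domain}"
}

# mods-available/ldap: used only for authorization (group lookup).
# Host, bind account and DNs below are placeholders for this example.
ldap {
    server = "ldaps://dc1.example.test"
    identity = "CN=radius,OU=Service Accounts,DC=example,DC=test"
    password = "bind-password-placeholder"
    base_dn = "DC=example,DC=test"
    user {
        base_dn = "${..base_dn}"
        filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
    }
    group {
        base_dn = "${..base_dn}"
        filter = "(objectClass=group)"
        membership_attribute = "memberOf"
    }
    update {
        # Alternative from the thread: if AD was extended with an attribute holding
        # the NT hash, map it here and winbind is no longer needed (placeholder name).
        # control:NT-Password := 'radiusNtHash'
    }
}

# sites-available/inner-tunnel (PEAP/EAP-MSCHAPv2): domain membership and the
# group check happen in authorize; the credential check itself in authenticate.
authorize {
    mschap
    ldap
    # "wifi-users" is a placeholder group name; a user missing from AD
    # matches no group, so the same test rejects non-domain accounts.
    if (!(LDAP-Group == "wifi-users")) {
        reject
    }
}
authenticate {
    Auth-Type MS-CHAP {
        mschap
    }
}
```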
