FreeRADIUS Authentication with AD Without Joining AD

Martin Pauly pauly at hrz.uni-marburg.de
Fri Jun 18 10:39:19 CEST 2021 

Am 24.05.21 um 13:58 schrieb Vertigo Altair:
> Is there any way to authenticate users with AD without joining the AD
> server?
There is a workaround, but it is not at all simple,
and does have security caveats of its own.
Technically, what _any_ MS-CHAP(v2) auth server needs ist the NTLM Hash of the password.
This is what is usually stored in a table inside the domain controller an used during authentication.
If you can put this data somewhere else (e.g.) in an LDAP Server,
FR can pull it from there and do the MS-CHAP calculations autonomously.

BUT:
Caveat #1:
The NTLM Hashes are about the weakest kind of password hashes I know of.
In the above scenario, this the storage serve MUST hand out the hash to FR,
e.g. in LDAP ist MUST be readable as a normal attribute.
Contrast this to auth'ing against LDAP with e.g. EAP/TTLS-PAP. Here, the password
- is hashed with a modern algorithm, currently considered almost uncrackable when stolen.
- never leaves the LDAP server. Rather, FR does a bind-as-user with the PAP-transmitted
   cleartext password, effectively using LDAP as an authentiation oracle.

If someone steals the NTLM hashes, consider your passwords gone and open.

Caveat #2:
- Assuming you do not want to give up your AD, you will need some way
   to permanently synchronize these hashes. if you have e.g. a self-service
   web frontend for password changes. The cleartext password provided by the user
   has to be processed to NTLM hash (and perhaps others, better ones) and pushed to the
   AD domain and LDAP.

Martin

-- 
   Dr. Martin Pauly     Phone:  +49-6421-28-23527
   HRZ Univ. Marburg    Fax:    +49-6421-28-26994
   Hans-Meerwein-Str.   E-Mail: pauly at HRZ.Uni-Marburg.DE
   D-35032 Marburg

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5391 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20210618/e0833437/attachment.bin>

More information about the Freeradius-Users mailing list