FreeRADIUS Authentication with AD Without Joining AD
pauly at hrz.uni-marburg.de
Fri Jun 18 10:39:19 CEST 2021
On 24.05.21 at 13:58, Vertigo Altair wrote:
> Is there any way to authenticate users with AD without joining the AD
There is a workaround, but it is not at all simple,
and does have security caveats of its own.
Technically, what _any_ MS-CHAP(v2) auth server needs is the NTLM hash of the password.
This is what is usually stored in a table inside the domain controller and used during authentication.
If you can put this data somewhere else, e.g. in an LDAP server,
FR can pull it from there and do the MS-CHAP calculations autonomously.
The NTLM hashes are about the weakest kind of password hashes I know of.
In the above scenario, the storage server MUST hand out the hash to FR,
e.g. in LDAP it MUST be readable as a normal attribute.
Contrast this to auth'ing against LDAP with e.g. EAP/TTLS-PAP. Here, the password
- is hashed with a modern algorithm, currently considered almost uncrackable when stolen.
- never leaves the LDAP server. Rather, FR does a bind-as-user with the PAP-transmitted
  cleartext password, effectively using LDAP as an authentication oracle.
If someone steals the NTLM hashes, consider your passwords gone and open.
- Assuming you do not want to give up your AD, you will need some way
  to permanently synchronize these hashes, e.g. if you have a self-service
  web frontend for password changes: the cleartext password provided by the user
  has to be processed into an NTLM hash (and perhaps other, better ones) and pushed to the
  AD domain and LDAP.
Dr. Martin Pauly Phone: +49-6421-28-23527
HRZ Univ. Marburg Fax: +49-6421-28-26994
Hans-Meerwein-Str. E-Mail: pauly at HRZ.Uni-Marburg.DE
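An added example to illustrate the two credential formats contrasted in the post above (this is not code from the post, from FreeRADIUS, or from Samba): the NT hash that any MS-CHAPv2 verifier needs, computed as MD4 over the UTF-16LE password with no salt and no work factor, next to the salted, slow hash a PAP-bind store can keep for itself. MD4 is implemented in pure Python because OpenSSL 3 only ships it in the legacy provider, so `hashlib.new("md4")` is not reliably available. The `sambaNTPassword` attribute name matches the Samba LDAP schema; the PBKDF2 round count and the record field names are assumptions chosen for the demo.

```python
"""Added example (not from the mailing-list post, not FreeRADIUS or Samba code).

  * nt_hash()    : the value MS-CHAPv2 needs, MD4(UTF-16LE(password)); whoever
                   can read it can complete an MS-CHAPv2 exchange as the user.
  * pap_record() : a salted, slow hash of the kind an LDAP server keeps for
                   bind-as-user; it is checked in place and never handed out.
"""
import hashlib
import hmac
import os
import struct

MASK = 0xFFFFFFFF
PBKDF2_ROUNDS = 200_000   # assumption for the demo; tune to hardware/policy


def _md4(data: bytes) -> bytes:
    """MD4 per RFC 1320 (pure Python, for illustration only)."""
    def rotl(x, n):
        return ((x << n) | (x >> (32 - n))) & MASK

    def f(x, y, z):
        return (x & y) | (~x & z)

    def g(x, y, z):
        return (x & y) | (x & z) | (y & z)

    def h(x, y, z):
        return x ^ y ^ z

    # Padding: 0x80, zeros to 56 mod 64, then the bit length as little-endian u64.
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", len(data) * 8)

    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (
        (f, 0x00000000, (3, 7, 11, 19), tuple(range(16))),
        (g, 0x5A827999, (3, 5, 9, 13), (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
        (h, 0x6ED9EBA1, (3, 9, 11, 15), (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        s = list(state)
        for func, const, shifts, order in rounds:
            for i, k in enumerate(order):
                a = (4 - i % 4) % 4          # register order cycles ABCD, DABC, CDAB, BCDA
                b, c, d = (a + 1) % 4, (a + 2) % 4, (a + 3) % 4
                s[a] = rotl((s[a] + func(s[b], s[c], s[d]) + x[k] + const) & MASK, shifts[i % 4])
        state = [(u + v) & MASK for u, v in zip(state, s)]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> str:
    """MD4(UTF-16LE(password)) as Samba-style uppercase hex (sambaNTPassword).
    Unsalted and fast: every user with the same password gets the same value."""
    return _md4(password.encode("utf-16-le")).hex().upper()


def pap_record(password: str) -> dict:
    """What a PAP-bind-capable store keeps instead: salted and slow.
    Field names are an assumption of this demo."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "digest": digest, "rounds": PBKDF2_ROUNDS}


def pap_verify(record: dict, password: str) -> bool:
    """The 'authentication oracle' from the post: the store recomputes and compares,
    so the RADIUS server only ever learns yes/no and never sees the stored hash."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), record["salt"], record["rounds"])
    return hmac.compare_digest(digest, record["digest"])


def sync_password(cleartext: str) -> dict:
    """What a self-service password change would have to push out: the NT hash for
    MS-CHAPv2 (to AD and/or LDAP) plus the salted hash for PAP binds."""
    return {"sambaNTPassword": nt_hash(cleartext), "pap": pap_record(cleartext)}


if __name__ == "__main__":
    rec = sync_password("password")           # constructed sample input
    print("NT hash:", rec["sambaNTPassword"])  # readable attribute == password-equivalent
    print("PAP bind ok:", pap_verify(rec["pap"], "password"))
```

Running it prints the well-known NT hash of "password" (8846F7EAEE8FB117AD06BDD830B7586C), which is exactly why the post says to treat stolen NT hashes as stolen passwords: the verifier works from that value alone, whereas the PAP record can only be checked by the store that holds the salt and digest.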