AD-integration working well - questions about risk/exposure and related mechanisms

Alan DeKok aland at deployingradius.com
Mon Jan 16 19:50:12 UTC 2023 

On Jan 16, 2023, at 2:32 PM, Dag B <dag at bakke.com> wrote:
> So, after some fiddling, I can now authenticate users of our network gear (network admins) with AD, via freeradius. Thank you to any and all who have made that possible. It is truly appreciated.

  Good to hear.

> Arriving here, I just wanted to ask if there is any document discussing any additional risk or exposure for the AD-accounts by doing this.

  Many sites are simply terrible.  People read confusing vendor documentation, leap to conclusions, and write "helpful" articles full of misleading nonsense.  That being said, the best summary is here:

	https://networkradius.com/articles/2022/10/25/is-ntlm-secure.html

  But... there's no reason to panic over "ntlm_auth is insecure".  Do you let random people snoop the network traffic between RADIUS and AD?  No?  Then ntlm_auth is fine.

  If you do let random people snoop traffic on the management network, then the insecurity of ntlm_auth is the least of your problems.

> Note: I am not trying to imply there is one, nor am I trying to sell five feathers as whole chicken in a bag or however that analogy goes. I am merely acknowledging my relative ignorance w.r.t. how AD and RADIUS works and what security mechanisms it has in place for preventing abuse.
> 
> From the top of my head:
> 
> - Can someone use freeradius for unlimited tries at guessing an AD password?

  Pretty much, though you can limit that manually by tracking failed authentications.

  However, the usefulness of such an attack is severely limited by the performance limitations of AD and WiFi authentication.  We've done performance tests showing AD maxes out at a few hundred auths/s.  In order to do any real dictionary attack, an attacker would need to do tens of thousands a second.

  So good news, AD is too slow to be attacked in any reasonable manner.

> - If the radius secret becomes known to a bad actor, could they set up a 'farm' of radius clients in the defined client address spaces to bypass rate limits?

  See above.  Sending more packets doesn't make AD faster.

> - And likewise, could they instrument their radius client to reveal more information than we intend to?

  No.

> - Is there a better way to define clients than defining static hosts or networks in clients.conf? (We have an IPAM with an API. Could we employ this to only permit radius requests from known (expected) radius clients?)

  Yes.  See sites-available/dynamic-clients

> And I am certain there are more questions I should be asking. Conscious Incompetence and all that jazz....

  Asking questions is good.

  Alan DeKok.

More information about the Freeradius-Users mailing list