EAP-MSCHAPv2 and AD Authentication w/o ntlm_auth
Alan DeKok
aland at deployingradius.com
Mon Jul 10 14:28:38 UTC 2023
On Jul 10, 2023, at 10:11 AM, BOUILLOUD Corentin <cbouilloud at systra.com> wrote:
> I would like to use Kerberos instead of ntlm_auth to authenticate AD users with FreeRADIUS.
Does Kerberos support MS-CHAP? Does Kerberos supply a clear-text password to FreeRADIUS?
The answer to both of those questions is "no".
> I configured the 'mschap' module to directly use the winbind daemon and, if I understood the Samba documentation properly,
> winbindd can't authenticate users itself. It uses the 'pam_winbind' module, which we can configure to use Kerberos.
I don't think that's correct. pam_winbind talks to the winbindd process. That process then talks to Samba, and then to AD. This is all documented:
https://www.samba.org/samba/docs/current/man-html/pam_winbind.8.html
pam_winbind is a PAM module that can authenticate users against the local domain by talking to the Winbind daemon.
> Could you confirm for me that this is correct and/or possible in another way?
You cannot use Kerberos to authenticate MS-CHAP. It's impossible.
> https://www.samba.org/samba/docs/current/man-html/pam_winbind.8.html
> krb5_auth
> pam_winbind can authenticate using Kerberos when winbindd is talking to an Active Directory domain controller.
> Kerberos authentication must be enabled with this parameter.
That means the pam_winbind software can talk Kerberos to winbindd, which then sends the Kerberos data to AD.
It doesn't mention MS-CHAP. Because it's impossible to use Kerberos to authenticate MS-CHAP.
The mschap module documents what's possible. If you want to do MS-CHAP authentication with AD, use Samba and ntlm_auth, or winbind. As is documented in the mschap module configuration.
Alan DeKok.
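For readers following the thread, here is an added example (not part of the original message) of the two supported ways the mschap module can be pointed at AD, as described in its shipped configuration: the ntlm_auth helper, or the winbind library directly. The ntlm_auth path is a placeholder; in both cases Samba obtains the NT hash from the domain controller to verify the MS-CHAPv2 response, which is exactly what a Kerberos ticket cannot supply.

```conf
# mods-available/mschap (FreeRADIUS 3.x) -- added example, not the original post.
mschap {
	# MPPE keys are derived from the NT hash, so they are only available
	# when the NT-Response is verified against the real hash from AD.
	use_mppe = yes
	require_encryption = yes
	require_strong = yes

	# Strip the "DOMAIN\" prefix that Windows supplicants prepend to the user name.
	with_ntdomain_hack = yes

	# Option 1: hand the challenge/response pair to Samba's ntlm_auth helper.
	# The helper asks the DC to verify it and returns the NT key for MPPE.
	# Replace /path/to/ntlm_auth with the real binary location (placeholder).
	ntlm_auth = "/path/to/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"

	# Option 2: skip the fork/exec and call winbind directly. Comment out
	# ntlm_auth above when using this; the module prefers winbind when both
	# winbind_username and winbind_domain are set.
	#winbind_username = "%{mschap:User-Name}"
	#winbind_domain = "%{mschap:NT-Domain}"
	#winbind_retry_with_normalised_username = no
}
```

Neither option involves a Kerberos ticket or a clear-text password; the only thing the domain controller returns is the result of checking the NT-Response, which is why the reply above says Kerberos cannot be substituted here.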