EAP-MSCHAPv2 and AD Authentication w/o ntlm_auth

BOUILLOUD Corentin cbouilloud at systra.com
Tue Jul 11 14:00:23 UTC 2023


Thanks for the clarification.
ntlm_auth it is then :D

-----Original Message-----
From: Alan DeKok <aland at deployingradius.com>
Sent: Monday, 10 July 2023 16:29
To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
Subject: Re: EAP-MSCHAPv2 and AD Authentication w/o ntlm_auth

On Jul 10, 2023, at 10:11 AM, BOUILLOUD Corentin <cbouilloud at systra.com> wrote:
> I would like to use Kerberos instead of ntlm_auth to authenticate AD users with FreeRADIUS.

  Does Kerberos support MS-CHAP?  Does Kerberos supply a clear-text password to FreeRADIUS?

  The answer to both of those questions is "no".

> I configured the 'mschap' module to use the winbind daemon directly
> and, if I understood the Samba documentation properly, winbindd can't authenticate users itself. It uses the 'pam_winbind' module, which we can configure to use Kerberos.

  I don't think that's correct.  pam_winbind talks to the winbindd process.  That process then talks to Samba, and then to AD.  This is all documented:

https://www.samba.org/samba/docs/current/man-html/pam_winbind.8.html

        pam_winbind is a PAM module that can authenticate users against the local domain by talking to the Winbind daemon.

> Could you confirm that this is correct and/or possible in another way?

  You cannot use Kerberos to authenticate MS-CHAP.  It's impossible.

> https://www.samba.org/samba/docs/current/man-html/pam_winbind.8.html
> krb5_auth
>    pam_winbind can authenticate using Kerberos when winbindd is talking to an Active Directory domain controller.
>    Kerberos authentication must be enabled with this parameter.

  That means the pam_winbind software can talk Kerberos to winbindd, which then sends the Kerberos data to AD.

  It doesn't mention MS-CHAP.  Because it's impossible to use Kerberos to authenticate MS-CHAP.

  The mschap module documents what's possible.  If you want to do MS-CHAP authentication with AD, use Samba and ntlm_auth, or winbind.  As is documented in the mschap module configuration.

  Alan DeKok.
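The reason the answer is "ntlm_auth or winbind" follows from how MS-CHAPv2 works: the client proves knowledge of the NT hash (MD4 of the password) by computing a DES-based response to a challenge (RFC 2759). Whoever verifies that response therefore needs either the NT hash itself or a domain controller that will check the response over NETLOGON on its behalf, which is exactly what ntlm_auth and winbind provide. A Kerberos ticket gives FreeRADIUS neither. The fragment below is an added example, not from the original thread or from the FreeRADIUS or Samba projects' shipped defaults; it shows the two supported AD back-ends for the mschap module side by side, in mods-available/mschap syntax, plus the smb.conf settings that go with them. The domain EXAMPLE / EXAMPLE.COM and the /usr/bin/ntlm_auth path are assumptions for illustration.

```conf
# mods-available/mschap on the FreeRADIUS host (added example, not a shipped default)
mschap {
	use_mppe = yes
	require_encryption = yes
	require_strong = yes
	with_ntdomain_hack = yes

	# Option 1: talk to winbindd directly over libwbclient. No process is
	# forked per request; winbindd forwards the MS-CHAPv2 challenge and
	# NT-Response to the DC, which verifies them against the stored NT hash.
	# Uncomment these two lines and leave ntlm_auth commented out.
	winbind_username = "%{mschap:User-Name}"
	winbind_domain = "%{mschap:NT-Domain}"

	# Option 2: run Samba's ntlm_auth for every authentication.
	# --request-nt-key asks the DC to return the NT key so the MPPE keys
	# can be derived; --allow-mschapv2 marks the request as MS-CHAPv2 so
	# Samba's NTLMv1 restrictions do not reject it.
	# Comment out the winbind_* lines above if you use this instead.
	#ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --allow-mschapv2 --domain=%{mschap:NT-Domain} --username=%{mschap:User-Name} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
	#ntlm_auth_timeout = 10
}

# /etc/samba/smb.conf on the same host, joined to the domain as a member
[global]
	workgroup = EXAMPLE
	realm = EXAMPLE.COM
	security = ads
	winbind use default domain = yes
	# The default "ntlm auth = ntlmv2-only" keeps NTLMv1 off but, on a
	# Samba DC, also refuses MS-CHAPv2. This value keeps NTLMv1 disabled
	# while accepting MS-CHAPv2 requests flagged with --allow-mschapv2.
	ntlm auth = mschapv2-and-ntlmv2-only
```

Either back-end requires the RADIUS daemon's user to reach winbindd's privileged socket (on most packagings, by adding that user to the group that owns the winbindd_privileged directory). Before touching FreeRADIUS at all, check the Samba side on its own from a shell as that user, for example `ntlm_auth --request-nt-key --domain=EXAMPLE --username=alice --password='...'`; until that prints NT_STATUS_OK, no mschap configuration will succeed. Note that neither option ever shows FreeRADIUS the user's password or NT hash: the hash stays on the DC, and only the per-session NT key comes back.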

