ntlm_auth and FR
Gopal Raman
graman at nilesecure.com
Wed Jan 22 16:35:54 UTC 2025
I'm running PEAP authentication with my Radius server running on Ubuntu
22.04 and the same box also runs Samba 4 and is configured as an AD Domain
Controller (just for testing). I want to use NTLM to do the MS-CHAPv2
challenge response. I followed the Freeradius documentation that shows how
to use ntlm_auth to get the NT-KEY and it works as expected when I invoke
it like so from the bash shell:
# ntlm_auth --allow-mschapv2 --request-nt-key --domain=CN.LAN \
    --username=nileadmin --challenge=eaea1458abf1a0b7 \
    --nt-response=8f9ab8760a15cd40f2686c5a4c7954922ed17fb9f4cad7b3
Using the NT-KEY the Radius server is able to complete the PEAP
handshake with the client.
But what I really want is for the Radius server to run on a separate Linux
host (say RadSrv) and talk to an external DC (like a Microsoft server).
I've made RadSrv a member of the AD domain. When I run the exact same
ntlm_auth on the RadSrv host, it reports that the password is incorrect and
does not produce the NT-KEY.
My question is whether using Samba it's even possible to do what I'm
attempting. In other words, should a domain member (not the DC) be able to
run ntlm_auth and achieve the same result? I can share smb.conf and other
details on the DC and member if needed.
Thanks
Gopal Raman
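Added example, not code from the post or from FreeRADIUS or Samba: the 8-byte --challenge value handed to ntlm_auth above is the MS-CHAPv2 ChallengeHash of RFC 2759, derived from the client's 16-byte peer challenge, the server's 16-byte authenticator challenge and the bare user name. This script reproduces that derivation, assembles the ntlm_auth argument vector from raw bytes, and reads back the NT_KEY line that a successful run prints; the two challenge values and the sample outputs are constructed.

```python
import hashlib
from typing import List, Optional

# Constructed sample inputs (not from a real capture): the 16-byte peer challenge
# from the client's MS-CHAP2-Response, the 16-byte authenticator challenge the
# RADIUS server sent in MS-CHAP-Challenge, and the user name as the client typed it.
PEER_CHALLENGE = bytes.fromhex("21402324255e262a28295f2b3a337c7e")
AUTH_CHALLENGE = bytes.fromhex("5b5d7c7d5f5b5d7c7d5f5b5d7c7d5f5b")
USER_NAME = "nileadmin"


def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, user_name: str) -> bytes:
    """RFC 2759 ChallengeHash: SHA1(PeerChallenge || AuthenticatorChallenge || UserName)[:8].

    The result is the 8-byte value that appears as --challenge on the ntlm_auth
    command line; only the account name, without any DOMAIN\\ prefix, is hashed.
    """
    if len(peer_challenge) != 16 or len(auth_challenge) != 16:
        raise ValueError("MS-CHAPv2 challenges are exactly 16 bytes each")
    bare_user = user_name.rsplit("\\", 1)[-1]
    digest = hashlib.sha1(peer_challenge + auth_challenge + bare_user.encode()).digest()
    return digest[:8]


def ntlm_auth_command(domain: str, user_name: str, challenge: bytes, nt_response: bytes) -> List[str]:
    """Build the argument vector for the ntlm_auth invocation shown in the post."""
    if len(challenge) != 8 or len(nt_response) != 24:
        raise ValueError("challenge must be 8 bytes and NT-Response 24 bytes")
    return [
        "ntlm_auth", "--allow-mschapv2", "--request-nt-key",
        f"--domain={domain}", f"--username={user_name}",
        f"--challenge={challenge.hex()}", f"--nt-response={nt_response.hex()}",
    ]


def parse_nt_key(output: str) -> Optional[str]:
    """Return the hex NT_KEY from ntlm_auth's stdout, or None when the logon failed.

    On success ntlm_auth --request-nt-key prints a line of the form "NT_KEY: <hex>";
    on failure (the symptom described on the member server) that line is absent.
    """
    for line in output.splitlines():
        if line.startswith("NT_KEY:"):
            return line.split(":", 1)[1].strip()
    return None
```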