In this case, if you happen to be using Samba as your PDC with an LDAP backend, you should actually be able to use rlm_ldap to lookup the NTLM hashes from the same LDAP tree that your Samba PDC uses. Once you have those hashes, you can do MSCHAPv2 without having to use ntlm_auth.

--Mike

Phil Mayers wrote:
Stefan Adams wrote:
Phil, thanks for the information!

"Finally you need an AD domain (not NT4) to do that."

Are you saying I actually need a Microsoft Server?  A Samba domain
controller won't suffice?  Being that I have no (ZERO) Microsoft servers,
are my chances of doing machine authentication nil?


Ah, that's a different kettle of fish entirely. In this specific case I *believe* the RPC call allowing you to MSCHAP a machine account is a newer RPC, so since Samba emulates NT4 you may still find that method doesn't work.

But, if you have a samba domain controller, you can in a supported fashion extract the LM and NT hashes from your SAM, and give those to FreeRadius directly, which can then do the MSCHAP without a callout to the domain at *all*, which has obvious scalability and resilience value.

How to do this depends on what SAM backend you're using, whether the FreeRadius server runs on the same machine as the Samba DC or a different one, and of course whether your site policy permits the "risk" of moving the LM/NT hashes around, though I personally don't buy the arguments about the risk involved there.

If you're using an LDAP backend, see frequent posts about using LDAP and ways of mapping the ntPassword LDAP attribute to the NT-Password radius attribute.

If you're using smbpasswd, then a "passwd" file module can be used in FreeRadius, with the config as described in the default radiusd.conf (I believe), subject to you obviously getting the file somewhere FreeRadius can see it, and HUPing the server if/when it changes.

Other SAMs (TDB, etc.) can probably be done similarly but that's samba-specific.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
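For the smbpasswd case Phil describes (FreeRadius reading the LM/NT hashes straight from the Samba password file and doing MS-CHAP itself, with no ntlm_auth callout), here is an added example of the relevant radiusd.conf fragments. It is written for this reply and is not taken from either poster or from the FreeRadius distribution verbatim; the file path /etc/samba/smbpasswd and the sample account line are assumptions, and the hash values in that line are the well-known hashes of an empty password, constructed purely for illustration.

```conf
# --- constructed sample line from the smbpasswd file (NOT a real account) ---
# username:uid:LM-hash:NT-hash:[flags]:LCT-timestamp:
# alice:1001:AAD3B435B51404EEAAD3B435B51404EE:31D6CFE0D16AE931B73C59D7E0C089C0:[U          ]:LCT-00000000:

# Read the Samba password file with rlm_passwd.  The format string maps each
# colon-separated field to a RADIUS attribute; "*" marks the lookup key and
# an empty name skips a field (uid and LCT are not needed).
passwd smbpasswd {
	# assumed location; the file only needs to be readable by the radiusd user
	filename = /etc/samba/smbpasswd
	format = "*User-Name::LM-Password:NT-Password:SMB-Account-CTRL-TEXT::"
	# force MS-CHAP authentication when the user is found
	authtype = MS-CHAP
	hashsize = 100
	ignorenislike = no
	allowmultiplekeys = no
}

# rlm_mschap uses the NT-Password / LM-Password attributes set above.
# Leave "ntlm_auth" unset so no callout to the domain controller is made.
mschap {
	authtype = MS-CHAP
	use_mppe = yes
	require_encryption = yes
	require_strong = yes
}

authorize {
	preprocess
	mschap
	# populate NT-Password/LM-Password from the file before authentication
	smbpasswd
}

authenticate {
	Auth-Type MS-CHAP {
		mschap
	}
}
```

Two practical notes: rlm_passwd loads the file into memory at startup, so the server has to be HUPed (or restarted) whenever Samba changes a password; and the SMB-Account-CTRL-TEXT flags field lets rlm_mschap reject disabled accounts, so keep that field in the format string rather than skipping it. For the LDAP backend Phil mentions, the equivalent is a mapping of the Samba hash attributes to the same RADIUS attributes in rlm_ldap's attribute map (in older releases the ldap.attrmap file, e.g. checkItem NT-Password sambaNTPassword and checkItem LM-Password sambaLMPassword; attribute names depend on the Samba schema in use), after which the mschap module behaves exactly as above.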
