List: freeradius-users
Subject: Re: Any updates on authenticating against Active Directory?
From: Alan DeKok <aland () deployingradius ! com>
Date: 2021-11-15 14:05:41
Message-ID: 07CBAC66-02DE-46AA-A0A0-3F940F5683EC () deployingradius ! com
On Nov 15, 2021, at 8:46 AM, Boyd, Christopher <cboyd@utsystem.edu> wrote:
> We're looking at this as well, but NTLM auth has been turned off in our environment.

Then MS-CHAP / PEAP-MSCHAP is impossible.

This kind of thing often comes from an absolutist view of security. "We can't do X, because it's insecure!". Ok then, that means many other things are now impossible to do. Things which you want to have.

You've got to have an informed trade-off for security. Figure out what you want (everything you want), and then pick the most secure option.

In this case, you could probably set up a Samba replica for AD, turn on ntlm_auth there, and then allow only the FreeRADIUS machine to access it. That gets you 100% of the functionality, with 99.9% of the security.

> There's this page that describes how to do auth with Kerberos, which may work, but I have not had a chance to test it yet. https://www.anyroam.net/node/90

I really hate third-party sites which give bad advice. Don't use Kerberos. It's not necessary.

From the article: "you need to properly setup TTLS with PAP authentication since Kerberos authentication will only work with this pairing of EAP methods"

Uh... why not just use LDAP then? FreeRADIUS can do LDAP "bind as user" to AD. It will work.
Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
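The LDAP "bind as user" setup Alan refers to, written out as an added configuration example (not from the thread or from the FreeRADIUS project's shipped files). It follows the FreeRADIUS 3.x module and virtual-server layout; the server name, base DN, service account and password are placeholders you would replace. Because bind-as-user sends the user's cleartext password to the directory in the bind, the outer method has to deliver a cleartext password to FreeRADIUS, i.e. EAP-TTLS with PAP in the inner tunnel (or plain PAP on a trusted network); it cannot serve MS-CHAP clients, which is exactly why ntlm_auth remains the only route for PEAP-MSCHAPv2.

```text
# --- mods-available/ldap (added example; hostnames and DNs are placeholders) ---
ldap {
        # AD domain controller or Samba AD replica; use ldaps:// or start_tls in production
        server = "ldaps://dc.example.internal"

        # Low-privilege search account used only to locate the user's DN.
        # The user's own bind (below) is what actually verifies the password.
        identity = "CN=radius-svc,OU=Service Accounts,DC=example,DC=internal"
        password = "REPLACE_WITH_SERVICE_ACCOUNT_PASSWORD"

        base_dn = "DC=example,DC=internal"

        user {
                base_dn = "${..base_dn}"
                # AD users log in by sAMAccountName; strip any realm first
                filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
                scope = 'sub'
        }

        options {
                # AD returns referrals for other naming contexts; chase them and rebind
                chase_referrals = yes
                rebind = yes
                timeout = 10
                timelimit = 3
                net_timeout = 1
        }

        tls {
                # Validate the DC certificate; placeholder CA path
                ca_file = /etc/raddb/certs/ad-ca.pem
                require_cert = 'demand'
        }
}

# --- sites-available/inner-tunnel, authorize section (TTLS/PAP inner requests) ---
# Look the user up; if found and a cleartext User-Password is present,
# hand authentication to the ldap module, which binds as the user.
ldap
if ((ok || updated) && User-Password) {
        update {
                control:Auth-Type := ldap
        }
}

# --- sites-available/inner-tunnel, authenticate section ---
Auth-Type LDAP {
        ldap
}
```

The same two stanzas go in sites-available/default if you also accept plain PAP outside a TLS tunnel. Limit the service account to read access on the user containers, and on the directory side restrict which hosts may bind (for a Samba replica, the same idea as allowing only the FreeRADIUS host to reach ntlm_auth) so a compromised RADIUS server cannot be used to spray passwords against the whole domain.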