
List:       freeradius-users
Subject:    Re: Any updates on authenticating against Active Directory?
From:       Alan DeKok <aland () deployingradius ! com>
Date:       2021-11-15 14:05:41
Message-ID: 07CBAC66-02DE-46AA-A0A0-3F940F5683EC () deployingradius ! com

On Nov 15, 2021, at 8:46 AM, Boyd, Christopher <cboyd@utsystem.edu> wrote:
> We're looking at this as well, but NTLM auth has been turned off in our
> environment.

  Then MS-CHAP / PEAP-MSCHAP is impossible.

  This kind of thing often comes from an absolutist view of security.  "We can't do
X, because it's insecure!".  Ok then, that means many other things are now impossible
to do.  Things which you want to have.

  You've got to have an informed trade-off for security.  Figure out what you want
(everything you want), and then pick the most secure option.

  In this case, you could probably set up a Samba replica for AD, turn on ntlm_auth
there, and then allow only the FreeRADIUS machine to access it.  That gets you 100%
of the functionality, with 99.9% of the security.

> There's this page that describes how to do auth with Kerberos, which may work, but
> I have not had a chance to test it yet. https://www.anyroam.net/node/90

  I really hate third-party sites which give bad advice.  Don't use Kerberos.  It's
not necessary.

  From the article:  "you need to properly setup TTLS with PAP authentication since
Kerberos authentication will only work with this pairing of EAP methods"

  Uh... why not just use LDAP then?  FreeRADIUS can do LDAP "bind as user" to AD.  It
will work.

  Alan DeKok.
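What the LDAP "bind as user" setup mentioned above looks like in FreeRADIUS 3.x configuration, with TTLS/PAP carrying the password in the inner tunnel. This is an added illustration, not part of the thread or of the FreeRADIUS default configuration; the domain controller name, DNs, service account and CA file path are assumed placeholders.

```conf
# mods-available/ldap (FreeRADIUS 3.x syntax). Added illustration, not from the thread;
# host name, DNs, service account and CA path are assumed placeholders.
ldap {
	# LDAPS to a domain controller; the DC certificate must chain to ca_file below.
	server = 'ldaps://dc1.example.internal'

	# Low-privilege account used only to search for the user's DN.
	identity = 'CN=radius-bind,OU=Service Accounts,DC=example,DC=internal'
	password = 'change-me'
	base_dn = 'DC=example,DC=internal'

	user {
		base_dn = "${..base_dn}"
		# AD users log in by sAMAccountName; use the realm-stripped name if present.
		filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
	}

	options {
		# AD answers with referrals to other naming contexts; follow them and
		# rebind as the search identity when doing so.
		chase_referrals = yes
		rebind = yes
	}

	tls {
		ca_file = /etc/freeradius/certs/ad-root-ca.pem
		require_cert = 'demand'
	}
}

# sites-available/inner-tunnel: the TTLS inner request carries User-Password
# (PAP), so authentication is an LDAP bind as that user with that password.
server inner-tunnel {
	authorize {
		# ... default modules (filter_username, suffix, eap, ...) elided ...
		-ldap
		if ((ok || updated) && User-Password && !control:Auth-Type) {
			update {
				control:Auth-Type := ldap
			}
		}
	}
	authenticate {
		Auth-Type LDAP {
			ldap
		}
	}
}
```

With TTLS/PAP the user's password travels in clear inside the TLS tunnel, so supplicants must be configured to validate the RADIUS server certificate; otherwise a rogue access point with its own RADIUS server can harvest passwords.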
