
Subject: Meeting the InCommon Assurance profile criteria using Active Directory


[AD-Assurance] Radius NTLMv1


  • From: Ron Thielen <>
  • To: "" <>
  • Subject: [AD-Assurance] Radius NTLMv1
  • Date: Wed, 29 Jan 2014 18:43:35 +0000
  • Accept-language: en-US

I don’t think we ever sufficiently addressed the issue of Radius using NTLMv1 to talk with the DC.  We address the fact that using PEAP-MS-CHAPv2 deals with the communication between the supplicant and the Radius server, but Radius servers which rely on Samba use NTLMv1 between the Radius server and a DC. 


When you research this you may find references to an unsupported patch for Samba that “fixes” the issue.  Apparently all the fix does is flip a bit which tells the DC “I know this is NTLMv1, but I want you treat it as NTLMv2.”  That doesn’t really address the issue.  From what I have found there is no easy fix for freeradius, steel belted radius, or others that use Samba code.


I think what we are left with here at my shop are three options.


1) Leave NTLMv1 turned on for everyone, but tunnel all Radius AuthN traffic to the DC over a protected channel.  Since I started my monitor and mitigate program about a year ago, I have only seen a handful of non-Radius NTLMv1 authentications.  I may leave NTLMv1 turned on and continue monitor and mitigate.

2) Move Radius to a Windows implementation.  Apparently the Windows version uses the LSAS and can then support NTLMv2.

3) Change Radius to use a separate DC that still supports NTLMv1 but uses a protected channel between the DC and Radius.  That way I can turn off NTLMv1 support on the main domain.  This has several big downsides and probably is a non-starter.  For example, all the supplicants would have to authenticate to a different domain, causing havoc on the day of the change.  It would also require one more credential sync between LDAP and this new DC.


Am I missing something?


Ron


BEGIN:VCARD
VERSION:2.1
X-MS-SIGNATURE:YES
N;LANGUAGE=en-us:Thielen;Ronald;J.
FN:Ronald J. Thielen
ORG:The University of Chicago
TITLE:IT Risk Management and Compliance
TEL;WORK;VOICE:+1 (773) 702-7612
ADR;WORK;PREF;ENCODING=QUOTED-PRINTABLE:;;IT Services=0D=0A=
6045 So. Kenwood Ave.;Chicago;IL;60637-2803;United States of America
LABEL;WORK;PREF;ENCODING=QUOTED-PRINTABLE:IT Services=0D=0A=
6045 So. Kenwood Ave.=0D=0A=
Chicago, IL  60637-2803
X-MS-OL-DEFAULT-POSTAL-ADDRESS:2
URL;WORK:http://home.uchicago.edu/~rthielen
EMAIL;PREF;INTERNET:
REV:20120725T231556Z
END:VCARD
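The "monitor and mitigate" approach in option 1 depends on being able to tell expected NTLMv1 logons (the RADIUS servers talking to the DC through Samba's ntlm_auth) apart from everything else. The following is an added example, not code from the original post or from any RADIUS or Samba project: it parses a handful of constructed Windows Security event 4624 records (flattened to key=value lines; the field names follow the event's data names, the values are made up) and triages the NTLMv1 ones by source host. The host names in `KNOWN_RADIUS_HOSTS` are assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed sample of 4624 (successful logon) events, flattened to
# "key=value; key=value" lines. Field names follow the event's XML data
# names; every value here is made up for the example.
SAMPLE_EVENTS = [
    "EventID=4624; TargetUserName=alice; WorkstationName=LAPTOP-01; IpAddress=10.1.2.3; AuthenticationPackageName=Kerberos; LmPackageName=-",
    "EventID=4624; TargetUserName=bob; WorkstationName=RADIUS-1; IpAddress=10.0.0.5; AuthenticationPackageName=NTLM; LmPackageName=NTLM V1",
    "EventID=4624; TargetUserName=carol; WorkstationName=OLDPRINTER; IpAddress=10.3.3.9; AuthenticationPackageName=NTLM; LmPackageName=NTLM V1",
    "EventID=4624; TargetUserName=dave; WorkstationName=FILESRV; IpAddress=10.2.2.2; AuthenticationPackageName=NTLM; LmPackageName=NTLM V2",
    "EventID=4624; TargetUserName=bob; WorkstationName=RADIUS-2; IpAddress=10.0.0.6; AuthenticationPackageName=NTLM; LmPackageName=NTLM V1",
    "EventID=4625; TargetUserName=eve; WorkstationName=LAPTOP-02; IpAddress=10.1.2.4; AuthenticationPackageName=NTLM; LmPackageName=NTLM V1",
]

# Hosts whose NTLMv1 use is known and accepted (the RADIUS servers that
# authenticate through Samba). Assumed names for the example; replace
# with your own inventory.
KNOWN_RADIUS_HOSTS = {"RADIUS-1", "RADIUS-2"}

FIELD_RE = re.compile(r"(\w+)=([^;]*)")


def parse_event(line):
    """Turn one flattened event line into a dict of field -> value."""
    return {key: value.strip() for key, value in FIELD_RE.findall(line)}


def is_ntlmv1_logon(event):
    """True for a successful logon (4624) negotiated over NTLMv1.

    LmPackageName carries the event's "Package Name (NTLM only)" field,
    which is "NTLM V1", "NTLM V2" or "-" for non-NTLM packages."""
    return (
        event.get("EventID") == "4624"
        and event.get("AuthenticationPackageName") == "NTLM"
        and event.get("LmPackageName", "").upper() == "NTLM V1"
    )


def triage_ntlmv1(lines, known_hosts=KNOWN_RADIUS_HOSTS):
    """Split NTLMv1 logons into expected (from known RADIUS hosts) and
    unexpected ones, with a per-source count of the unexpected set so the
    stragglers that still need fixing stand out."""
    expected, unexpected = [], []
    by_source = defaultdict(int)
    for line in lines:
        event = parse_event(line)
        if not is_ntlmv1_logon(event):
            continue
        source = event.get("WorkstationName") or event.get("IpAddress")
        if source in known_hosts:
            expected.append(event)
        else:
            unexpected.append(event)
            by_source[source] += 1
    return {
        "expected": expected,
        "unexpected": unexpected,
        "by_source": dict(by_source),
    }


if __name__ == "__main__":
    result = triage_ntlmv1(SAMPLE_EVENTS)
    print(f"{len(result['expected'])} NTLMv1 logons from known RADIUS hosts")
    for source, count in result["by_source"].items():
        print(f"unexpected NTLMv1 logons from {source}: {count}")
```

On a real DC the input would be the exported Security log rather than the constructed lines above; the point of keeping the known-host set explicit is that once RADIUS traffic to the DC is on a protected channel, any NTLMv1 logon from outside that set is the residue that still needs attention before NTLMv1 can be disabled domain-wide.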



Archive powered by MHonArc 2.6.16.
