7.11. Block NTLM Auth against AD on MSCHAP Authentications
In certain authentication scenarios we may want to prevent NTLM queries against the AD when authenticating users by credentials (MSCHAP).
Note
These credential requests are only made when the ON Cores are joined to the domain; if they are not joined, no NTLM queries are sent in the first place.
To prevent this, we can edit the RADIUS configuration so that it rejects all requests of this type.
Apply the following changes from the terminal of the ON Core that performs the authentications:
Create a new mschap module:
cp -ipr /etc/raddb/mods-available/mschap_opennac /etc/raddb/mods-available/mschap_opennac_reject
Modify the opennac_auth call in the new module:
vim /etc/raddb/mods-available/mschap_opennac_reject
In this line we need to change the “--auth-type” option from “mschap” to “reject” (original line first, modified line after the arrow):
ntlm_auth = "/usr/bin/opennac_auth --auth-type mschap --domain %{control:Realm} --username %{%{mschap_ad_opennac:User-Name}:-00} --challenge %{%{mschap_ad_opennac:Challenge}:-00} --nt-response %{%{mschap_ad_opennac:NT-Response}:-00}"
## -->
ntlm_auth = "/usr/bin/opennac_auth --auth-type reject --domain %{control:Realm} --username %{%{mschap_ad_opennac:User-Name}:-00} --challenge %{%{mschap_ad_opennac:Challenge}:-00} --nt-response %{%{mschap_ad_opennac:NT-Response}:-00}"
Point the enabled “mschap_opennac” link at the new module:
ln -sf ../mods-available/mschap_opennac_reject /etc/raddb/mods-enabled/mschap_opennac
Restart radius service:
systemctl restart radiusd
Once these changes are applied, all MSCHAP requests are rejected directly, without performing the authentication against the AD.
The “status message” of these requests will show the following message:
“Forced REJECT in authentication”
Note
If at any time we want to restore the original behaviour, we must point the link back to the original module, “../mods-available/mschap_opennac”, and restart the radius service again. The “mschap_opennac_reject” file can stay in mods-available; it is not loaded unless the link points at it.
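The whole procedure above, together with the reverse switch from the note, as an added shell script that is not part of the OpenNAC documentation or product. It assumes the FreeRADIUS layout shown above (mods-available/mschap_opennac as the source module, mods-enabled/mschap_opennac as the link radiusd loads). The RADDB and RESTART_CMD variables and the function names are the example's own, introduced so the script can be dry-run against a scratch copy of the tree; it rewrites the --auth-type value with sed instead of editing by hand, and it checks what radiusd will actually load after each switch.

```shell
#!/bin/sh
# Added example (not OpenNAC code): switch the mschap_opennac module between
# the live NTLM path (--auth-type mschap) and a forced REJECT (--auth-type reject).
# Hypothetical knobs: RADDB (config root) and RESTART_CMD (how radiusd is restarted),
# so the script can be exercised against a scratch copy of /etc/raddb.
set -eu

RADDB="${RADDB:-/etc/raddb}"
RESTART_CMD="${RESTART_CMD:-systemctl restart radiusd}"
ENABLED="mschap_opennac"            # name radiusd loads from mods-enabled/

# Copy mods-available/mschap_opennac to mschap_opennac_reject and flip only the
# --auth-type value in the ntlm_auth line. Fails if the flip did not happen.
make_reject_module() {
    src="$RADDB/mods-available/mschap_opennac"
    dst="$RADDB/mods-available/mschap_opennac_reject"
    [ -f "$src" ] || { echo "missing $src" >&2; return 1; }
    cp -p "$src" "$dst"
    sed -i 's/--auth-type mschap /--auth-type reject /' "$dst"
    grep -q -- '--auth-type reject ' "$dst"
}

# Point mods-enabled/mschap_opennac at the given mods-available module and restart.
enable_module() {
    target="$1"
    [ -f "$RADDB/mods-available/$target" ] || { echo "no module $target" >&2; return 1; }
    ln -sf "../mods-available/$target" "$RADDB/mods-enabled/$ENABLED"
    $RESTART_CMD
}

# Name of the module currently behind mods-enabled/mschap_opennac.
current_module() {
    basename "$(readlink "$RADDB/mods-enabled/$ENABLED")"
}

# The check that matters: inspect what radiusd will load, not just the link name.
ntlm_blocked() {
    grep -q -- '--auth-type reject ' "$RADDB/mods-enabled/$ENABLED"
}

block_ntlm()   { make_reject_module && enable_module mschap_opennac_reject; }
unblock_ntlm() { enable_module mschap_opennac; }

case "${1:-}" in
    block)   block_ntlm ;;
    unblock) unblock_ntlm ;;
    status)  if ntlm_blocked; then echo "NTLM blocked ($(current_module))"
             else echo "NTLM allowed ($(current_module))"; fi ;;
    "")      ;;    # no argument: only define the functions
    *)       echo "usage: $0 block|unblock|status" >&2; exit 1 ;;
esac
```

Run it as `block`, `unblock` or `status` on the ON Core that authenticates. The script uses `cp -p` rather than the `cp -ipr` of the manual steps so that it can be rerun without an interactive prompt; `status` reads the enabled file itself, which is the check to run after every switch, since a link name says nothing about what the file behind it contains.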