ntlm & lsa backends
This document covers the NTLM and LSA backend types, which enable integration with Windows authentication ecosystems.
| Backend | Purpose |
|---|---|
ntlm | Authenticate users via an external helper implementing NTLM challenge/response (domain or local accounts). |
lsa | Authenticate locally (or domain via local security authority) exposing group membership & contextual identity attributes. |
Both backends are typically used in environments where existing Windows account infrastructure must be reused for RADIUS / TACACS+ / HTTP-based authentication.
1. NTLM Backend
The ntlm backend delegates credential validation to an external helper
program. This offers isolation and allows reuse of platform-specific or
privileged code without embedding it directly into the main server process.
Configuration Example
backends {
ntlm "NTLM_AUTH" {
program "/usr/local/libexec/radiator/ntlm-helper";
arguments ["--mode","auth"];
processes 4;
username "radiator_svc";
domain "EXAMPLE";
}
}
Key Directives
| Directive | Required | Description |
|---|---|---|
program | Yes | Absolute path to helper binary/script. Must be executable. |
arguments [...] | No | Static array of arguments passed at helper startup. |
processes <n>; | No | Preforked helper process pool size (throughput scaling). |
username "..."; | No | Service / machine account hint (helper-dependent). |
domain "..."; | No | Windows domain hint forwarded to helper. |
statistics { ... } | No | Per-backend stats configuration (if metrics enabled). |
service_level_objective { ... } | No | Performance expectations guiding health logic. |
The helper generally implements:
- Challenge generation (for MSCHAPv2 / NTLM handshake).
- Response verification against a Windows domain controller or local SAM.
- Return of success/failure and optionally group data (if protocol supports).
Scaling
Increase processes to improve concurrency if many simultaneous authentications
occur and the helper is CPU or I/O bound. Oversizing wastes memory / context
switch time. Monitor throughput before adjusting.
Failure Modes
| Symptom | Cause | Action |
|---|---|---|
| Frequent timeouts | Helper hung or DC unreachable | Inspect helper logs / network to DC |
| High failure rate after upgrade | Helper version mismatch | Roll back or rebuild helper with compatible libraries |
| Crash loop | Bad arguments / missing binary | Verify program path & permissions |
Security Considerations
- Restrict file permissions on the helper binary (
750or tighter). - Keep helper updated with security patches.
- Limit environment variables to avoid leaking secrets.
- Validate that helper does not expose shell injection surfaces via arguments.
2. LSA Backend
The lsa backend authenticates against the local Windows Security Authority
(Lsass). It may provide group membership and other contextual attributes directly
from the local or domain-joined machine.
Configuration Example
backends {
lsa "LSA_LOCAL" {
group ["Administrators","NetworkOps"];
domain "EXAMPLE";
domain_controller "dc01.example.com";
connections 8;
}
}
Key Directives
| Directive | Required | Description |
|---|---|---|
group [ ... ]; | Yes (at least one) | Static groups to associate (augmentation baseline). |
process "name"; | No | Target process/context hint (advanced / rarely needed). |
username "..."; | No | Service context user (if needed). |
workstation "..."; | No | Workstation / host identifier hint. |
domain "..."; | No | Domain override (if machine is multi-domain or needs explicit selection). |
domain_controller "..."; | No | Preferred DC hostname. |
connections <n>; | No | Maximum parallel LSA logical sessions. |
statistics { ... } | No | Per-backend metrics configuration. |
service_level_objective { ... } | No | Latency / error budget hints. |
Behavior
- Authentication is performed locally; domain join state influences available accounts and groups.
- Static
groupentries act as guaranteed role tags; dynamic group retrieval (if implemented internally) is additive.
Performance
connections controls parallel LSA contexts. Start conservatively (4–8) and
increase only if latency or queueing appears under load.
Failure Modes
| Symptom | Cause | Action |
|---|---|---|
| Intermittent auth failures | Domain controller switching / replication delay | Specify domain_controller or review AD health |
| Slow logons | DC latency | Increase connections; profile network path |
| Missing groups | Domain trust / replication gap | Confirm group membership in AD; check dynamic mapping logic |
Mapping to AAA Pipelines
Typical handler snippet incorporating Windows-based authentication:
aaa {
policy "WIN_AUTH" {
handler "NTLM_USERS" {
authentication {
backend "NTLM_AUTH";
mschapv2;
}
authorization {
# Use static/dynamic groups populated from backend
if all {
user.group == "Administrators";
} then {
set response.reply-message = "Admin access granted";
accept;
}
accept;
}
}
}
}
For LSA:
authentication {
backend "LSA_LOCAL";
mschapv2;
}