EAP with FreeRadius and Azure Active Directory
Adam Bishop
Adam.Bishop at jisc.ac.uk
Fri Sep 2 09:51:32 CEST 2016
On 2 Sep 2016, at 08:06, Scott Armitage <S.P.Armitage at lboro.ac.uk> wrote:
> I haven’t used Azure but a quick google suggests RADIUS Authentication and Azure Multi-Factor Authentication Server. This seems to suggest you proxy the inner tunnel (MSCHAPv2) to the Azure MFA server. Doesn’t seem very secure to me proxying MSCHAPv2 across the Internet.
>
> https://azure.microsoft.com/en-gb/documentation/articles/multi-factor-authentication-get-started-server-radius/
I can't find the code right now but it was fairly easy to write a shim that authenticated against Azure AD using OAUTH or SAML.
Off the top of my head, I created a dummy native application and used C# ADAL to obtain a token or assertion using the users credentials (via TTLS/PAP) and verify the validity.
FreeRADIUS just called the binary in the same way as ntlm_auth.
Regards,
Adam Bishop
gpg: E75B 1F92 6407 DFDF 9F1C BF10 C993 2504 6609 D460
jisc.ac.uk
Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800.
Jisc Services Limited is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under company number 2881024, VAT number GB 197 0632 86. The registered office is: One Castle Park, Tower Hill, Bristol BS2 0JA. T 0203 697 5800.
More information about the Freeradius-Users
mailing list