EAP-TTLS-PAP with LDAP Authentication to Azure AD Domain Services
aland at deployingradius.com
Wed Jul 10 09:12:20 CEST 2019
On Jul 9, 2019, at 5:30 PM, IP <ip.infos at gmail.com> wrote:
> I'm trying to authenticate wifi users from on-premise network with 802.1x
> Freeradius 3.0 should be configured to accept eapol request with TTLS and
> Backend is Azure AD Domain Services with LDAPS
i.e. Active Directory.
The debug output you posted had messages about Active Directory.
> From Freeradius I've been able to run test with radtest and eapol_test
> freeradius5 at freeradius5:~$ radtest -x -t pap un00.test ABCD1234 localhost 0
We don't need to see that.
When you join the list, you get sent a link to a web page saying what we do need. Please READ IT.
> root at freeradius5:~# cat eap-ttls-pap.conf
> root at freeradius5:~# ./eapol_test -c eap-ttls-pap.conf -s testing123
We don't need to see any of that, either.
Please follow the documentation. It will help fix problems more quickly.
> I see this warnings but I dont understand if they are the origin of the
> (3) ldap: WARNING: No "known good" password added. Ensure the admin user
> has permission to read the password attribute
> (3) ldap: WARNING: PAP authentication will *NOT* work with Active Directory
> (if that is what you were trying to configure)
Active Directory does not return a password to FreeRADIUS. So FreeRADIUS can't authenticate the user.
Most LDAP servers will return a password to FreeRADIUS. Active Directory isn't entirely an LDAP server.
> The "admin" account that is configured to query the ldap belongw to the
> group AAD DC Administrator
That's nice. It doesn't make any difference.
> Need your help :-)
Read sites-available/default. Look for:
# Uncomment it if you want to use ldap for authentication
And then uncomment the block, and follow the instructions.
More information about the Freeradius-Users