On Jul 9, 2019, at 5:30 PM, IP <ip.infos@gmail.com> wrote:
I'm trying to authenticate wifi users from on-premise network with 802.1x Freeradius 3.0 should be configured to accept eapol request with TTLS and PAP Backend is Azure AD Domain Services with LDAPS
i.e. Active Directory. The debug output you posted had messages about Active Directory.
From Freeradius I've been able to run test with radtest and eapol_test
freeradius5@freeradius5:~$ radtest -x -t pap un00.test ABCD1234 localhost 0 testing123
We don't need to see that. When you join the list, you get sent a link to a web page saying what we do need. Please READ IT. http://wiki.freeradius.org/list-help
root@freeradius5:~# cat eap-ttls-pap.conf ... root@freeradius5:~# ./eapol_test -c eap-ttls-pap.conf -s testing123
We don't need to see any of that, either. Please follow the documentation. It will help fix problems more quickly.
I see this warnings but I dont understand if they are the origin of the issue
(3) ldap: WARNING: No "known good" password added. Ensure the admin user has permission to read the password attribute (3) ldap: WARNING: PAP authentication will *NOT* work with Active Directory (if that is what you were trying to configure)
Active Directory does not return a password to FreeRADIUS. So FreeRADIUS can't authenticate the user. Most LDAP servers will return a password to FreeRADIUS. Active Directory isn't entirely an LDAP server.
The "admin" account that is configured to query the ldap belongw to the group AAD DC Administrator
That's nice. It doesn't make any difference.
Need your help :-)
Read sites-available/default. Look for: # Uncomment it if you want to use ldap for authentication And then uncomment the block, and follow the instructions. Alan DeKok.