Hello, We have a Freeradius server two years long successfully providing EduRoam connectivity for our customer. Local Identity provider is Microsoft Server 2016 AD. WiFi clients are most Windows 10 clients and phones. However the customer wants to switch to Azure AD and ( in time) get rid of their Windows servers. They want to authenticate with Azure AADDS Ldaps I doubt if it is possible with (Free)Radius, I guess the combination is not in the compatibility matrix, but I’m not sure: It’s not 100% clear to me, which encryption method Azure uses for storing passwords in LDAPs. Question 1. is it possible FreeRadius for wifi-auth. with Azure AD as IP? I have set up an other EduRoam FreeRadius server anyway: What works: - ldapsearch -H ldaps.mydomain.nl -x -b “dc=mydomain,dc=nl” - radtest abba.king@mydomain <userpassword> 127.0.0.1 -1 testing123 - "Received Access-Accept" What doesnt work: - Authentication with WiFi (on windows 10 PC with native eap-peap / mschapv2 ) error: eap_mschapv2: authenticate { (8) mschap: WARNING: No Cleartext-Password configured. Cannot create NT-Password (8) mschap: WARNING: No Cleartext-Password configured. Cannot create LM-Password (8) mschap: Creating challenge hash with username: abba.king@mydomain.nl (8) mschap: Client is using MS-CHAPv2 (8) mschap: ERROR: FAILED: No NT/LM-Password. Cannot perform authentication (8) mschap: ERROR: MS-CHAP2-Response is incorrect (8) [mschap] = reject Did I make a mistake? Or is it not possible? Greetings and thanks for FreeRadius, Tanya
On Jun 9, 2021, at 6:24 AM, Tanya Stawicki <tanyastawicki@gmail.com> wrote:
We have a Freeradius server two years long successfully providing EduRoam connectivity for our customer. Local Identity provider is Microsoft Server 2016 AD. WiFi clients are most Windows 10 clients and phones.
However the customer wants to switch to Azure AD and ( in time) get rid of their Windows servers. They want to authenticate with Azure AADDS Ldaps
I doubt if it is possible with (Free)Radius, I guess the combination is not in the compatibility matrix, but I’m not sure: It’s not 100% clear to me, which encryption method Azure uses for storing passwords in LDAPs.
Most likely NT-Password. But you should mostly treat it like Active Directory.
Question 1. is it possible FreeRadius for wifi-auth. with Azure AD as IP?
Yes. Sometimes. Depending on the authentication method.
I have set up an other EduRoam FreeRadius server anyway:
What works:
- ldapsearch -H ldaps.mydomain.nl -x -b “dc=mydomain,dc=nl” - radtest abba.king@mydomain <userpassword> 127.0.0.1 -1 testing123 - "Received Access-Accept"
Yes. Because you're sending a clear-text password. Which FreeRADIUS sends to Azure, and Azure checks it.
What doesnt work:
- Authentication with WiFi (on windows 10 PC with native eap-peap / mschapv2 ) error:
Because Azure won't give the clear-text password or NT-Password to FreeRADIUS. So FreeRADIUS can't do the MS-CHAP calculations.
Did I make a mistake? Or is it not possible?
It's not really possible. Microsoft makes it difficult. What is possible is to set up a local Active Directory solution which syncs with Azure. Then, use Samba locally to talk to AD. Alan DeKok.
Not just when using freeradius. For almost any scenario that I have had to deal with I still needed a local windows server running active directory to use the AD connect tool with. Pure aadds doesn't really work well if you still have anything on-prem. I went with what Alan just suggested. Niels On Wed, Jun 9, 2021, 18:38 Alan DeKok, <aland@deployingradius.com> wrote:
On Jun 9, 2021, at 6:24 AM, Tanya Stawicki <tanyastawicki@gmail.com> wrote:
We have a Freeradius server two years long successfully providing EduRoam connectivity for our customer. Local Identity provider is Microsoft Server 2016 AD. WiFi clients are most Windows 10 clients and phones.
However the customer wants to switch to Azure AD and ( in time) get rid of their Windows servers. They want to authenticate with Azure AADDS Ldaps
I doubt if it is possible with (Free)Radius, I guess the combination is not in the compatibility matrix, but I’m not sure: It’s not 100% clear to me, which encryption method Azure uses for storing passwords in LDAPs.
Most likely NT-Password. But you should mostly treat it like Active Directory.
Question 1. is it possible FreeRadius for wifi-auth. with Azure AD as IP?
Yes. Sometimes. Depending on the authentication method.
I have set up an other EduRoam FreeRadius server anyway:
What works:
- ldapsearch -H ldaps.mydomain.nl -x -b “dc=mydomain,dc=nl” - radtest abba.king@mydomain <userpassword> 127.0.0.1 -1 testing123 - "Received Access-Accept"
Yes. Because you're sending a clear-text password. Which FreeRADIUS sends to Azure, and Azure checks it.
What doesnt work:
- Authentication with WiFi (on windows 10 PC with native eap-peap / mschapv2 ) error:
Because Azure won't give the clear-text password or NT-Password to FreeRADIUS. So FreeRADIUS can't do the MS-CHAP calculations.
Did I make a mistake? Or is it not possible?
It's not really possible. Microsoft makes it difficult.
What is possible is to set up a local Active Directory solution which syncs with Azure. Then, use Samba locally to talk to AD.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
hello Niels,
Yeah yeah: Active Directory, but that's just what my customer wants to
get rid off
And the customers' Useraccounts ARE primary in Azure AD :-(
I now try to use a custom Windows Wifi profile for the SSID "eduroam"
with "eap-ttls / pap" in combination with:
* Freeradius with LDAPs to AAD ( and LDAP enabled in Azure AD =
100$/month :)
* Freeradius with rlm_perl to AAD with this module ( saves 100
bucks/mount) , https://github.com/jimdigriz/freeradius-oauth2-perl
With some success !!! Below some relevant radiusd -X output from the
LDAP enabled FreeRadius server:
there are changes to get it fixed without AD, I guess...
Greetings Tanya
(189) [pap] = noop
(189) } # authorize = ok
(189) Found Auth-Type = LDAP
(189) # Executing group from file
/usr/local/etc/raddb/sites-enabled/inner-tunnel
(189) Auth-Type LDAP {
rlm_ldap (ldap): Reserved connection (13)
(189) ldap: Login attempt by "abba.king@mydomain.nl"
(189) ldap: Using user DN from request "CN=Abba King,OU=AADDC
Users,DC=mydomain,DC=nl"
(189) ldap: Waiting for bind result...
(189) ldap: Bind successful
(189) ldap: Bind as user "CN=Abba King,OU=AADDC Users,DC=mydomain,DC=nl"
was successful
rlm_ldap (ldap): Released connection (13)
Need 1 more connections to reach min connections (3)
rlm_ldap (ldap): Opening additional connection (14), 1 of 30 pending slots
used
rlm_ldap (ldap): Connecting to ldaps://mydomain.nl:636
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
(189) [ldap] = ok
(189) } # Auth-Type LDAP = ok
(189) # Executing section post-auth from file
/usr/local/etc/raddb/sites-enabled/inner-tunnel
(189) post-auth {
(189) if (0) {
(189) if (0) -> FALSE
(189) } # post-auth = noop
(189) } # server inner-tunnel
(189) Virtual server sending reply
(189) eap_ttls: Got tunneled Access-Accept
(189) eap: Sending EAP Success (code 3) ID 118 length 4
(189) eap: Freeing handler
(189) [eap] = ok
(189) } # authenticate = ok
(189) # Executing section post-auth from file
/usr/local/etc/raddb/sites-enabled/default
(189) post-auth {
(189) [eap] = noop
(189) update {
(189) No attributes updated
(189) } # update = noop
(189) [exec] = noop
(189) policy remove_reply_message_if_eap {
(189) if (&reply:EAP-Message && &reply:Reply-Message) {
(189) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(189) else {
(189) [noop] = noop
(189) } # else = noop
(189) } # policy remove_reply_message_if_eap = noop
(189) } # post-auth = noop
(189) Sent Access-Accept Id 14 from 10.0.1.219:1812 to 77.250.166.241:43183
length 0
Op wo 9 jun. 2021 om 13:04 schreef Niels Tomey <niels@ixs.ph>:
> Not just when using freeradius. For almost any scenario that I have had to
> deal with I still needed a local windows server running active directory to
> use the AD connect tool with. Pure aadds doesn't really work well if you
> still have anything on-prem.
>
> I went with what Alan just suggested.
>
> Niels
>
> On Wed, Jun 9, 2021, 18:38 Alan DeKok, <aland@deployingradius.com> wrote:
>
> > On Jun 9, 2021, at 6:24 AM, Tanya Stawicki <tanyastawicki@gmail.com>
> > wrote:
> > > We have a Freeradius server two years long successfully providing
> EduRoam
> > > connectivity for our customer.
> > > Local Identity provider is Microsoft Server 2016 AD. WiFi clients are
> > > most Windows 10 clients and phones.
> > >
> > > However the customer wants to switch to Azure AD and ( in time) get
> rid
> > of
> > > their Windows servers. They want to authenticate with Azure AADDS
> Ldaps
> > >
> > > I doubt if it is possible with (Free)Radius, I guess the combination is
> > not
> > > in the compatibility matrix, but I’m not sure: It’s not 100% clear to
> > me,
> > > which encryption method Azure uses for storing passwords in LDAPs.
> >
> > Most likely NT-Password. But you should mostly treat it like Active
> > Directory.
> >
> > > Question 1. is it possible FreeRadius for wifi-auth. with Azure AD as
> > IP?
> >
> > Yes. Sometimes. Depending on the authentication method.
> >
> > > I have set up an other EduRoam FreeRadius server anyway:
> > >
> > > What works:
> > >
> > > - ldapsearch -H ldaps.mydomain.nl -x -b “dc=mydomain,dc=nl”
> > > - radtest abba.king@mydomain <userpassword> 127.0.0.1 -1 testing123
> -
> > > "Received Access-Accept"
> >
> > Yes. Because you're sending a clear-text password. Which FreeRADIUS
> > sends to Azure, and Azure checks it.
> >
> > > What doesnt work:
> > >
> > > - Authentication with WiFi (on windows 10 PC with native
> eap-peap /
> > > mschapv2 ) error:
> >
> > Because Azure won't give the clear-text password or NT-Password to
> > FreeRADIUS. So FreeRADIUS can't do the MS-CHAP calculations.
> >
> > > Did I make a mistake? Or is it not possible?
> >
> > It's not really possible. Microsoft makes it difficult.
> >
> > What is possible is to set up a local Active Directory solution which
> > syncs with Azure. Then, use Samba locally to talk to AD.
> >
> > Alan DeKok.
> >
> >
> > -
> > List info/subscribe/unsubscribe? See
> > http://www.freeradius.org/list/users.html
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
Hello Alan, Thanks for you quick and clear response. You said 2 things here 1
Question 1. is it possible FreeRadius for wifi-auth. with Azure AD as IP? Yes. Sometimes. Depending on the authentication method.
Wow, a YES! now I double my efforts. 2
"Received Access-Accept" Yes. Because you're sending a clear-text password. Which FreeRADIUS sends to Azure, and Azure checks it.
Ahh clear-text works! : Well, with eap-ttls / pap passwords are send in clear-text with respect to FreeRadius. (Are they ??? Yes, I guess...) so I tried a few things. 1) still trying with LDAP but with wifi cllients using eap-ttls / pap instead of windows default : "eap-peap/mschapv2" : YES successful WiFi auth with AAD account!!! 2) leaving LDAP ( it's a 100$/month service on AAD) and trying rlm_perl with ( https://github.com/jimdigriz/freeradius-oauth2-perl ) and wifi cllients using eap-ttls / pap : YES!! successful WiFi auth with AAD account!!! Thanks, I'm making huge progression (in test environment)... Now trying it on a Real Eduroam enabled Freeradius. Greetings Tanya Op wo 9 jun. 2021 om 12:38 schreef Alan DeKok <aland@deployingradius.com>:
On Jun 9, 2021, at 6:24 AM, Tanya Stawicki <tanyastawicki@gmail.com> wrote:
We have a Freeradius server two years long successfully providing EduRoam connectivity for our customer. Local Identity provider is Microsoft Server 2016 AD. WiFi clients are most Windows 10 clients and phones.
However the customer wants to switch to Azure AD and ( in time) get rid of their Windows servers. They want to authenticate with Azure AADDS Ldaps
I doubt if it is possible with (Free)Radius, I guess the combination is not in the compatibility matrix, but I’m not sure: It’s not 100% clear to me, which encryption method Azure uses for storing passwords in LDAPs.
Most likely NT-Password. But you should mostly treat it like Active Directory.
Question 1. is it possible FreeRadius for wifi-auth. with Azure AD as IP?
Yes. Sometimes. Depending on the authentication method.
I have set up an other EduRoam FreeRadius server anyway:
What works:
- ldapsearch -H ldaps.mydomain.nl -x -b “dc=mydomain,dc=nl” - radtest abba.king@mydomain <userpassword> 127.0.0.1 -1 testing123 - "Received Access-Accept"
Yes. Because you're sending a clear-text password. Which FreeRADIUS sends to Azure, and Azure checks it.
What doesnt work:
- Authentication with WiFi (on windows 10 PC with native eap-peap / mschapv2 ) error:
Because Azure won't give the clear-text password or NT-Password to FreeRADIUS. So FreeRADIUS can't do the MS-CHAP calculations.
Did I make a mistake? Or is it not possible?
It's not really possible. Microsoft makes it difficult.
What is possible is to set up a local Active Directory solution which syncs with Azure. Then, use Samba locally to talk to AD.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (3)
-
Alan DeKok -
Niels Tomey -
Tanya Stawicki