Re: EAP with FreeRadius and Azure Active Directory
Sorry original got bounced, must have been delay between subscription. Hi, I don't normally mail lists, preferring to work things out myself but I'm a bit out of my depth here and looking for some help. Required result. Ubuquiti Unifi Wireless AP's/Controller authenticating with Azure Active Directory using WPA2-Enterprise. Progress to date. Ubiquiti talking to FreeRadius - I can see requests - the message hits Radius and is passed to inner tunnel FreeRadius talking to pam, which calls pam_exec and triggers a node call to Azure. i.e. radtest passes for both ports 1812 and 18120. I feel the issue is in eap.conf, particularly where it picks up MSCHAP but I don't really understand the conf files. Is there anyway I can send a cleartext password to PAM via an EAP request? Happy to post whatever config, but really atm its just standard Ubuntu, with the following entry in users. DEFAULT Auth-Type=PAM Pam-Auth="radiusd" This will be a big use case, using freeradius to authenticate clients against Azure for wireless network access, and all work will be made public if I get it to / it can work. Thanks Graeme
On Sep 1, 2016, at 5:32 PM, Graeme Gellatly <graemeg@roof.co.nz> wrote:
Ubuquiti Unifi Wireless AP's/Controller authenticating with Azure Active Directory using WPA2-Enterprise.
See http://deployingradius.com/documents/configuration/active_directory.html
Progress to date.
Ubiquiti talking to FreeRadius - I can see requests - the message hits Radius and is passed to inner tunnel
Good.
FreeRadius talking to pam, which calls pam_exec and triggers a node call to Azure. i.e. radtest passes for both ports 1812 and 18120.
Bad. PAM is crap. Don't use it.
I feel the issue is in eap.conf, particularly where it picks up MSCHAP but I don't really understand the conf files. Is there anyway I can send a cleartext password to PAM via an EAP request?
Not for PEAP. It's impossible, because there is no clear-text password.
This will be a big use case, using freeradius to authenticate clients against Azure for wireless network access, and all work will be made public if I get it to / it can work.
Many people have done this over the years. It's complex, but not difficult. Follow my guide, and it will work. And don't use PAM. Alan DeKok.
Thanks Alan, That guide is for Active Directory, not Azure Active Directory which is very different. I was actually reading it when your mail came in. The auth workflow is oauth2 based for Azure, no NTLM. Guess I'll need to experiment with the new Domain Services feature of Azure and a VPN. There are reports of it working with other radius servers. Bit that sucks is I already had samba authenticating using oauth. Will report back, once I've had a decent crack at it. ________________________________ From: Freeradius-Users <freeradius-users-bounces+graemeg=roof.co.nz@lists.freeradius.org> on behalf of Alan DeKok <aland@deployingradius.com> Sent: Friday, 2 September 2016 9:40:08 a.m. To: FreeRadius users mailing list Subject: Re: EAP with FreeRadius and Azure Active Directory On Sep 1, 2016, at 5:32 PM, Graeme Gellatly <graemeg@roof.co.nz> wrote:
Ubuquiti Unifi Wireless AP's/Controller authenticating with Azure Active Directory using WPA2-Enterprise.
See http://deployingradius.com/documents/configuration/active_directory.html
Progress to date.
Ubiquiti talking to FreeRadius - I can see requests - the message hits Radius and is passed to inner tunnel
Good.
FreeRadius talking to pam, which calls pam_exec and triggers a node call to Azure. i.e. radtest passes for both ports 1812 and 18120.
Bad. PAM is crap. Don't use it.
I feel the issue is in eap.conf, particularly where it picks up MSCHAP but I don't really understand the conf files. Is there anyway I can send a cleartext password to PAM via an EAP request?
Not for PEAP. It's impossible, because there is no clear-text password.
This will be a big use case, using freeradius to authenticate clients against Azure for wireless network access, and all work will be made public if I get it to / it can work.
Many people have done this over the years. It's complex, but not difficult. Follow my guide, and it will work. And don't use PAM. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Sep 1, 2016, at 6:09 PM, Graeme Gellatly <graemeg@roof.co.nz> wrote:
That guide is for Active Directory, not Azure Active Directory which is very different. I was actually reading it when your mail came in. The auth workflow is oauth2 based for Azure, no NTLM.
Then you can't use PEAP. Which means that pretty much all of the Windows systems won't be able to connect.
Guess I'll need to experiment with the new Domain Services feature of Azure and a VPN. There are reports of it working with other radius servers. Bit that sucks is I already had samba authenticating using oauth.
Will report back, once I've had a decent crack at it.
That would be good, thanks. Alan DeKok.
On 1 Sep 2016, at 23:09, Graeme Gellatly <graemeg@roof.co.nz> wrote:
Thanks Alan,
That guide is for Active Directory, not Azure Active Directory which is very different. I was actually reading it when your mail came in. The auth workflow is oauth2 based for Azure, no NTLM.
Guess I'll need to experiment with the new Domain Services feature of Azure and a VPN. There are reports of it working with other radius servers. Bit that sucks is I already had samba authenticating using oauth.
I haven’t used Azure but a quick google suggests RADIUS Authentication and Azure Multi-Factor Authentication Server. This seems to suggest you proxy the inner tunnel (MSCHAPv2) to the Azure MFA server. Doesn’t seem very secure to me proxying MSCHAPv2 across the Internet. https://azure.microsoft.com/en-gb/documentation/articles/multi-factor-authen... Regards Scott
On 2 Sep 2016, at 08:06, Scott Armitage <S.P.Armitage@lboro.ac.uk> wrote:
I haven’t used Azure but a quick google suggests RADIUS Authentication and Azure Multi-Factor Authentication Server. This seems to suggest you proxy the inner tunnel (MSCHAPv2) to the Azure MFA server. Doesn’t seem very secure to me proxying MSCHAPv2 across the Internet.
https://azure.microsoft.com/en-gb/documentation/articles/multi-factor-authen...
I can't find the code right now but it was fairly easy to write a shim that authenticated against Azure AD using OAUTH or SAML. Off the top of my head, I created a dummy native application and used C# ADAL to obtain a token or assertion using the users credentials (via TTLS/PAP) and verify the validity. FreeRADIUS just called the binary in the same way as ntlm_auth. Regards, Adam Bishop gpg: E75B 1F92 6407 DFDF 9F1C BF10 C993 2504 6609 D460 jisc.ac.uk Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800. Jisc Services Limited is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under company number 2881024, VAT number GB 197 0632 86. The registered office is: One Castle Park, Tower Hill, Bristol BS2 0JA. T 0203 697 5800.
If you cannot have the password then Oauth is out. Ie peap is out. There is an option available where you proxy the RADIUS to an NPS instance in the azure system. That'd work for PEAP. Better option is use EAP-TLS. Have some web system which uses Azure Auth to generate TLS profiles then leave Azure alone for the EAP clients. Your RADIUS can Auth the TLS clients directly alan
<http://www.unav.edu/web/it/> On Fri, Sep 2, 2016 at 12:09 AM, Graeme Gellatly <graemeg@roof.co.nz> wrote:
Guess I'll need to experiment with the new Domain Services feature of Azure and a VPN. There are reports of it working with other radius servers. Bit that sucks is I already had samba authenticating using oauth.
If you already had samba authenticating using oauth, couldn't you configure freeradius to use that samba as shown on [1] ? I mean something like: freeradius --(ntlm_auth)--> samba --(oauth)--> azure AD [1] http://deployingradius.com/documents/configuration/active_directory.html authenticate with *Oscar Remírez de Ganuza Satrústegui* IT Services Universidad de Navarra Tel. +34 948425600 x803130 http://www.unav.edu/web/it/
participants (6)
-
Adam Bishop -
Alan Buxey -
Alan DeKok -
Graeme Gellatly -
Scott Armitage -
Óscar Remírez de Ganuza Satrústegui