EAP with FreeRadius and Azure Active Directory
aland at deployingradius.com
Thu Sep 1 23:40:08 CEST 2016
On Sep 1, 2016, at 5:32 PM, Graeme Gellatly <graemeg at roof.co.nz> wrote:
> Ubiquiti Unifi Wireless APs/Controller authenticating with Azure Active Directory using WPA2-Enterprise.
> Progress to date.
> Ubiquiti talking to FreeRadius - I can see requests - the message hits Radius and is passed to inner tunnel
> FreeRadius talking to pam, which calls pam_exec and triggers a node call to Azure. i.e. radtest passes for both ports 1812 and 18120.
Bad. PAM is crap. Don't use it.
> I feel the issue is in eap.conf, particularly where it picks up MSCHAP but I don't really understand the conf files. Is there any way I can send a cleartext password to PAM via an EAP request?
Not for PEAP. It's impossible, because there is no clear-text password.
> This will be a big use case, using freeradius to authenticate clients against Azure for wireless network access, and all work will be made public if I get it to / it can work.
Many people have done this over the years. It's complex, but not difficult. Follow my guide, and it will work.
And don't use PAM.