EAP with FreeRadius and Azure Active Directory

Alan DeKok aland at deployingradius.com
Thu Sep 1 23:40:08 CEST 2016


On Sep 1, 2016, at 5:32 PM, Graeme Gellatly <graemeg at roof.co.nz> wrote:
> Ubiquiti Unifi Wireless APs/Controller authenticating with Azure Active Directory using WPA2-Enterprise.

  See http://deployingradius.com/documents/configuration/active_directory.html

> Progress to date.
> 
> Ubiquiti talking to FreeRadius - I can see requests - the message hits Radius and is passed to inner tunnel

  Good.

> FreeRadius talking to pam, which calls pam_exec and triggers a node call to Azure.  i.e. radtest passes for both ports 1812 and 18120.

  Bad.  PAM is crap.  Don't use it.

> I feel the issue is in eap.conf, particularly where it picks up MSCHAP, but I don't really understand the conf files.  Is there any way I can send a cleartext password to PAM via an EAP request?

  Not for PEAP.  It's impossible, because there is no clear-text password.

> This will be a big use case, using freeradius to authenticate clients against Azure for wireless network access, and all work will be made public if I get it to / it can work.

  Many people have done this over the years.  It's complex, but not difficult.  Follow my guide, and it will work.

  And don't use PAM.

  Alan DeKok.



