EAP with FreeRadius and Azure Active Directory
graemeg at roof.co.nz
Fri Sep 2 00:09:38 CEST 2016
That guide is for Active Directory, not Azure Active Directory which is very different. I was actually reading it when your mail came in. The auth workflow is oauth2 based for Azure, no NTLM.
Guess I'll need to experiment with the new Domain Services feature of Azure and a VPN. There are reports of it working with other radius servers. Bit that sucks is I already had samba authenticating using oauth.
Will report back, once I've had a decent crack at it.
From: Freeradius-Users <freeradius-users-bounces+graemeg=roof.co.nz at lists.freeradius.org> on behalf of Alan DeKok <aland at deployingradius.com>
Sent: Friday, 2 September 2016 9:40:08 a.m.
To: FreeRadius users mailing list
Subject: Re: EAP with FreeRadius and Azure Active Directory
On Sep 1, 2016, at 5:32 PM, Graeme Gellatly <graemeg at roof.co.nz> wrote:
> Ubuquiti Unifi Wireless AP's/Controller authenticating with Azure Active Directory using WPA2-Enterprise.
> Progress to date.
> Ubiquiti talking to FreeRadius - I can see requests - the message hits Radius and is passed to inner tunnel
> FreeRadius talking to pam, which calls pam_exec and triggers a node call to Azure. i.e. radtest passes for both ports 1812 and 18120.
Bad. PAM is crap. Don't use it.
> I feel the issue is in eap.conf, particularly where it picks up MSCHAP but I don't really understand the conf files. Is there anyway I can send a cleartext password to PAM via an EAP request?
Not for PEAP. It's impossible, because there is no clear-text password.
> This will be a big use case, using freeradius to authenticate clients against Azure for wireless network access, and all work will be made public if I get it to / it can work.
Many people have done this over the years. It's complex, but not difficult. Follow my guide, and it will work.
And don't use PAM.
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
More information about the Freeradius-Users