EAP with FreeRadius and Azure Active Directory

Adam Bishop Adam.Bishop at jisc.ac.uk
Fri Sep 2 09:51:32 CEST 2016


On 2 Sep 2016, at 08:06, Scott Armitage <S.P.Armitage at lboro.ac.uk> wrote:
> I haven’t used Azure but a quick google suggests RADIUS Authentication and Azure Multi-Factor Authentication Server.  This seems to suggest you proxy the inner tunnel (MSCHAPv2) to the Azure MFA server.  Doesn’t seem very secure to me proxying MSCHAPv2 across the Internet.
> 
> https://azure.microsoft.com/en-gb/documentation/articles/multi-factor-authentication-get-started-server-radius/

I can't find the code right now but it was fairly easy to write a shim that authenticated against Azure AD using OAuth or SAML.

Off the top of my head, I created a dummy native application and used C# ADAL to obtain a token or assertion using the user's credentials (via TTLS/PAP) and verify the validity.

FreeRADIUS just called the binary in the same way as ntlm_auth.

Regards,

Adam Bishop

  gpg: E75B 1F92 6407 DFDF 9F1C  BF10 C993 2504 6609 D460

jisc.ac.uk
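
An added sketch of the kind of shim described in the message above (not the poster's C# code, which the post does not include): a Python program that an exec-style FreeRADIUS hook could call with TTLS/PAP credentials, attempting the OAuth password grant at the Azure AD v1 token endpoint and mapping the result to an exit code. Assumptions: the tenant and client IDs are placeholders, Microsoft Graph is the requested resource, credentials arrive in the USER_NAME and USER_PASSWORD environment variables, `unquote` is a hypothetical helper, and token issuance over TLS is treated as success without further token validation.

```python
import json
import os
import sys
import urllib.error
import urllib.parse
import urllib.request

# Assumptions, not from the post: placeholder tenant/client IDs, Graph as the
# requested resource, credentials passed in USER_NAME / USER_PASSWORD.
TENANT = "TENANT-ID-PLACEHOLDER"
CLIENT_ID = "CLIENT-ID-PLACEHOLDER"
RESOURCE = "https://graph.microsoft.com"
TOKEN_URL = "https://login.microsoftonline.com/%s/oauth2/token" % TENANT


def post_form(url, fields):
    """POST a form over HTTPS and return (status, parsed JSON body)."""
    req = urllib.request.Request(url, urllib.parse.urlencode(fields).encode())
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:  # token errors come back as JSON
        return err.code, json.loads(err.read() or b"{}")


def check_credentials(username, password, post=post_form):
    """Return 0 (accept) only if a token is issued, otherwise 1 (reject)."""
    if not username or not password:
        return 1  # never forward an empty password
    try:
        status, body = post(TOKEN_URL, {
            "grant_type": "password", "client_id": CLIENT_ID,
            "resource": RESOURCE, "username": username, "password": password})
    except (OSError, ValueError):
        return 1  # fail closed on network or parse errors
    if status == 200 and isinstance(body, dict) and body.get("access_token"):
        return 0
    error = body.get("error") if isinstance(body, dict) else "malformed reply"
    print("reject %s: %s" % (username, error), file=sys.stderr)  # no password
    return 1


def unquote(value):
    """Drop one pair of surrounding double quotes, if the caller added them."""
    return value[1:-1] if len(value) > 1 and value[0] == value[-1] == '"' else value


if __name__ == "__main__":
    sys.exit(check_credentials(unquote(os.environ.get("USER_NAME", "")),
                               unquote(os.environ.get("USER_PASSWORD", ""))))
```

The password grant fails for accounts that require MFA or interactive sign-in, so this check rejects those users.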
