EAP-TTLS-PAP with LDAP Authentication to Azure AD Domain Services

Alan DeKok aland at deployingradius.com
Wed Jul 10 09:12:20 CEST 2019

On Jul 9, 2019, at 5:30 PM, IP <ip.infos at gmail.com> wrote:
> I'm trying to authenticate wifi users from on-premise network with 802.1x
> Freeradius 3.0 should be configured to accept eapol request with TTLS and
> Backend is Azure AD Domain Services with LDAPS

  i.e. Active Directory.

  The debug output you posted had messages about Active Directory.

> From Freeradius I've been able to run test with radtest and eapol_test
> freeradius5 at freeradius5:~$ radtest -x -t pap un00.test ABCD1234 localhost 0
> testing123

  We don't need to see that.

  When you join the list, you get sent a link to a web page saying what we do need.  Please READ IT.


> root at freeradius5:~# cat eap-ttls-pap.conf
> root at freeradius5:~# ./eapol_test -c eap-ttls-pap.conf -s testing123

  We don't need to see any of that, either.

  Please follow the documentation.  It will help fix problems more quickly.

> I see these warnings but I don't understand if they are the origin of the
> issue
> (3) ldap: WARNING: No "known good" password added. Ensure the admin user
> has permission to read the password attribute
> (3) ldap: WARNING: PAP authentication will *NOT* work with Active Directory
> (if that is what you were trying to configure)

  Active Directory does not return a password to FreeRADIUS.  So FreeRADIUS can't authenticate the user.

  Most LDAP servers will return a password to FreeRADIUS.  Active Directory isn't entirely an LDAP server.

> The "admin" account that is configured to query the ldap belongs to the
> group AAD DC Administrator

  That's nice.  It doesn't make any difference.

> Need your help :-)

 Read sites-available/default.  Look for:

	#  Uncomment it if you want to use ldap for authentication

  And then uncomment the block, and follow the instructions.

  Alan DeKok.
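What the relevant sections look like once that block is uncommented, as an added illustration that is not part of the thread above. It assumes the stock FreeRADIUS 3.0 `sites-available/default`; the `inner-tunnel` site, which processes the PAP request carried inside EAP-TTLS, has the same commented-out block. With `Auth-Type ldap` the ldap module binds to the directory as the user with the supplied password, so nothing depends on a password attribute that Active Directory never returns.

```unlang
# sites-available/default (same edit in sites-available/inner-tunnel
# for the EAP-TTLS inner request). Only the lines that matter are shown;
# the other modules in each section stay as shipped.

authorize {
	#  Look the user up in LDAP. Against Active Directory this adds
	#  no "known good" password, so the pap module would have nothing
	#  to compare against and would reject the user.
	-ldap

	#  Shipped commented out. Uncommented: when ldap found the entry and
	#  the request carries a clear-text password (TTLS-PAP does), hand
	#  authentication to the ldap module instead of pap.
	if ((ok || updated) && User-Password) {
		update {
			control:Auth-Type := ldap
		}
	}
}

authenticate {
	#  As shipped (does not work with AD, pap has no password to check):
	#
	#	Auth-Type LDAP {
	#		ldap
	#	}

	#  Uncommented: the ldap module performs an LDAP bind as the user
	#  with the password from the request. The directory answers
	#  success or failure and never discloses the stored credential.
	Auth-Type LDAP {
		ldap
	}
}
```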

