Freeradius, Eduroam, AzureAD ldaps authentication
aland at deployingradius.com
Wed Jun 9 12:37:41 CEST 2021
On Jun 9, 2021, at 6:24 AM, Tanya Stawicki <tanyastawicki at gmail.com> wrote:
> We have had a FreeRADIUS server successfully providing eduroam
> connectivity for our customer for two years.
> The local identity provider is Microsoft Server 2016 AD. WiFi clients are
> mostly Windows 10 clients and phones.
> However, the customer wants to switch to Azure AD and (in time) get rid of
> their Windows servers. They want to authenticate with Azure AADDS LDAPS.
> I doubt whether it is possible with (Free)RADIUS; I guess the combination is not
> in the compatibility matrix, but I'm not sure. It's not 100% clear to me
> which encryption method Azure uses for storing passwords in LDAPS.
Most likely NT-Password. But you should mostly treat it like Active Directory.
> Question 1: is it possible to use FreeRADIUS for WiFi auth with Azure AD as identity provider?
Yes. Sometimes. Depending on the authentication method.
> I have set up another eduroam FreeRADIUS server anyway:
> What works:
> - ldapsearch -H ldaps.mydomain.nl -x -b "dc=mydomain,dc=nl"
> - radtest abba.king@mydomain <userpassword> 127.0.0.1 -1 testing123
>   -> "Received Access-Accept"
Yes. Because you're sending a clear-text password. Which FreeRADIUS sends to Azure, and Azure checks it.
> What doesn't work:
> - Authentication with WiFi (on a Windows 10 PC with native EAP-PEAP /
> MSCHAPv2) error:
Because Azure won't give the clear-text password or NT-Password to FreeRADIUS. So FreeRADIUS can't do the MS-CHAP calculations.
> Did I make a mistake? Or is it not possible?
It's not really possible. Microsoft makes it difficult.
What is possible is to set up a local Active Directory solution which syncs with Azure. Then, use Samba locally to talk to AD.
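The two authentication paths the reply distinguishes, written out as FreeRADIUS 3.x configuration. This is an added illustration, not part of the list post and not the project's shipped configuration: the LDAPS host and base DN are taken from the poster's ldapsearch command, while the bind DN and password, the CA file path, the ntlm_auth path and the use of sAMAccountName in the filter are assumptions for the example. The first part is the PAP case that radtest exercises (clear-text User-Password, checked by binding to Azure AD DS as the user); the second part is the PEAP/EAP-MSCHAPv2 case, where the inner tunnel only carries a challenge/response and the mschap module must get the NT hash from somewhere Azure AD DS does not offer, here a Samba winbind joined to the on-prem AD that syncs with Azure.

```conf
# ---- mods-available/ldap : Azure AD DS secure LDAP (bind-only backend) ----
ldap {
    server   = 'ldaps://ldaps.mydomain.nl'       # host from the poster's ldapsearch
    identity = 'cn=radius-svc,dc=mydomain,dc=nl' # ASSUMED service account for searches
    password = 'change-me'                       # ASSUMED
    base_dn  = 'dc=mydomain,dc=nl'

    user {
        base_dn = "${..base_dn}"
        # ASSUMED: users are looked up by sAMAccountName after realm stripping.
        filter  = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
    }

    # Azure AD DS returns no unicodePwd / NT hash to any bind, so nothing is
    # mapped into control:NT-Password here; the module can only bind as the user.

    tls {
        ca_file      = /etc/freeradius/certs/aadds-ca.pem   # ASSUMED path
        require_cert = 'demand'   # never send the user's password to an unverified server
    }
}

# ---- sites-available/default : outer server, PAP (the radtest case) ----
authorize {
    suffix      # strips @realm into Stripped-User-Name for the filter above
    ldap
    # Only a clear-text User-Password can be verified by binding as the user.
    if ((ok || updated) && User-Password && !control:Auth-Type) {
        update control {
            Auth-Type := ldap
        }
    }
    eap         # PEAP itself is handled by eap; its inner EAP-MSCHAPv2 goes to inner-tunnel
}

authenticate {
    Auth-Type LDAP {
        ldap    # simple bind to ldaps.mydomain.nl with the clear-text password
    }
    eap
}

# ---- sites-available/inner-tunnel : EAP-MSCHAPv2 inside PEAP (the WiFi case) ----
authorize {
    # There is no User-Password here, only MS-CHAP-Challenge and MS-CHAP2-Response.
    # The bind trick cannot apply; mschap needs control:NT-Password (which the ldap
    # module never obtains from Azure AD DS) or an external helper (ntlm_auth).
    mschap
}

authenticate {
    Auth-Type MS-CHAP {
        mschap
    }
}

# ---- mods-available/mschap : delegate the NT-Response check to Samba ----
# winbind must be joined to the on-prem AD that syncs with Azure AD.
mschap {
    # ASSUMED path; the argument list is the stock FreeRADIUS ntlm_auth invocation,
    # plus --allow-mschapv2, which recent Samba releases require for MS-CHAPv2.
    ntlm_auth = "/usr/bin/ntlm_auth --allow-mschapv2 --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
}
```

With only the first two sections in place, radtest (PAP) succeeds and PEAP/MSCHAPv2 fails exactly as the poster reports, because the inner-tunnel request never contains a password that could be bound with. The mschap section is the "local AD synced with Azure, Samba talks to AD" workaround from the reply; without a reachable domain controller that holds the NT hashes, ntlm_auth has nothing to verify against and MS-CHAPv2 will still reject.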