Freeradius, Eduroam, AzureAD ldaps authentication

Alan DeKok aland at deployingradius.com
Wed Jun 9 12:37:41 CEST 2021


On Jun 9, 2021, at 6:24 AM, Tanya Stawicki <tanyastawicki at gmail.com> wrote:
> We have had a Freeradius server successfully providing EduRoam
> connectivity for our customer for two years.
> The local Identity Provider is Microsoft Server 2016 AD. WiFi clients are
> mostly Windows 10 clients and phones.
> 
> However, the customer wants to switch to Azure AD and (in time) get rid of
> their Windows servers. They want to authenticate with Azure AADDS LDAPS.
> 
> I doubt it is possible with (Free)Radius; I guess the combination is not
> in the compatibility matrix, but I’m not sure. It’s not 100% clear to me
> which encryption method Azure uses for storing passwords in LDAPS.

  Most likely NT-Password.  But you should mostly treat it like Active Directory.

> Question 1. Is it possible to use FreeRadius for WiFi auth with Azure AD as IP?

  Yes.  Sometimes.  Depending on the authentication method.

> I have set up another EduRoam FreeRadius server anyway:
> 
> What works:
> 
>   - ldapsearch -H ldaps.mydomain.nl -x -b "dc=mydomain,dc=nl"
>   - radtest abba.king@mydomain <userpassword> 127.0.0.1 -1 testing123 -
>   "Received Access-Accept"

  Yes.  Because you're sending a clear-text password.  Which FreeRADIUS sends to Azure, and Azure checks it.

> What doesn't work:
> 
>   - Authentication with WiFi (on a Windows 10 PC with native EAP-PEAP /
>   MSCHAPv2) error:

  Because Azure won't give the clear-text password or NT-Password to FreeRADIUS.  So FreeRADIUS can't do the MS-CHAP calculations.

> Did I make a mistake? Or is it not possible?

  It's not really possible.  Microsoft makes it difficult.

  What is possible is to set up a local Active Directory solution which syncs with Azure.  Then, use Samba locally to talk to AD.

  Alan DeKok.
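As an added example (not part of this thread, and not FreeRADIUS's shipped configuration), the two back-end paths discussed above written in FreeRADIUS 3.x module syntax: an ldap module that binds to Azure AD DS over LDAPS, which is enough for the PAP case that radtest exercises, and an mschap module that hands the MS-CHAPv2 calculation to Samba's ntlm_auth on a host joined to a local AD that syncs with Azure, which is what the PEAP/MSCHAPv2 WiFi case needs. The service-account DN, bind password, CA bundle path, ntlm_auth location and NetBIOS domain name are assumptions; only mydomain.nl and its base DN come from the thread.

```conf
# mods-available/ldap: bind-as-user against Azure AD DS over LDAPS.
# This verifies only PAP (clear-text password inside the Access-Request),
# which is why radtest succeeds while PEAP/MSCHAPv2 cannot.
ldap {
    server = 'ldaps://ldaps.mydomain.nl'
    identity = 'CN=svc-radius,OU=AADDC Users,DC=mydomain,DC=nl'  # assumed service account
    password = '<bind password>'                                 # placeholder
    base_dn = 'dc=mydomain,dc=nl'
    user {
        base_dn = "${..base_dn}"
        filter = "(userPrincipalName=%{%{Stripped-User-Name}:-%{User-Name}})"
    }
    tls {
        ca_file = /etc/ssl/certs/ca-certificates.crt  # assumed CA bundle path
        require_cert = 'demand'                       # fail closed on an untrusted cert
    }
}

# mods-available/mschap: MS-CHAPv2 needs the NT hash, which AADDS LDAPS never
# hands out, so the calculation is delegated to Samba winbind on a machine
# joined to the local AD that syncs with Azure (the architecture suggested above).
mschap {
    use_mppe = yes
    require_encryption = yes
    require_strong = yes
    with_ntdomain_hack = yes
    # MYDOMAIN and the ntlm_auth path are assumptions
    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --challenge=%{mschap:Challenge} --nt-response=%{mschap:NT-Response}"
}

# sites-enabled/default (and inner-tunnel for PEAP): each module claims
# only the Auth-Type it can actually perform.
authorize {
    mschap      # sets Auth-Type = MS-CHAP when MS-CHAP attributes are present
    ldap
    if ((ok || updated) && User-Password) {
        update control { Auth-Type := LDAP }   # PAP: verify by LDAP bind
    }
    pap
}
authenticate {
    Auth-Type LDAP { ldap }
    Auth-Type MS-CHAP { mschap }
    Auth-Type PAP { pap }
}
```

Requests that arrive with MS-CHAP attributes but no working ntlm_auth backend are rejected by the mschap module, which is the failure mode the WiFi test above shows when only the ldap module is in place.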
