Freeradius, Eduroam, AzureAD ldaps authentication
Tanya Stawicki
tanyastawicki at gmail.com
Wed Jun 9 15:18:46 CEST 2021
Hello Alan,
Thanks for you quick and clear response.
You said 2 things here
1
> Question 1. is it possible FreeRadius for wifi-auth. with Azure AD as
IP?
Yes. Sometimes. Depending on the authentication method.
Wow, a YES! now I double my efforts.
2
> "Received Access-Accept"
Yes. Because you're sending a clear-text password. Which FreeRADIUS
sends to Azure, and Azure checks it.
Ahh clear-text works! : Well, with eap-ttls / pap passwords are send in
clear-text with respect to FreeRadius. (Are they ??? Yes, I guess...)
so I tried a few things.
1) still trying with LDAP but with wifi cllients using eap-ttls / pap
instead of windows default : "eap-peap/mschapv2" : YES successful
WiFi auth with AAD account!!!
2) leaving LDAP ( it's a 100$/month service on AAD) and trying rlm_perl
with ( https://github.com/jimdigriz/freeradius-oauth2-perl ) and
wifi cllients using eap-ttls / pap : YES!! successful WiFi auth
with AAD account!!!
Thanks, I'm making huge progression (in test environment)... Now
trying it on a Real Eduroam enabled Freeradius.
Greetings Tanya
Op wo 9 jun. 2021 om 12:38 schreef Alan DeKok <aland at deployingradius.com>:
> On Jun 9, 2021, at 6:24 AM, Tanya Stawicki <tanyastawicki at gmail.com>
> wrote:
> > We have a Freeradius server two years long successfully providing EduRoam
> > connectivity for our customer.
> > Local Identity provider is Microsoft Server 2016 AD. WiFi clients are
> > most Windows 10 clients and phones.
> >
> > However the customer wants to switch to Azure AD and ( in time) get rid
> of
> > their Windows servers. They want to authenticate with Azure AADDS Ldaps
> >
> > I doubt if it is possible with (Free)Radius, I guess the combination is
> not
> > in the compatibility matrix, but I’m not sure: It’s not 100% clear to
> me,
> > which encryption method Azure uses for storing passwords in LDAPs.
>
> Most likely NT-Password. But you should mostly treat it like Active
> Directory.
>
> > Question 1. is it possible FreeRadius for wifi-auth. with Azure AD as
> IP?
>
> Yes. Sometimes. Depending on the authentication method.
>
> > I have set up an other EduRoam FreeRadius server anyway:
> >
> > What works:
> >
> > - ldapsearch -H ldaps.mydomain.nl -x -b “dc=mydomain,dc=nl”
> > - radtest abba.king at mydomain <userpassword> 127.0.0.1 -1 testing123 -
> > "Received Access-Accept"
>
> Yes. Because you're sending a clear-text password. Which FreeRADIUS
> sends to Azure, and Azure checks it.
>
> > What doesnt work:
> >
> > - Authentication with WiFi (on windows 10 PC with native eap-peap /
> > mschapv2 ) error:
>
> Because Azure won't give the clear-text password or NT-Password to
> FreeRADIUS. So FreeRADIUS can't do the MS-CHAP calculations.
>
> > Did I make a mistake? Or is it not possible?
>
> It's not really possible. Microsoft makes it difficult.
>
> What is possible is to set up a local Active Directory solution which
> syncs with Azure. Then, use Samba locally to talk to AD.
>
> Alan DeKok.
>
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
More information about the Freeradius-Users
mailing list