Freeradius, Eduroam, AzureAD ldaps authentication

Tanya Stawicki tanyastawicki at gmail.com
Wed Jun 9 15:18:46 CEST 2021


Hello Alan,

Thanks for your quick and clear response.
You said 2 things here:


1)
> Question 1.   is it possible FreeRadius for wifi-auth. with Azure AD as
> IP?
>   Yes.  Sometimes.  Depending on the authentication method.

Wow, a YES! Now I double my efforts.

2)
>   "Received Access-Accept"
>   Yes.  Because you're sending a clear-text password.  Which FreeRADIUS
> sends to Azure, and Azure checks it.

Ahh, clear-text works! Well, with eap-ttls / pap, passwords are sent in
clear-text with respect to FreeRADIUS. (Are they??? Yes, I guess...)


So I tried a few things.


1) Still trying with LDAP, but with WiFi clients using eap-ttls / pap
instead of the Windows default "eap-peap/mschapv2": YES, successful
WiFi auth with AAD account!!!


2) Leaving LDAP (it's a $100/month service on AAD) and trying rlm_perl
with https://github.com/jimdigriz/freeradius-oauth2-perl and
WiFi clients using eap-ttls / pap: YES!! Successful WiFi auth
with AAD account!!!


Thanks, I'm making huge progress (in a test environment)... Now
trying it on a real Eduroam-enabled FreeRADIUS.


Greetings, Tanya

Op wo 9 jun. 2021 om 12:38 schreef Alan DeKok <aland at deployingradius.com>:

> On Jun 9, 2021, at 6:24 AM, Tanya Stawicki <tanyastawicki at gmail.com>
> wrote:
> > We have a Freeradius server two years long successfully providing EduRoam
> > connectivity for our customer.
> > Local Identity provider is  Microsoft Server 2016 AD.  WiFi clients are
> > most Windows 10 clients and phones.
> >
> > However the customer wants to switch to Azure AD and ( in time)  get rid
> of
> > their Windows servers.  They want to authenticate with Azure AADDS Ldaps
> >
> > I doubt if it is possible with (Free)Radius, I guess the combination is
> not
> > in the compatibility matrix, but I’m not sure:  It’s not 100% clear to
> me,
> > which encryption method Azure uses for storing passwords in LDAPs.
>
>   Most likely NT-Password.  But you should mostly treat it like Active
> Directory.
>
> > Question 1.   is it possible FreeRadius for wifi-auth. with Azure AD as
> IP?
>
>   Yes.  Sometimes.  Depending on the authentication method.
>
> > I have set up another EduRoam FreeRadius server anyway:
> >
> > What works:
> >
> >   - ldapsearch -H ldaps.mydomain.nl -x -b “dc=mydomain,dc=nl”
> >   - radtest abba.king at mydomain <userpassword> 127.0.0.1 -1 testing123 -
> >   "Received Access-Accept"
>
>   Yes.  Because you're sending a clear-text password.  Which FreeRADIUS
> sends to Azure, and Azure checks it.
>
> >  What doesn't work:
> >
> >   -   Authentication with WiFi  (on windows 10 PC  with native eap-peap /
> >   mschapv2 )   error:
>
>   Because Azure won't give the clear-text password or NT-Password to
> FreeRADIUS.  So FreeRADIUS can't do the MS-CHAP calculations.
>
> > Did I make a mistake?   Or is it not possible?
>
>   It's not really possible.  Microsoft makes it difficult.
>
>   What is possible is to set up a local Active Directory solution which
> syncs with Azure.  Then, use Samba locally to talk to AD.
>
>   Alan DeKok.
>
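The working combination from this thread is EAP-TTLS with inner PAP, where FreeRADIUS verifies the tunnelled clear-text password by binding to the Azure AD DS LDAPS endpoint as the user (option 1 above; the rlm_perl/OAuth2 route of option 2 is not shown). The excerpts below are an added example written for this page, not configuration posted by Tanya, Alan or the FreeRADIUS project; the server name, base DN, service account, certificate paths and the userPrincipalName filter are assumptions, and everything else follows the FreeRADIUS 3.x default layout in `mods-available/` and `sites-available/`.

```conf
# Added example (not from the thread). FreeRADIUS 3.x excerpts for
# EAP-TTLS + inner PAP verified by an LDAP bind against Azure AD DS.
# Hostnames, DNs, credentials and file paths are assumed values.

# --- mods-available/eap (excerpt) ---
eap {
	default_eap_type = ttls

	tls-config tls-common {
		private_key_file = ${certdir}/server.pem
		certificate_file = ${certdir}/server.pem
		ca_file          = ${cadir}/ca.pem
	}

	ttls {
		tls = tls-common
		# The inner PAP request is not EAP; it is processed by the
		# inner-tunnel virtual server below.
		virtual_server = "inner-tunnel"
	}
}

# --- mods-available/ldap (excerpt) ---
ldap {
	# Assumed AAD DS secure LDAP endpoint (ldaps://, port 636).
	server   = 'ldaps://ldaps.mydomain.nl'
	identity = 'svc-radius@mydomain.nl'     # assumed bind account for lookups
	password = 'CHANGE-ME'                  # placeholder
	base_dn  = 'dc=mydomain,dc=nl'

	user {
		base_dn = "${..base_dn}"
		# Match on the UPN; Stripped-User-Name is set by the realm
		# handling in the outer server when the login is user@realm.
		filter = "(userPrincipalName=%{%{Stripped-User-Name}:-%{User-Name}})"
	}

	tls {
		# Verify the AAD DS LDAPS certificate, do not bind blindly.
		ca_file      = /etc/ssl/certs/aadds-ca.pem   # assumed path
		require_cert = 'demand'
	}
}

# --- sites-available/inner-tunnel (excerpt) ---
server inner-tunnel {
	authorize {
		filter_username
		# Look the user up. AAD DS never returns NT-Password or a
		# clear-text password, so the only thing FreeRADIUS can do is
		# bind as the user with the tunnelled PAP password.
		ldap
		if ((ok || updated) && User-Password) {
			update {
				control:Auth-Type := ldap
			}
		}
		eap
	}

	authenticate {
		# Auth-Type LDAP performs the user bind; an Access-Reject from
		# here means AAD DS refused the credentials.
		Auth-Type LDAP {
			ldap
		}
		eap
	}
}
```

To exercise the full EAP-TTLS/PAP path rather than plain PAP (which is all `radtest` does), use `eapol_test` from wpa_supplicant with a network block containing `eap=TTLS`, `phase2="auth=PAP"`, `identity`, `password` and a `ca_cert` that points at the CA of `server.pem`. Because the password crosses the tunnel in clear text, the security of this setup rests entirely on clients validating the RADIUS server certificate (pinned CA and expected server name, as an eduroam CAT profile does); a client configured to skip that check would hand its password to any server presenting a certificate. PEAP/MSCHAPv2 remains impossible with this backend for the reason Alan gives: the MS-CHAP computations need the NT hash, which AAD DS does not expose over LDAP.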

