Freeradius, Eduroam, AzureAD ldaps authentication
tanyastawicki at gmail.com
Wed Jun 9 15:18:46 CEST 2021
Thanks for your quick and clear response.
You said 2 things here
> Question 1. is it possible FreeRadius for wifi-auth. with Azure AD as
Yes. Sometimes. Depending on the authentication method.
Wow, a YES! now I double my efforts.
> "Received Access-Accept"
Yes. Because you're sending a clear-text password. Which FreeRADIUS
sends to Azure, and Azure checks it.
Ahh clear-text works! : Well, with eap-ttls / pap passwords are sent in
clear-text with respect to FreeRadius. (Are they ??? Yes, I guess...)
so I tried a few things.
1) still trying with LDAP but with wifi clients using eap-ttls / pap
instead of windows default : "eap-peap/mschapv2" : YES successful
WiFi auth with AAD account!!!
2) leaving LDAP ( it's a 100$/month service on AAD) and trying rlm_perl
with ( https://github.com/jimdigriz/freeradius-oauth2-perl ) and
wifi clients using eap-ttls / pap : YES!! successful WiFi auth
with AAD account!!!
Thanks, I'm making huge progression (in test environment)... Now
trying it on a Real Eduroam enabled Freeradius.
On Wed, 9 Jun 2021 at 12:38, Alan DeKok <aland at deployingradius.com> wrote:
> On Jun 9, 2021, at 6:24 AM, Tanya Stawicki <tanyastawicki at gmail.com>
> > We have a Freeradius server two years long successfully providing EduRoam
> > connectivity for our customer.
> > Local Identity provider is Microsoft Server 2016 AD. WiFi clients are
> > most Windows 10 clients and phones.
> > However the customer wants to switch to Azure AD and (in time) get rid of
> > their Windows servers. They want to authenticate with Azure AADDS Ldaps
> > I doubt if it is possible with (Free)Radius, I guess the combination is
> > in the compatibility matrix, but I’m not sure: It’s not 100% clear to
> > which encryption method Azure uses for storing passwords in LDAPs.
> Most likely NT-Password. But you should mostly treat it like Active
> > Question 1. is it possible FreeRadius for wifi-auth. with Azure AD as
> Yes. Sometimes. Depending on the authentication method.
> > I have set up another EduRoam FreeRadius server anyway:
> > What works:
> > - ldapsearch -H ldaps.mydomain.nl -x -b "dc=mydomain,dc=nl"
> > - radtest abba.king at mydomain <userpassword> 127.0.0.1 -1 testing123 -
> > "Received Access-Accept"
> Yes. Because you're sending a clear-text password. Which FreeRADIUS
> sends to Azure, and Azure checks it.
> > What doesn't work:
> > - Authentication with WiFi (on windows 10 PC with native eap-peap /
> > mschapv2 ) error:
> Because Azure won't give the clear-text password or NT-Password to
> FreeRADIUS. So FreeRADIUS can't do the MS-CHAP calculations.
> > Did I make a mistake? Or is it not possible?
> It's not really possible. Microsoft makes it difficult.
> What is possible is to set up a local Active Directory solution which
> syncs with Azure. Then, use Samba locally to talk to AD.
> Alan DeKok.
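
The point made in the thread (EAP-TTLS/PAP works against a directory that only checks passwords, PEAP/MSCHAPv2 does not) as an added example; it is not code from the thread or from FreeRADIUS. It is a simplified model: SHA-256/HMAC stands in for the MD4/DES steps of real MS-CHAPv2, and the class, function names and account are constructed.

```python
import hashlib, hmac, os

class BindOnlyDirectory:
    """Constructed stand-in: checks a password but never hands out the
    password or a reusable hash of it (how the thread describes Azure)."""
    def __init__(self, users):
        self._db = {}
        for name, pw in users.items():
            salt = os.urandom(16)
            self._db[name] = (salt, self._kdf(pw, salt))

    @staticmethod
    def _kdf(pw, salt):
        return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 10_000)

    def bind(self, name, pw):
        if name not in self._db:
            return False
        salt, stored = self._db[name]
        return hmac.compare_digest(stored, self._kdf(pw, salt))

def password_key(pw):
    # Stand-in for NT-Password: unsalted and deterministic, so both ends
    # can derive it. Real MS-CHAPv2 uses MD4 and DES, not SHA-256/HMAC.
    return hashlib.sha256(pw.encode("utf-16-le")).digest()

def client_response(pw, challenge):
    # Supplicant side of the challenge-response: the password never leaves it.
    return hmac.new(password_key(pw), challenge, hashlib.sha256).digest()

def radius_pap(directory, user, cleartext):
    # TTLS/PAP: the server holds the clear text, so the directory can check it.
    return "Access-Accept" if directory.bind(user, cleartext) else "Access-Reject"

def radius_challenge_response(user, challenge, response, local_keys):
    # The server must recompute the response itself, so it needs the key.
    key = local_keys.get(user)
    if key is None:
        return "Access-Reject"  # nothing to compute with; bind() cannot help
    expected = hmac.new(key, challenge, hashlib.sha256).digest()
    return "Access-Accept" if hmac.compare_digest(expected, response) else "Access-Reject"

def demo():
    user, pw = "alice@example.org", "correct horse"  # constructed account
    azure = BindOnlyDirectory({user: pw})
    challenge = os.urandom(16)
    resp = client_response(pw, challenge)
    return (radius_pap(azure, user, pw),
            radius_challenge_response(user, challenge, resp, {}),
            radius_challenge_response(user, challenge, resp, {user: password_key(pw)}))
```

The third result in `demo()` models a local store that does hold the key material, which is the role of the locally synced Active Directory suggested in the reply.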