Freeradius, Eduroam, AzureAD ldaps authentication

Tanya Stawicki tanyastawicki at gmail.com
Wed Jun 9 16:45:12 CEST 2021


Hello Niels,

Yeah yeah: Active Directory, but that's just what my customer wants to
get rid of.
And the customer's user accounts ARE primarily in Azure AD :-(

I am now trying to use a custom Windows Wi-Fi profile for the SSID "eduroam"
with "eap-ttls / pap" in combination with:

* FreeRADIUS with LDAPS to AAD (and LDAP enabled in Azure AD =
  100$/month :)
* FreeRADIUS with rlm_perl to AAD with this module (saves 100
  bucks/month), https://github.com/jimdigriz/freeradius-oauth2-perl

With some success!!! Below some relevant radiusd -X output from the
LDAP-enabled FreeRADIUS server:


There are chances to get it fixed without AD, I guess...

Greetings Tanya


(189)       [pap] = noop
(189)     } # authorize = ok
(189)   Found Auth-Type = LDAP
(189)   # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
(189)     Auth-Type LDAP {
rlm_ldap (ldap): Reserved connection (13)
(189) ldap: Login attempt by "abba.king at mydomain.nl"
(189) ldap: Using user DN from request "CN=Abba King,OU=AADDC Users,DC=mydomain,DC=nl"
(189) ldap: Waiting for bind result...
(189) ldap: Bind successful
(189) ldap: Bind as user "CN=Abba King,OU=AADDC Users,DC=mydomain,DC=nl" was successful
rlm_ldap (ldap): Released connection (13)
Need 1 more connections to reach min connections (3)
rlm_ldap (ldap): Opening additional connection (14), 1 of 30 pending slots used
rlm_ldap (ldap): Connecting to ldaps://mydomain.nl:636
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
(189)       [ldap] = ok
(189)     } # Auth-Type LDAP = ok
(189)   # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
(189)     post-auth {
(189)       if (0) {
(189)       if (0)  -> FALSE
(189)     } # post-auth = noop
(189) } # server inner-tunnel
(189) Virtual server sending reply
(189) eap_ttls: Got tunneled Access-Accept
(189) eap: Sending EAP Success (code 3) ID 118 length 4
(189) eap: Freeing handler
(189)     [eap] = ok
(189)   } # authenticate = ok
(189) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default
(189)   post-auth {
(189)     [eap] = noop
(189)     update {
(189)       No attributes updated
(189)     } # update = noop
(189)     [exec] = noop
(189)     policy remove_reply_message_if_eap {
(189)       if (&reply:EAP-Message && &reply:Reply-Message) {
(189)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(189)       else {
(189)         [noop] = noop
(189)       } # else = noop
(189)     } # policy remove_reply_message_if_eap = noop
(189)   } # post-auth = noop
(189) Sent Access-Accept Id 14 from 10.0.1.219:1812 to 77.250.166.241:43183 length 0
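The configuration fragments below are an added example for this thread, not files Tanya posted or the FreeRADIUS project's stock configuration. They sketch the EAP-TTLS/PAP plus LDAPS-bind setup that the debug output above reflects, and the inline comment on PEAP restates Alan's point that FreeRADIUS never receives the NT hash from Azure AD DS. The server name, service-account DN and password, CA file path and pool sizes are placeholders to adjust for your own tenant.

```conf
# --- mods-available/eap (relevant part) ---
eap {
    # Offer EAP-TTLS. PEAP/MS-CHAPv2 is deliberately not the default: the
    # server would need the user's NT hash to verify the MS-CHAP response,
    # and Azure AD DS does not expose that attribute over LDAP.
    default_eap_type = ttls

    ttls {
        # "tls-common" is the tls-config block from the stock eap file
        tls = tls-common
        # The inner method is plain PAP inside the TLS tunnel, so no inner
        # EAP type is negotiated; this default only matters if a client
        # starts inner EAP anyway.
        default_eap_type = md5
        copy_request_to_tunnel = no
        use_tunneled_reply = no
        virtual_server = "inner-tunnel"
    }
}

# --- mods-available/ldap (relevant part) ---
ldap {
    # Azure AD DS secure LDAP endpoint (port 636, as in the debug output)
    server = 'ldaps://mydomain.nl'
    port = 636

    # Service account used only to locate the user's DN. AAD DS returns no
    # password attribute, so the user's credentials are checked by a bind.
    identity = 'CN=radius-svc,OU=AADDC Users,DC=mydomain,DC=nl'   # placeholder
    password = 'service-account-password-here'                     # placeholder

    base_dn = 'DC=mydomain,DC=nl'

    user {
        base_dn = "${..base_dn}"
        # The inner identity is the full user@realm name, which AAD DS
        # stores in userPrincipalName (the stock filter matches on uid).
        filter = "(userPrincipalName=%{User-Name})"
    }

    tls {
        # Verify the AAD DS certificate against the CA that issued it
        ca_file = ${certdir}/aadds-ca.pem   # placeholder path
        require_cert = 'demand'
    }

    pool {
        start = 3
        min = 3
        max = 30
        idle_timeout = 60
    }
}

# --- sites-available/inner-tunnel (relevant part) ---
server inner-tunnel {
    authorize {
        # rlm_ldap resolves the DN; with no "known good" password available
        # it sets Auth-Type := LDAP when the request carries a User-Password.
        ldap
        pap
    }

    authenticate {
        # Bind to AAD DS as the user with the tunnelled clear-text password
        Auth-Type LDAP {
            ldap
        }
        pap
    }
}
```

Two points follow from this design. The user's password travels in clear inside the TLS tunnel, so the Windows profile must validate the RADIUS server certificate (trusted root plus expected server name); a client that skips that check will hand the password to any access point presenting a certificate. Likewise, the only protection on the FreeRADIUS-to-AAD DS leg is LDAPS itself, which is why `require_cert = 'demand'` with a pinned CA file is set rather than the permissive default.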

On Wed 9 Jun 2021 at 13:04, Niels Tomey <niels at ixs.ph> wrote:

> Not just when using freeradius. For almost any scenario that I have had to
> deal with I still needed a local windows server running active directory to
> use the AD connect tool with. Pure aadds doesn't really work well if you
> still have anything on-prem.
>
> I went with what Alan just suggested.
>
> Niels
>
> On Wed, Jun 9, 2021, 18:38 Alan DeKok, <aland at deployingradius.com> wrote:
>
> > On Jun 9, 2021, at 6:24 AM, Tanya Stawicki <tanyastawicki at gmail.com> wrote:
> > > We have a FreeRADIUS server for two years successfully providing EduRoam
> > > connectivity for our customer.
> > > Local Identity provider is Microsoft Server 2016 AD. WiFi clients are
> > > mostly Windows 10 clients and phones.
> > >
> > > However the customer wants to switch to Azure AD and (in time) get rid of
> > > their Windows servers. They want to authenticate with Azure AADDS LDAPS.
> > >
> > > I doubt if it is possible with (Free)Radius, I guess the combination is not
> > > in the compatibility matrix, but I'm not sure: it's not 100% clear to me
> > > which encryption method Azure uses for storing passwords in LDAPs.
> >
> >   Most likely NT-Password.  But you should mostly treat it like Active
> > Directory.
> >
> > > Question 1. Is it possible FreeRADIUS for wifi-auth. with Azure AD as IP?
> >
> >   Yes.  Sometimes.  Depending on the authentication method.
> >
> > > I have set up another EduRoam FreeRADIUS server anyway:
> > >
> > > What works:
> > >
> > >   - ldapsearch -H ldaps.mydomain.nl -x -b "dc=mydomain,dc=nl"
> > >   - radtest abba.king at mydomain <userpassword> 127.0.0.1 -1 testing123 -
> > >     "Received Access-Accept"
> >
> >   Yes.  Because you're sending a clear-text password.  Which FreeRADIUS
> > sends to Azure, and Azure checks it.
> >
> > > What doesn't work:
> > >
> > >   - Authentication with WiFi (on Windows 10 PC with native eap-peap /
> > >     mschapv2) error:
> >
> >   Because Azure won't give the clear-text password or NT-Password to
> > FreeRADIUS.  So FreeRADIUS can't do the MS-CHAP calculations.
> >
> > > Did I make a mistake?   Or is it not possible?
> >
> >   It's not really possible.  Microsoft makes it difficult.
> >
> >   What is possible is to set up a local Active Directory solution which
> > syncs with Azure.  Then, use Samba locally to talk to AD.
> >
> >   Alan DeKok.
> >
> >
> > -
> > List info/subscribe/unsubscribe? See
> > http://www.freeradius.org/list/users.html