How "bind as user" mode works?

Alan DeKok aland at deployingradius.com
Wed Aug 16 17:03:28 UTC 2023


On Aug 16, 2023, at 12:45 PM, Rodrigo Abrantes Antunes <rodrigoantunes at pelotas.ifsul.edu.br> wrote:
> I have followed this guide and it works with radtest but not with wifi.

  See the debug output.  It will be VERY DESCRIPTIVE.

  It will even mention active directory.

> https://www.nasirhafeez.com/freeradius-with-ldaps-on-azure-ad-domain-services/
> 
> Do I need to have access to the user password in active directory to allow wifi authentication with freeradius?

   Yes.  But it's not about "wifi" as such.  It's about the authentication method used.  In this case, probably PEAP/MS-CHAPv2.

> I don't have this access and I thought the "bind as user" mode would solve this (bind with the logging in user, just like ldapsearch) but I think it is not what I thought.

  "bind as user" only works if FreeRADIUS gets a User-Password attribute.

> How can I achieve that? Am I restricted to mschap?

  You can't use MS-CHAP with AD.  You need Samba and ntlm_auth as an intermediary.

  See http://deployingradius.com/documents/configuration/active_directory.html

  I don't know about AD in the cloud... that's a whole other story.

  If the WiFi configuration uses TTLS + PAP, then "bind as user" will work.

  Alan DeKok.
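
Added example, not part of the original message and not FreeRADIUS code: a Python sketch of why a PAP request, as sent by radtest, gives the server a cleartext password it can use for an LDAP simple bind, while an MS-CHAPv2 request does not. The User-Password hiding follows RFC 2865 section 5.2; the dict-based request layout, the function names, the shared secret and the credentials are assumptions made for illustration.

```python
import hashlib
import os

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Client side (RFC 2865 5.2): build the User-Password attribute value."""
    size = max(16, -(-len(password) // 16) * 16)   # pad to a multiple of 16
    padded = password.ljust(size, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, size, 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += prev                                # each block chains on the last
    return out

def recover_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: undo the hiding using the shared secret."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ m for c, m in zip(block, mask))
        prev = block
    return out.rstrip(b"\x00")

def bind_credentials(request: dict, secret: bytes):
    """Return (user, cleartext) usable for an LDAP simple bind, or None
    when the request carries no User-Password attribute."""
    hidden = request.get("User-Password")
    if hidden is None:
        return None
    clear = recover_password(hidden, secret, request["Authenticator"])
    return request["User-Name"], clear.decode()

# Constructed sample requests; secret, user name and password are made up.
SECRET = b"testing123"
AUTH = os.urandom(16)
PAP_REQUEST = {
    "User-Name": "alice", "Authenticator": AUTH,
    "User-Password": hide_password(b"correct horse battery", SECRET, AUTH),
}
MSCHAP_REQUEST = {  # MS-CHAPv2: challenge and response only, random filler here
    "User-Name": "alice", "Authenticator": AUTH,
    "MS-CHAP-Challenge": os.urandom(16),
    "MS-CHAP2-Response": os.urandom(50),
}

if __name__ == "__main__":
    print(bind_credentials(PAP_REQUEST, SECRET))     # cleartext is available
    print(bind_credentials(MSCHAP_REQUEST, SECRET))  # nothing to bind with
```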


