Connect ldaps(azure ad ds) user on wifi network with ttls/pap protocols

Alan DeKok aland at deployingradius.com
Wed Feb 15 14:49:58 UTC 2023


On Feb 15, 2023, at 9:15 AM, Chris Nzengue - dejamobile externe <chris.nzengue at dejamobile.com> wrote:
> Before introducing my issue, I would like to thank you for your help and the time you will spend helping me.

  Rumors to the contrary, we are here to help.

> What I am trying to do: I am trying to connect users who are registered on an LDAPS server to access the WiFi network. The LDAPS server is an Azure AD DS. I am also trying to use the TTLS/PAP protocol.

  That should be fine.

> Why am I trying to do it?: I want to do it because I want to secure the WiFi network and not use a single keyword. I also don't want to oblige users to know a new password and ID. I want them to use the same password and ID. I decided to use the TTLS protocol because I don't want to have to manage a certificate server. For the PAP protocol part, it is just because I saw this protocol can handle every case.

  Yes.

> What do I expect the server to do?: I expect the server to check on the LDAPS server whether the ID and the password received by the access point are right. If the ID and the password are right, then the user joins the network.

  Sure.  But it requires a little more configuration for it to work.

  We can't make that configuration the default, because it won't work for some people.  

> (2) ldap: EXPAND (&(objectClass=user)(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}))
> (2) ldap:    --> (&(objectClass=user)(sAMAccountName=chris.********))
> (2) ldap: Performing search in "ou=AADDC Users,dc=********,dc=com" with filter "(&(objectClass=user)(sAMAccountName=chris.********))", scope "sub"
> (2) ldap: Waiting for search result...
> (2) ldap: User object found at DN "CN=Chris ******** - ******** externe,OU=AADDC Users,DC=********,DC=com"
> (2) ldap: Processing user attributes
> (2) ldap: control:My_Group = 'CN=SSL_VPN_SSO,OU=AADDC Users,DC=********,DC=com'
> (2) ldap: WARNING: No "known good" password added. Ensure the admin user has permission to read the password attribute
> (2) ldap: WARNING: PAP authentication will *NOT* work with Active Directory (if that is what you were trying to configure)

   That's pretty clear.

> rlm_ldap (ldap): Released connection (6)
> (2)     [ldap] = updated
> (2)     if ((ok || updated) && User-Password && !control:Auth-Type) {
> (2)     if ((ok || updated) && User-Password && !control:Auth-Type)  -> FALSE
> (2)     [expiration] = noop
> (2)     [logintime] = noop
> (2)     [pap] = noop
> (2)   } # authorize = updated
> (2) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject

  You need to tell the server to use LDAP for authentication.

1) See the "inner-tunnel" virtual server, and look for text which says "ldap for authentication".  Uncomment that as documented.

2) Edit the bottom of the "authorize" section in the "inner-tunnel" virtual server, and add:

	if (!&control:Auth-Type && &User-Password) {
		update control {
			&Auth-Type := ldap
		}
	}

  And it should work.

  Alan DeKok.
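An added example, not from this thread or from FreeRADIUS itself: a small Python triage script that scans a radiusd -X trace for the signature of the failure quoted above (user found in LDAP, no "known good" password readable, no Auth-Type set) and maps it to the fix Alan gives. The trace, the verdict strings and the function names are constructed for this example; the DNs are placeholders.

```python
import re
from collections import defaultdict

# Constructed trace, modelled on the radiusd -X output quoted above, with a second
# (healthy) request added; names and DNs are placeholders, not real values.
SAMPLE_TRACE = """\
(2) ldap: User object found at DN "CN=Some User,OU=AADDC Users,DC=example,DC=com"
(2) ldap: WARNING: No "known good" password added. Ensure the admin user has permission to read the password attribute
(2) ldap: WARNING: PAP authentication will *NOT* work with Active Directory (if that is what you were trying to configure)
(2)     [ldap] = updated
(2)     [pap] = noop
(2) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject
(3) ldap: User object found at DN "CN=Other User,OU=AADDC Users,DC=example,DC=com"
(3)     [ldap] = ok
"""

REQ_ID = re.compile(r"^\((\d+)\)")          # every debug line starts with the request number
SIGNS = {                                    # the tell-tale lines of this failure mode
    "user_found":    re.compile(r"ldap: User object found at DN"),
    "no_known_good": re.compile(r'ldap: WARNING: No "known good" password'),
    "ad_pap":        re.compile(r"ldap: WARNING: PAP authentication will \*NOT\* work"),
    "no_auth_type":  re.compile(r"ERROR: No Auth-Type found"),
}
NEEDS_LDAP_AUTH = "user found but no password readable: set Auth-Type := ldap (bind auth)"
NO_AUTH_TYPE = "no Auth-Type set for another reason: check the authorize section"
OK = "no sign of this problem"

def scan(trace):
    """Map request id -> set of sign names seen in that request's lines."""
    seen = defaultdict(set)
    for line in trace.splitlines():
        m = REQ_ID.match(line)
        if not m:
            continue
        rid = int(m.group(1))
        seen[rid].update(name for name, pat in SIGNS.items() if pat.search(line))
    return dict(seen)

def diagnose(trace):
    """Return request id -> verdict, matching the fix given for request (2) above."""
    verdicts = {}
    for rid, signs in scan(trace).items():
        if {"user_found", "no_known_good", "no_auth_type"} <= signs:
            verdicts[rid] = NEEDS_LDAP_AUTH
        elif "no_auth_type" in signs:
            verdicts[rid] = NO_AUTH_TYPE
        else:
            verdicts[rid] = OK
    return verdicts
```

Run `diagnose(open("radiusd.log").read())` on a real debug capture to get one verdict per request number.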
