FreeRADIUS authentication through Azure Active Directory

ismael · Nov 22, 2016 · Viewed 10.9k times

I have just configured FreeRadius, but I would like to authenticate users which are in an Azure AD. I know it's possible to link FreeRADIUS with an Active Directory, but I can't find anything about Azure AD.
Does anyone know if it's possible? A possible solution could be to create an AD locally synchronized with the Azure AD, but I would like to do it directly.

Answer

Hamish Anderson · May 1, 2019

I did it with a little difficulty. John Robert Mendoza is correct but there are a few gotchas. Here are my steps:

  1. Add AADDS and LDAP to AAD https://docs.microsoft.com/en-us/azure/active-directory-domain-services/active-directory-ds-admin-guide-configure-secure-ldap. (Secure ports as you are now open to a brute force attack.)
  2. Create a linux vm (I used Ubuntu) to host Freeradius in the same vnet as your AADDS
  3. Install freeradius 3.x with ldap
    sudo apt install freeradius
    sudo apt install freeradius-ldap
  4. Configure freeradius (I will just outline the ldap to AAD configuration)
    i. edit /etc/freeradius/3.0/mods-available/ldap

These are the values I changed

    ldap {
        server = 'yourAADDSdomain.onmicrosoft.com'
        # the identity user should be a member of your AADDS admin group
        identity = '[email protected]'
        password = 'yourpassword'
        basedn = 'OU=AADDC Users,dc=yourAADDSdomain,dc=onmicrosoft,dc=com'
        user {
            filter = "(userPrincipalName=%{%{Stripped-User-Name}:-%{User-Name}})"
        }
    }

    ii. edit /etc/freeradius/3.0/sites-available/default

    server default {
        listen {
            type = auth
            ipaddr = *
            port = 0
            limit {
                max_connections = 16
                lifetime = 0
                idle_timeout = 30
            }
        }
        listen {
            ipaddr = *
            port = 0
            type = acct
            limit {
            }
        }
        authorize {
            if (!control:Auth-Type) {
                ldap
                if (ok && User-Password) {
                    update {
                        control:Auth-Type := LDAP
                    }
                }
            }
            expiration
            logintime
        }
        authenticate {
            Auth-Type LDAP {
                ldap
            }
        }
        preacct {
            preprocess
            acct_unique
        }
        accounting {
            detail
            unix
            radutmp
            exec
            attr_filter.accounting_response
        }
        session {
            radutmp
        }
        post-auth {
            exec
            Post-Auth-Type REJECT {
                attr_filter.access_reject
            }
        }
        pre-proxy {
        }
        post-proxy {
            eap
        }
    }

Some other points:
Use radtest to test this out.
Use ldp.exe from a Windows machine to connect to your LDAP server and check what it is returning.

Links:
https://docs.microsoft.com/en-us/azure/active-directory-domain-services/active-directory-ds-admin-guide-configure-secure-ldap
https://wiki.freeradius.org/guide/Getting-Started
https://medium.com/@georgijsr/freeradius-2-1-12-ubuntu-14-04-server-with-ldap-authentication-and-ldap-fail-over-6611624ff2c9
Freeradius + Openldap ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user
http://freeradius.1045715.n5.nabble.com/guide-on-configuring-freeradius-3-LDAP-td5748776.html
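Added example (not from the answer, and not FreeRADIUS's own code): a small Python model of how the `user { filter = ... }` line from the ldap module above is expanded for each request. The `%{%{Stripped-User-Name}:-%{User-Name}}` xlat uses Stripped-User-Name when a realm module has removed the domain and otherwise falls back to User-Name, and the substituted value is RFC 4515-escaped in a single pass so that a crafted username cannot change the structure of the search filter or be expanded a second time. The sample requests are constructed.

```python
import re

# RFC 4515 escaping for values placed inside an LDAP search filter.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def ldap_escape(value):
    """Escape a value so it cannot alter the structure of the filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


# One regex, one pass: %{%{A}:-%{B}} (A, or B when A is absent/empty) or %{Attr}.
_XLAT = re.compile(
    r"%\{%\{([A-Za-z0-9-]+)\}:-%\{([A-Za-z0-9-]+)\}\}"  # groups 1 and 2
    r"|%\{([A-Za-z0-9-]+)\}"                            # group 3
)


def expand(xlat, attrs):
    """Expand the two xlat forms used in the filter against request attributes.

    Substituted text is never rescanned, so a username such as
    "%{User-Password}" stays a literal string instead of being expanded.
    """
    def sub(m):
        a, b, plain = m.groups()
        if plain is not None:
            value = attrs.get(plain, "")
        else:
            value = attrs.get(a) or attrs.get(b, "")
        return ldap_escape(value)
    return _XLAT.sub(sub, xlat)


# The filter template from the ldap module configuration above.
FILTER = "(userPrincipalName=%{%{Stripped-User-Name}:-%{User-Name}})"


def user_filter(attrs):
    """Build the per-request LDAP filter from a dict of RADIUS attributes."""
    return expand(FILTER, attrs)


if __name__ == "__main__":
    # Constructed sample requests (hypothetical usernames and domain).
    print(user_filter({"User-Name": "alice@yourAADDSdomain.onmicrosoft.com"}))
    # After realm stripping the value is a bare name, which no longer looks like a UPN.
    print(user_filter({"User-Name": "alice@x.onmicrosoft.com", "Stripped-User-Name": "alice"}))
    # Filter metacharacters in the username are neutralised by escaping.
    print(user_filter({"User-Name": "*)(objectClass=*"}))
```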