FreeRADIUS authentication through Azure Active Directory
I have just configured FreeRADIUS, but I would like to authenticate users who are in an Azure AD. I know it's possible to link FreeRADIUS with an Active Directory, but I can't find anything about Azure AD.
Does anyone know if it's possible? A possible solution could be to create an AD locally, synchronized with the Azure AD, but I would like to do it directly.

Prophesy answered 22/11, 2016 at 17:21 Comment(2)
I am also looking for a FreeRADIUS solution with Azure AD. Reading this thread I think it should be possible... – Schroth
Here is an explanation of how to do it with typical Active Directory, but that's NOT the same as Azure AD! – Schroth

I did it with a little difficulty. John Robert Mendoza is correct but there are a few gotchas. Here are my steps:

  1. Add AADDS and LDAP to AAD https://learn.microsoft.com/en-us/azure/active-directory-domain-services/active-directory-ds-admin-guide-configure-secure-ldap. (Secure ports as you are now open to a brute force attack.)
  2. Create a linux vm (I used Ubuntu) to host Freeradius in the same vnet as your AADDS
  3. Install freeradius 3.x with ldap
    sudo apt install freeradius
    sudo apt install freeradius-ldap
  4. Configure freeradius (I will just outline the ldap to AAD configuration)
    i. edit /etc/freeradius/3.0/mods-available/ldap

These are the values I changed

    ldap {
        server = 'yourAADDSdomain.onmicrosoft.com'
        # the identity user should be a member of your AADDS admin group
        identity = '[email protected]'
        password = 'yourpassword'
        basedn = 'OU=AADDC Users,dc=yourAADDSdomain,dc=onmicrosoft,dc=com'
        user {
            # straight double quotes: the %{...} expansion only happens inside double-quoted strings
            filter = "(userPrincipalName=%{%{Stripped-User-Name}:-%{User-Name}})"
        }
    }

    ii. edit /etc/freeradius/3.0/sites-available/default

    server default {
        listen {
            type = auth
            ipaddr = *
            port = 0
            limit {
                max_connections = 16
                lifetime = 0
                idle_timeout = 30
            }
        }
        listen {
            ipaddr = *
            port = 0
            type = acct
            limit {
            }
        }
        authorize {
            if (!control:Auth-Type) {
                ldap
                if (ok && User-Password) {
                    update {
                        control:Auth-Type := LDAP
                    }
                }
            }
            expiration
            logintime
        }
        authenticate {
            Auth-Type LDAP {
                ldap
            }
        }
        preacct {
            preprocess
            acct_unique
        }
        accounting {
            detail
            unix
            radutmp
            exec
            attr_filter.accounting_response
        }
        session {
            radutmp
        }
        post-auth {
            exec
            Post-Auth-Type REJECT {
                attr_filter.access_reject
            }
        }
        pre-proxy {
        }
        post-proxy {
            eap
        }
    }

Some other points:
Use radtest to test this out.
Use ldp.exe from a Windows machine to connect to your LDAP to check out what it is returning.

Links:
https://learn.microsoft.com/en-us/azure/active-directory-domain-services/active-directory-ds-admin-guide-configure-secure-ldap
https://wiki.freeradius.org/guide/Getting-Started
https://medium.com/@georgijsr/freeradius-2-1-12-ubuntu-14-04-server-with-ldap-authentication-and-ldap-fail-over-6611624ff2c9
Freeradius + Openldap ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user
http://freeradius.1045715.n5.nabble.com/guide-on-configuring-freeradius-3-LDAP-td5748776.html

Encephalogram answered 1/5, 2019 at 3:22 Comment(3)
That ldap module config is not accepted by my FreeRADIUS install. Syntax error: Expected comma after '': “(userPrincipalName=%{%{Stripped-User-Name}:-%{User-Name}})”. LDAP module config: gist.github.com/aidanbritnell/36f803ac52de7345173506ec0dc4da25 – Bourse
My apologies for the confusion, I only posted the values I changed. I posted my full ldap config: gist.github.com/changchup/325c28721f11e7e5a06e5bb06dab01ca – Encephalogram
Thanks Hamish, it was just a problem with encoding my ldap text file! – Bourse
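Added example (my own configuration, not the answer's config and not a stock FreeRADIUS file): the same `ldap` module section, but with the transport turned into certificate-verified LDAPS, which is what the secure-LDAP setup from step 1 provides on the AADDS side. Without the `tls` block the bind password and every user password FreeRADIUS checks cross the vnet in clear text. The hostname, bind account, base DN and CA path are placeholders to replace with your own values; `base_dn`, the `user` subsection and the `tls` keys (`ca_file`, `require_cert`, `start_tls`) are the ones present in the FreeRADIUS 3.x `mods-available/ldap` file.

```conf
ldap {
    # Placeholder: the secure-LDAP hostname you published for the managed domain.
    # An ldaps:// URL makes the connection TLS from the first byte (port 636).
    server = 'ldaps://ldaps.yourAADDSdomain.onmicrosoft.com'
    port = 636

    # Placeholder: a dedicated bind account used only for the RADIUS lookups
    identity = 'radius-bind@yourAADDSdomain.onmicrosoft.com'
    password = 'bind-password-placeholder'

    # Placeholder: the AADDS user container, as in the answer above
    base_dn = 'OU=AADDC Users,DC=yourAADDSdomain,DC=onmicrosoft,DC=com'

    user {
        base_dn = "${..base_dn}"
        # Straight double quotes so %{...} is expanded; the fallback picks
        # Stripped-User-Name when a realm was stripped, otherwise User-Name
        filter = "(userPrincipalName=%{%{Stripped-User-Name}:-%{User-Name}})"
    }

    tls {
        # Placeholder path: the CA that issued the certificate you uploaded to AADDS
        ca_file = /etc/freeradius/3.0/certs/aadds-ca.pem
        # 'demand': refuse the connection if the server certificate does not verify
        require_cert = 'demand'
        # Not StartTLS on 389; the ldaps:// URL above already negotiates TLS
        start_tls = no
    }
}
```

Keep the network security group closed so that only the FreeRADIUS VM can reach port 636 on the managed domain, as the other answers here suggest, then test with radtest as above. If the bind fails, running the server in debug mode (`freeradius -X`) prints the TLS handshake result and the exact search filter the module sends, which is usually enough to tell a certificate problem from a wrong base DN or filter.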

You'll have to enable secure LDAP for your managed domain in Azure AD Domain Services [1] and then configure rlm_ldap in FreeRADIUS [2] to use Azure AD as the LDAP authentication source. You would want to restrict connections to your Azure AD IP address using access controls, to block unauthorized clients from sending unsolicited LDAP search queries to your domain service and extracting sensitive user information.

References:

[1] https://learn.microsoft.com/en-us/azure/active-directory-domain-services/active-directory-ds-admin-guide-configure-secure-ldap

[2] https://wiki.freeradius.org/protocol/LDAP

Piecemeal answered 16/3, 2018 at 8:12 Comment(0)

I figured out that if you have your "Azure AD" enabled service/host on your local network, for Azure it's working the same as for local AD. Important to understand is that you need to enable the required service so FreeRADIUS can connect to it. And just enabling it on a public IP is not recommended; better create an (IPsec) tunnel to Microsoft and enable the AD service on a local IP.

Schroth answered 12/7, 2017 at 12:52 Comment(0)
