Question
I have just configured FreeRadius, but I would like to authenticate users which are in an Azure AD. I know it's possible to link FreeRADIUS with an Active Directory, but I can't find anything about Azure AD.
Does anyone know if it's possible? A possible solution could be to create an AD locally synchronized with the Azure AD, but I would like to do it directly.
Answer 1:
I did it with a little difficulty. John Robert Mendoza is correct but there are a few gotchas. Here are my steps:
- Add AADDS and LDAP to AAD https://docs.microsoft.com/en-us/azure/active-directory-domain-services/active-directory-ds-admin-guide-configure-secure-ldap. (Secure ports as you are now open to a brute force attack.)
- Create a linux vm (I used Ubuntu) to host Freeradius in the same vnet as your AADDS
- Install freeradius 3.x with ldap
    sudo apt install freeradius
    sudo apt install freeradius-ldap
- Configure freeradius (I will just outline the ldap to AAD configuration)
i. edit /etc/freeradius/3.0/mods-available/ldap
These are the values I changed
    ldap {
        server = 'yourAADDSdomain.onmicrosoft.com'
        # the identity user should be a member of your AADDS admin group
        identity = 'user@yourAADDSdomain.onmicrosoft.com'
        password = 'yourpassword'
        basedn = 'OU=AADDC Users,dc=yourAADDSdomain,dc=onmicrosoft,dc=com'
        user {
            filter = "(userPrincipalName=%{%{Stripped-User-Name}:-%{User-Name}})"
        }
    }
ii. edit /etc/freeradius/3.0/sites-available/default
    server default {
        listen {
            type = auth
            ipaddr = *
            port = 0
            limit {
                max_connections = 16
                lifetime = 0
                idle_timeout = 30
            }
        }
        listen {
            ipaddr = *
            port = 0
            type = acct
            limit {
            }
        }
        authorize {
            if (!control:Auth-Type) {
                ldap
                if (ok && User-Password) {
                    update {
                        control:Auth-Type := LDAP
                    }
                }
            }
            expiration
            logintime
        }
        authenticate {
            Auth-Type LDAP {
                ldap
            }
        }
        preacct {
            preprocess
            acct_unique
        }
        accounting {
            detail
            unix
            radutmp
            exec
            attr_filter.accounting_response
        }
        session {
            radutmp
        }
        post-auth {
            exec
            Post-Auth-Type REJECT {
                attr_filter.access_reject
            }
        }
        pre-proxy {
        }
        post-proxy {
            eap
        }
    }
Some other points:
- Use radtest to test this out
- Use ldp.exe from a Windows machine to connect to your LDAP to check out what it is returning
links:
https://docs.microsoft.com/en-us/azure/active-directory-domain-services/active-directory-ds-admin-guide-configure-secure-ldap
https://wiki.freeradius.org/guide/Getting-Started
https://medium.com/@georgijsr/freeradius-2-1-12-ubuntu-14-04-server-with-ldap-authentication-and-ldap-fail-over-6611624ff2c9
Freeradius + Openldap ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user
http://freeradius.1045715.n5.nabble.com/guide-on-configuring-freeradius-3-LDAP-td5748776.html
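A check that can be run against the ldap module file from Answer 1, given here as an added example that is not part of the original answers or of FreeRADIUS: it reports whether the LDAP bind would travel without TLS or without certificate validation. The two sample files are constructed, and the ca_file path in the hardened sample is hypothetical.

```shell
#!/bin/sh
# Added example: audit the transport settings of a FreeRADIUS 3.x rlm_ldap file.

# Print the value of the first uncommented "KEY = value" line, quotes stripped.
ldap_setting() {  # usage: ldap_setting FILE KEY
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1 |
        sed "s/[[:space:]]*\$//; s/^['\"]//; s/['\"]\$//"
}

# Print one finding per line; print nothing when every check passes.
audit_ldap_module() (  # usage: audit_ldap_module FILE
    server=$(ldap_setting "$1" server)
    start_tls=$(ldap_setting "$1" start_tls)
    require_cert=$(ldap_setting "$1" require_cert)
    ca=$(ldap_setting "$1" ca_file)$(ldap_setting "$1" ca_path)
    case $server in
        ldaps://*) ;;  # TLS from the first byte
        *) [ "$start_tls" = yes ] ||
            echo "PLAINTEXT: server '$server' is not ldaps:// and start_tls is not yes" ;;
    esac
    [ "$require_cert" = demand ] ||
        echo "NOVERIFY: require_cert is '${require_cert:-unset}', want 'demand'"
    [ -n "$ca" ] || echo "NOCA: no ca_file or ca_path to validate the server certificate"
)

# Constructed samples: the server line as posted above, and a hardened variant.
write_samples() {  # usage: write_samples DIR
    cat > "$1/as_posted" <<'EOF'
ldap {
    server = 'yourAADDSdomain.onmicrosoft.com'
}
EOF
    cat > "$1/hardened" <<'EOF'
ldap {
    server = 'ldaps://yourAADDSdomain.onmicrosoft.com'
    tls {
        # hypothetical path to the certificate uploaded for secure LDAP
        ca_file = /etc/freeradius/3.0/certs/aadds-ldaps.pem
        require_cert = 'demand'
    }
}
EOF
}

dir=$(mktemp -d) && write_samples "$dir"
for f in as_posted hardened; do
    echo "== $f"; audit_ldap_module "$dir/$f"
done
```

On a real host, point `audit_ldap_module` at `/etc/freeradius/3.0/mods-available/ldap`; an empty result means the three transport checks passed.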
Answer 2:
You'll have to enable secure LDAP for your managed domain in Azure AD Domain Services [1] and then configure rlm_ldap in FreeRadius [2] to use Azure AD as LDAP authentication source. You would want to restrict connections to your Azure AD IP address using access controls to block unauthorized clients from sending unsolicited LDAP search queries to your domain service and extracting sensitive user information.
References:
[1] https://docs.microsoft.com/en-us/azure/active-directory-domain-services/active-directory-ds-admin-guide-configure-secure-ldap
[2] https://wiki.freeradius.org/protocol/LDAP
Answer 3:
I figured out, if you have your "Azure AD" enabled service/host on your local network, for Azure it's working the same as for local AD. Important to understand is that you need to enable the required service so FreeRADIUS can connect to it. And just enabling it on a public IP is not recommended; better create an (IPsec) tunnel to Microsoft and enable the AD service on a local IP.
Source: https://stackoverflow.com/questions/40747952/freeradius-authentication-through-azure-active-directory