Want to use Radius with Azure ADDS

Zett
Hello guys,

I have Azure ADDS and secureLDAP.
I set up freeRadius and connected to LDAP, it works so far with radtest in a normal way.
I used this for setup <https://www.nasirhafeez.com/freeradius-with-ldaps-on-azure-ad-domain-services/>.
It is PAP method with LDAP bind as user.

But actually it must be mschap, which is only working with ntlm_auth, isn’t it?

When I use:
radtest -t mschap salihzett password localhost 0 testing123
It doesn’t work.
(184) ldap: WARNING: No "known good" password added. Ensure the admin user has permission to read the password attribute
(184) ldap: WARNING: PAP authentication will *NOT* work with Active Directory (if that is what you were trying to configure)
(184) mschap: WARNING: No Cleartext-Password configured.  Cannot create NT-Password
(184) mschap: Client is using MS-CHAPv1 with NT-Password
(184) mschap: ERROR: FAILED: No NT-Password.  Cannot perform authentication
(184) mschap: ERROR: MS-CHAP2-Response is incorrect

I found this hint <http://lists.freeradius.org/pipermail/freeradius-users/2011-November/057120.html>, but I don’t know how I need to do this for Azure ADDS. To create a user who has permissions to read the cleartext password.
Maybe there are also other ways since 2011.

Actually the way is not important, the goal is important :) So if anyone has a hint for me for using Radius with Azure ADDS, I am very thankful.

Thanks
S.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Want to use Radius with Azure ADDS

Alan DeKok-2


> On Nov 8, 2020, at 6:49 AM, Zett <[hidden email]> wrote:
>
> Hello guys,
>
> I have Azure ADDS and secureLDAP.
> I set up freeRadius and connected to LDAP, it works so far with radtest in a normal way.
> I used this for setup <https://www.nasirhafeez.com/freeradius-with-ldaps-on-azure-ad-domain-services/>.
> It is PAP method with LDAP bind as user.
>
> But actually it must be mschap, which is only working with ntlm_auth, isn’t it?

  Yes.  Due to limitations Microsoft added to AD.

  You can configure

> When I use:
> radtest -t mschap salihzett password localhost 0 testing123
> It doesn’t work.
> (184) ldap: WARNING: No "known good" password added. Ensure the admin user has permission to read the password attribute
> (184) ldap: WARNING: PAP authentication will *NOT* work with Active Directory (if that is what you were trying to configure)
> (184) mschap: WARNING: No Cleartext-Password configured.  Cannot create NT-Password
> (184) mschap: Client is using MS-CHAPv1 with NT-Password
> (184) mschap: ERROR: FAILED: No NT-Password.  Cannot perform authentication
> (184) mschap: ERROR: MS-CHAP2-Response is incorrect
>
> I found this hint <http://lists.freeradius.org/pipermail/freeradius-users/2011-November/057120.html>, but I don’t know how I need to do this for Azure ADDS. To create a user who has permissions to read the cleartext password.
> Maybe there are also other ways since 2011.
>
> Actually the way is not important, the goal is important :) So if anyone has a hint for me for using Radius with Azure ADDS, I am very thankful.

  It's not clear that it's possible at all.

  Alan DeKok.

