I have deployed AADDS on my AzureAD domain.
I have changed passwords of users to generate the initial sync hash.
I have created a FreeRADIUS VM under Ubuntu 18.04 LTS capable of connecting through LDAP inside the AADDS subnet with a user in the "AAD DC Administrators" group.
I have set up an Ubiquiti UniFi UAP nanoHD WPA2 Enterprise wireless network with a RADIUS profile to authenticate against the FreeRADIUS VM.
Testing Wi-Fi login with an iPhone XR and a Windows 10 laptop.
The initial LDAP authentication to bind is successful.
User is matched successfully in the directory.
User attributes are processed with warnings.
(2) ldap: Processing user attributes
(2) ldap: WARNING: No "known good" password added. Ensure the admin user has permission to read the password attribute
(2) ldap: WARNING: PAP authentication will *NOT* work with Active Directory (if that is what you were trying to configure)
Authentication fails since there is no mapped "User-Password" attribute available.
(2) [ldap] = ok
(2) if ((ok || updated) && User-Password) {
(2) if ((ok || updated) && User-Password) -> FALSE
(2) [expiration] = noop
(2) [logintime] = noop
(2) } # authorize = ok
(2) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject
(2) Failed to authenticate the user
I have researched and tried the following.
"ntlm_auth" is not possible at the moment because of Samba limitations (only for Azure Files).
Changing the value of "dsHeuristics" in the Active Directory settings to enable the "userPassword" attribute is not possible because of the permission limitations of AADDS.
***Call Modify...
ldap_modify_s(ld, 'CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=example,DC=com',[1] attrs);
Error: Modify: Insufficient Rights. <50>
Server error: 00002098: SecErr: DSID-03150E49, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
Error 0x2098 Insufficient access rights to perform the operation.
My settings are exactly as shown at https://stackoverflow.com/a/55931232/5163441
This person claims it works as is for him, so it is finding an attribute to compare for the password.
I don't see any relevant attribute I could use for authentication.
Dn: CN=John Smith,OU=AADDC Users,DC=example,DC=com
accountExpires: 9223372036854775807 (never);
badPasswordTime: 0 (never);
badPwdCount: 0;
cn: John Smith;
codePage: 0;
countryCode: 0;
displayName: John Smith;
distinguishedName: CN=John Smith,OU=AADDC Users,DC=example,DC=com;
dSCorePropagationData (2): 8/13/2019 7:53:04 PM Coordinated Universal Time; 0x0 = ( );
instanceType: 0x4 = ( WRITE );
lastLogoff: 0 (never);
lastLogon: 8/14/2019 6:17:50 PM Coordinated Universal Time;
lastLogonTimestamp: 8/14/2019 4:05:51 PM Coordinated Universal Time;
logonCount: 4;
mail: jsmith@example.com;
memberOf (13): OU=AADDC Users,DC=example,DC=com; CN=AAD DC Administrators,OU=AADDC Users,DC=chr,DC=cl;
msDS-AzureADMailNickname: jsmith;
msDS-AzureADObjectId: <ldp: Binary blob 16 bytes>;
name: John Smith;
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=example,DC=com;
objectClass (4): top; person; organizationalPerson; user;
objectGUID: a8123123-3f4f-4123-9123-b530ff123123;
objectSid: S-1-5-21-545123123123-358123123-844123123-1123;
preferredLanguage: en-US;
primaryGroupID: 513 = ( GROUP_RID_USERS );
pwdLastSet: 8/14/2019 2:19:10 PM Coordinated Universal Time;
sAMAccountName: jsmith;
sAMAccountType: 805306368 = ( NORMAL_USER_ACCOUNT );
userAccountControl: 0x200 = ( NORMAL_ACCOUNT );
userPrincipalName: jsmith@example.com;
uSNChanged: 30696;
uSNCreated: 20588;
whenChanged: 8/14/2019 4:06:06 PM Coordinated Universal Time;
whenCreated: 8/13/2019 7:21:29 PM Coordinated Universal Time;
I have yet to test Kerberos and maybe OAuth2.
EDIT:
I didn't check the packets that were being sent by the client, and there was something I hadn't studied before.
Sending a plain-text login with a tool such as NTRadPing authenticates correctly, since the request contains the "User-Password" attribute.
On the other hand, a login through Wi-Fi will usually be an "EAP" hashed password.
(10) Received Access-Request Id 21 from 10.0.0.50:56480 to 10.0.0.10:1812 length 217
(10) User-Name = "jsmith@example.com"
(10) NAS-Identifier = "18e829123123"
(10) Called-Station-Id = "18-E5-39-B1-E3-D1:Test"
(10) NAS-Port-Type = Wireless-802.11
(10) Service-Type = Framed-User
(10) Calling-Station-Id = "C0-91-C0-58-BA-AC"
(10) Connect-Info = "CONNECT 0Mbps 802.11a"
(10) Acct-Session-Id = "7394227D45123123"
(10) WLAN-Pairwise-Cipher = 1123123
(10) WLAN-Group-Cipher = 1123123
(10) WLAN-AKM-Suite = 1123123
(10) Framed-MTU = 1400
(10) EAP-Message = 0x02fe001231236d617274696e657a40636872123123
(10) Message-Authenticator = 0x5fd0a8123123984b6b996f2941123123
I will continue researching.
EDIT 2:
I cannot find a viable way to do this as of now, but I have found another way to make RADIUS work through NPS with AADDS.
- Create a Windows Server VM in the AADDS subnet and install the NPS role.
- Configure NPS, but don't register it in the domain, since that won't work because AADDS doesn't give you the required permissions to do so.
- Configure your RADIUS client to point to this NPS server and it will still work; the NPS server doesn't have to be registered in the domain for RADIUS to work.
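The turning point in the question is the difference between the NTRadPing request (carries User-Password, so the LDAP module can bind as the user) and the Wi-Fi request (carries only EAP-Message, so no cleartext password ever reaches LDAP). The following script is an added example, not code from the question or from FreeRADIUS: it parses `radiusd -X` style Access-Request lines, reports which of the two cases a request falls into, decodes the outer EAP packet header per RFC 3748, and flags the "No known good password" warning. The log lines embedded in it are constructed to resemble the ones above; the `0x02010017...` EAP-Message is a constructed Identity response for `jsmith@example.com`, not the anonymized bytes from the post.

```python
"""Classify FreeRADIUS debug (radiusd -X) Access-Requests by authentication method.

Added example for the question above; not from the post or from FreeRADIUS.
All sample log lines below are constructed.
"""
import re
from typing import Dict, List

# Matches attribute lines such as `(10)   User-Name = "jsmith@example.com"`.
_ATTR_RE = re.compile(r'^\(\d+\)\s+([A-Za-z0-9-]+)\s*=\s*(.*?)\s*$')

# EAP codes and a few common EAP types from RFC 3748 and the method RFCs (constants, not from the post).
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 13: "EAP-TLS",
             21: "EAP-TTLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}

LDAP_PASSWORD_WARNING = 'No "known good" password added'


def parse_attributes(lines: List[str]) -> Dict[str, str]:
    """Collect RADIUS attributes from debug lines; quoted strings lose their quotes."""
    attrs: Dict[str, str] = {}
    for line in lines:
        m = _ATTR_RE.match(line.strip())
        if not m:
            continue  # e.g. the "Received Access-Request ..." header line
        name, value = m.groups()
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        attrs[name] = value
    return attrs


def parse_eap_message(hex_value: str) -> Dict[str, object]:
    """Decode the outer EAP header (code, id, length, type) of an EAP-Message attribute."""
    raw = bytes.fromhex(hex_value[2:] if hex_value.lower().startswith("0x") else hex_value)
    if len(raw) < 4:
        raise ValueError("EAP packet shorter than the 4-byte header")
    code, ident = raw[0], raw[1]
    length = int.from_bytes(raw[2:4], "big")
    if length != len(raw):
        raise ValueError(f"EAP length field {length} does not match payload size {len(raw)}")
    info: Dict[str, object] = {"code": EAP_CODES.get(code, f"unknown({code})"),
                               "id": ident, "length": length}
    if code in (1, 2) and length >= 5:  # Request/Response carry a Type byte
        eap_type = raw[4]
        info["type"] = EAP_TYPES.get(eap_type, f"unknown({eap_type})")
        if eap_type == 1:  # Identity: the rest of the packet is the outer identity
            info["identity"] = raw[5:].decode("utf-8", errors="replace")
    return info


def classify_request(lines: List[str]) -> Dict[str, object]:
    """Say whether the request carries a cleartext password (PAP) or only EAP."""
    attrs = parse_attributes(lines)
    result: Dict[str, object] = {"user": attrs.get("User-Name"), "method": "unknown",
                                 "cleartext_password_present": False}
    if "User-Password" in attrs:
        # PAP: FreeRADIUS can authenticate by binding to LDAP as the user.
        result["method"] = "PAP"
        result["cleartext_password_present"] = True
    elif "EAP-Message" in attrs:
        # EAP: no cleartext password in the RADIUS request. The LDAP module has nothing
        # to bind with, and inner methods such as MSCHAPv2 need a password or NT hash the
        # server can read, which is what the "No known good password" warning is about.
        result["method"] = "EAP"
        result["eap"] = parse_eap_message(attrs["EAP-Message"])
    return result


def ldap_password_warning_present(lines: List[str]) -> bool:
    """Detect the rlm_ldap warning that appears when no password attribute is readable."""
    return any(LDAP_PASSWORD_WARNING in line for line in lines)


# Constructed sample: a Wi-Fi (802.1X) request carrying only an EAP Identity response.
SAMPLE_EAP_REQUEST = """\
(10) Received Access-Request Id 21 from 10.0.0.50:56480 to 10.0.0.10:1812 length 217
(10)   User-Name = "jsmith@example.com"
(10)   NAS-Port-Type = Wireless-802.11
(10)   Calling-Station-Id = "C0-91-C0-58-BA-AC"
(10)   EAP-Message = 0x02010017016a736d697468406578616d706c652e636f6d
(10)   Message-Authenticator = 0x00000000000000000000000000000000
""".splitlines()

# Constructed sample: a PAP request such as NTRadPing would send.
SAMPLE_PAP_REQUEST = """\
(11) Received Access-Request Id 22 from 10.0.0.60:1234 to 10.0.0.10:1812 length 60
(11)   User-Name = "jsmith@example.com"
(11)   User-Password = "constructed-sample-password"
""".splitlines()

SAMPLE_LDAP_LINES = """\
(2) ldap: Processing user attributes
(2) ldap: WARNING: No "known good" password added. Ensure the admin user has permission to read the password attribute
""".splitlines()

if __name__ == "__main__":
    print(classify_request(SAMPLE_EAP_REQUEST))
    print(classify_request(SAMPLE_PAP_REQUEST))
    print("LDAP password warning:", ldap_password_warning_present(SAMPLE_LDAP_LINES))
```

Run against a real `radiusd -X` capture, the classifier makes the asymmetry visible: the PAP request reports `cleartext_password_present: True`, while the Wi-Fi request reports an EAP Identity response and nothing the LDAP module could bind with, which is the reason the same server configuration behaves differently for NTRadPing and for the access point.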