Question
I have just configured FreeRadius, but I would like to authenticate users which are in an Azure AD. I know it's possible to link FreeRADIUS with an Active Directory, but I can't find anything about Azure AD.
Does anyone know if it's possible? A possible solution could be to create an AD locally synchronized with the Azure AD, but I would like to do it directly.
Recommended answer
I did it with a little difficulty. John Robert Mendoza is correct but there are a few gotchas. Here are my steps:
- Add AADDS and LDAP to AAD: https://docs.microsoft.com/en-us/azure/active-directory-domain-services/active-directory-ds-admin-guide-configure-secure-ldap (Secure ports as you are now open to a brute force attack.)
- Create a linux vm (I used Ubuntu) to host Freeradius in the same vnet as your AADDS
- Install freeradius 3.x with ldap:
  sudo apt install freeradius
  sudo apt install freeradius-ldap
- Configure freeradius (I will just outline the ldap to AAD configuration)
  i. edit /etc/freeradius/3.0/mods-available/ldap
These are the values I changed:
ldap {
    server = 'yourAADDSdomain.onmicrosoft.com'
    # the identity user should be a member of your AADDS admin group
    identity = '[email protected]'
    password = 'yourpassword'
    basedn = 'OU=AADDC Users,dc=yourAADDSdomain,dc=onmicrosoft,dc=com'
    user {
        filter = "(userPrincipalName=%{%{Stripped-User-Name}:-%{User-Name}})"
    }
}
ii. edit /etc/freeradius/3.0/sites-available/default
server default {
    listen {
        type = auth
        ipaddr = *
        port = 0
        limit {
            max_connections = 16
            lifetime = 0
            idle_timeout = 30
        }
    }
    listen {
        ipaddr = *
        port = 0
        type = acct
        limit {
        }
    }
    authorize {
        if (!control:Auth-Type) {
            ldap
            if (ok && User-Password) {
                update {
                    control:Auth-Type := LDAP
                }
            }
        }
        expiration
        logintime
    }
    authenticate {
        Auth-Type LDAP {
            ldap
        }
    }
    preacct {
        preprocess
        acct_unique
    }
    accounting {
        detail
        unix
        radutmp
        exec
        attr_filter.accounting_response
    }
    session {
        radutmp
    }
    post-auth {
        exec
        Post-Auth-Type REJECT {
            attr_filter.access_reject
        }
    }
    pre-proxy {
    }
    post-proxy {
        eap
    }
}
Some other points:
Use radtest to test this out
Use ldp.exe from a Windows machine to connect to your LDAP to check out what it is returning
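The two checks above (LDAP lookup, then radtest) combined into one script, as an added example that is not part of the original answer. It rebuilds the exact filter the ldap module uses, with RFC 4515 escaping so a username containing `*` or `(` cannot malform the manual query, and assumes placeholder values for the bind identity, password, AADDS domain and RADIUS shared secret that you must replace.

```shell
#!/bin/sh
# Added example (not from the original answer): reproduce the lookup the
# FreeRADIUS ldap module performs against AADDS, so you can tell whether a
# rejection comes from LDAP or from RADIUS. Replace the placeholder values.
LDAP_URI='ldaps://yourAADDSdomain.onmicrosoft.com:636'      # placeholder
BIND_DN='svc-radius@yourAADDSdomain.onmicrosoft.com'        # placeholder
BIND_PW='yourpassword'                                      # placeholder
BASE_DN='OU=AADDC Users,dc=yourAADDSdomain,dc=onmicrosoft,dc=com'
RADIUS_SECRET='testing123'                                  # placeholder

# Escape a value for use inside an LDAP search filter (RFC 4515).
# Backslash must be handled first so the other escapes are not re-escaped.
ldap_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' \
                           -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Build the same filter as mods-available/ldap:
#   (userPrincipalName=%{%{Stripped-User-Name}:-%{User-Name}})
# $1 = User-Name, $2 = Stripped-User-Name (optional, used when set).
radius_ldap_filter() {
    name="${2:-$1}"
    printf '(userPrincipalName=%s)' "$(ldap_escape "$name")"
}

# Step 1: can the bind identity find the user under the configured base DN?
ldap_check_user() {
    ldapsearch -LLL -H "$LDAP_URI" -D "$BIND_DN" -w "$BIND_PW" \
        -b "$BASE_DN" "$(radius_ldap_filter "$1")" userPrincipalName \
        | grep -q '^userPrincipalName:'
}

# Step 2: does FreeRADIUS accept the same user with a password?
radius_check_user() {
    radtest "$1" "$2" 127.0.0.1 0 "$RADIUS_SECRET" | grep -q 'Access-Accept'
}

# Usage: sh check.sh --check user@yourAADDSdomain.onmicrosoft.com password
if [ "${1:-}" = "--check" ]; then
    ldap_check_user "$2" && echo "LDAP: user found" || echo "LDAP: not found"
    radius_check_user "$2" "$3" && echo "RADIUS: accept" || echo "RADIUS: reject"
fi
```

If the LDAP step finds the user but radtest still rejects, the problem is in the RADIUS side (authorize/authenticate sections or the shared secret), not in the AADDS bind.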
Links:
https://docs.microsoft.com/zh-CN/azure/active-directory-domain-services/active-directory-ds-admin-guide-configure-secure-ldap
https://wiki.freeradius.org/guide/Getting-Started
https://medium.com/@georgijsr/freeradius-2-1-12-ubuntu-14-04-server-with-ldap-authentication-and-ldap-fail-over-6611624ff2c9
Freeradius + Openldap error: No authentication method found for the request (Auth-Type): rejecting the user
http://freeradius.1045715.n5.nabble.com/guide-on-configuring-freeradius-3-LDAP-td5748776.html