FreeRADIUS authentication through Azure Active Directory

Question

I have just configured FreeRadius, but I would like to authenticate users which are in an Azure AD. I know it's possible to link FreeRADIUS with an Active Directory, but I can't find anything about Azure AD.
Does anyone knows if it's possible? A possible solution could be to create an AD locally synchronized with the Azure AD, but I would like to do it directly.

Answer 1

I did it with a little difficulty. John Robert Mendoza is correct but there are a few gotchas. Here are my steps:

1. Add AADDS and LDAP to AAD https://learn.microsoft.com/en-us/azure/active-directory-domain-services/active-directory-ds-admin-guide-configure-secure-ldap. (Secure ports as you are now open to a brute force attack.)
2. Create a linux vm (I used Ubuntu) to host Freeradius in the same vnet as your AADDS
3. Install freeradius 3.x with ldap
   sudo apt install freeradius
   sudo apt install freeradius-ldap
4. Configure freeradius (I will just outline the ldap to AAD configuration)
   i. edit /etc/freeradius/3.0/mods-available/ldap

These are the values I changed

    ldap {
        server = 'yourAADDSdomain.onmicrosoft.com'
        #the identity user should be a member of you AADDS admin group
        identity = '[email protected]' 
        password = 'yourpassword'
        basedn = 'OU=AADDC Users,dc=yourAADDSdomain,dc=onmicrosoft,dc=com'
        user {
           filter = “(userPrincipalName=%{%{Stripped-User-Name}:-%{User-Name}})”
        }
    }

ii. edit /etc/freeradius/3.0/sites-available/default

server default {
    listen {
        type = auth
        ipaddr = *
        port = 0
        limit {
              max_connections = 16
              lifetime = 0
              idle_timeout = 30
        }
    }
    listen {
        ipaddr = *
        port = 0
        type = acct
        limit {
        }
    }
    authorize {
         if (!control:Auth-Type) {
              ldap
              if (ok && User-Password) {
                      update {
                      control:Auth-Type := LDAP
                      }
              }
        }
        expiration
        logintime
    }
    authenticate {
        Auth-Type LDAP {
               ldap
        }
    }
    preacct {
        preprocess
        acct_unique
    }
    accounting {
        detail
        unix
        radutmp
        exec
        attr_filter.accounting_response
    }
    session {
        radutmp
    }
    post-auth {
        exec
        Post-Auth-Type REJECT {
                attr_filter.access_reject
        }
    } 
    pre-proxy {
    }
    post-proxy {
        eap
    }
}

Some other points:
Use radtest to test this out
use ldp.exe from a windows machine to connect to your ldap to check out what it is returning

links:
https://learn.microsoft.com/en-us/azure/active-directory-domain-services/active-directory-ds-admin-guide-configure-secure-ldap
https://wiki.freeradius.org/guide/Getting-Started
https://medium.com/@georgijsr/freeradius-2-1-12-ubuntu-14-04-server-with-ldap-authentication-and-ldap-fail-over-6611624ff2c9
Freeradius + Openldap ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user
http://freeradius.1045715.n5.nabble.com/guide-on-configuring-freeradius-3-LDAP-td5748776.html

Answer 2

You'll have to enable secure LDAP for your managed domain in Azure AD Domain Services [1] and then configure rlm_ldap in FreeRadius [2] to use Azure AD as LDAP authentication source. You would want to restrict connections to your Azure AD IP address using access controls to block unauthorized clients from sending unsolicited LDAP search queries to your domain service and extracting sensitive user information.

References:

[1] https://learn.microsoft.com/en-us/azure/active-directory-domain-services/active-directory-ds-admin-guide-configure-secure-ldap

[2] https://wiki.freeradius.org/protocol/LDAP