RaffaelLuthiger-2394 asked ramisohail commented

RADIUS and Azure AD

Is it somehow possible to have RADIUS capabilities with Azure AD? Or do I have to install my own RADIUS server which is then sending LDAP requests to Azure AD? Or what other options do I have when I want to authenticate on switches and access points with Azure AD?

azure-active-directory

amanpreetsingh-msft answered HerwinWest-1640 commented

@RaffaelLuthiger-2394 You can use the NPS Extension to use RADIUS capabilities with Azure AD. Azure AD doesn't understand LDAP and works with REST (REpresentational State Transfer). REST is a web-standards-based architecture and uses the HTTP protocol. The NPS Extension converts RADIUS calls to REST calls to allow it to work with Azure AD.


Please "accept as answer" wherever the information provided helps you to help others in the community.


@amanpreetsingh-msft But this would then mean that I need to install an Azure MFA Server as well? Then this would apply as well:

New customers may no longer purchase Azure Multi-Factor Authentication as a standalone offering effective September 1st, 2018. Multi-factor authentication will continue to be an available feature in Azure AD Premium licenses.

Is my assumption correct?

piaudonn (replying to RaffaelLuthiger-2394)

The NPS extension has no dependency on Azure MFA Server; it talks directly to Azure AD. See the following documentation: https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension.
Note that if you are using RADIUS for your VPN servers, some vendors (Citrix, Cisco...) also support a direct integration with Azure AD (the VPN platform will then be an Enterprise Application in Azure AD, controlled like other apps through Conditional Access Policies).


Thank you @piaudonn. This document was the missing link!


This does imply that it would be possible to make those REST calls from any RADIUS server without having to use an NPS install. But the only authentication method I can find is based on OAuth2, which does require a plaintext password to work (https://github.com/jimdigriz/freeradius-oauth2-perl does implement this for FreeRADIUS). Using PEAP/MSCHAPv2 is pretty much the default for password authentication, but this cannot work with OAuth2. Is there any REST API call that can be used to verify an MSCHAPv2 hash?

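To make the point in the comment above concrete: with PAP, the RADIUS server itself recovers the user's plaintext password from the hidden User-Password attribute (RFC 2865 section 5.2), which is exactly what an OAuth2 password grant needs, whereas an MS-CHAPv2 request carries only a challenge/response and no password at all. The following is an added example written for this thread, not code from the discussion, FreeRADIUS or the freeradius-oauth2-perl module; the shared secret and Request Authenticator are constructed sample values.

```python
import hashlib
import struct
# Constructed sample values; a real NAS sends 16 random Request Authenticator bytes per packet.
SHARED_SECRET = b"example-shared-secret"
AUTHENTICATOR = bytes(range(16))
ACCESS_REQUEST, USER_NAME, USER_PASSWORD = 1, 1, 2

def _xor_chain(data, secret, authenticator, decrypt):
    """RFC 2865 s5.2: block i is XORed with MD5(secret + previous hidden block)."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        xored = bytes(x ^ y for x, y in zip(block, mask))
        out += xored
        prev = block if decrypt else xored   # chain on the hidden (wire) block
    return out

def hide_password(password, secret, authenticator):
    """NAS side: NUL-pad to a multiple of 16 (max 128) and hide the password."""
    if not 0 < len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password.ljust(-(-len(password) // 16) * 16, b"\x00")
    return _xor_chain(padded, secret, authenticator, decrypt=False)

def unhide_password(hidden, secret, authenticator):
    """Server side: recover the plaintext, which is what a REST/OAuth2 password grant needs."""
    return _xor_chain(hidden, secret, authenticator, decrypt=True).rstrip(b"\x00")

def build_access_request(ident, username, password, secret, authenticator):
    """Minimal PAP Access-Request: 20-byte header, then User-Name and User-Password TLVs."""
    hidden = hide_password(password, secret, authenticator)
    attrs = (struct.pack("BB", USER_NAME, 2 + len(username)) + username
             + struct.pack("BB", USER_PASSWORD, 2 + len(hidden)) + hidden)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def parse_access_request(packet, secret):
    """Server side: validate the header, walk the TLVs and recover the credentials."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet) or length < 20:
        raise ValueError("not a well-formed Access-Request")
    authenticator, attrs, pos = packet[4:20], {}, 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return {"id": ident, "username": attrs[USER_NAME].decode(),
            "password": unhide_password(attrs[USER_PASSWORD], secret, authenticator)}
```

Because the hiding is only MD5 keyed with the shared secret, anyone holding that secret on the RADIUS path sees the plaintext; that is the trust boundary a RADIUS-to-REST bridge has to live within, and it is why the MS-CHAPv2 route cannot be converted: the server would need the NT hash, which no OAuth2 password grant exposes.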
WarrenDilley-6331 answered RaffaelLuthiger-2394 commented

Is it possible to run FreeRadius as a container in Azure and have it authenticate against Azure AD and/or AADDS?


FreeRADIUS speaks LDAP with Active Directory. Azure AD is OAuth-based. So FreeRADIUS is not able to talk with Azure AD. Maybe it could work with AADDS, but then why should I have two components (FreeRADIUS and AADDS) when I can have the same with only one?

MuhammedSuhail-2789 answered MuhammedSuhail-2789 edited

@amanpreetsingh-msft @piaudonn, what if there is no on-premises Active Directory to perform the primary authentication for the RADIUS?
Can NPS do primary authentication with AAD?


amanpreetsingh-msft answered

@MuhammedSuhail-2789 NPS cannot do primary auth with AAD; it has to be on-prem AD. Only second-factor authentication can be done with AAD. The reason is that the NPS extension converts RADIUS calls to REST calls that AAD understands. The NPS extension comes into the picture after primary auth is done by the NPS server, and the NPS server cannot convert RADIUS calls to REST calls.


AnujRana-1707 answered ramisohail commented

If there is no Active Directory and you want to use the NPS extension to perform MFA, you can set up an Azure AD Domain Services instance. Join your NPS extension server to the Azure AD Domain Services domain, and your users should be able to use their Azure AD credentials for primary authentication. Let me know if this helps or if you have any questions around it.


@MuhammedSuhail-2789 and @AnujRana-1707 Registering the NPS server is not yet supported with Azure AD DS. There is active feedback regarding this which is still under review. Please refer to the link below:

https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/34781713-support-nps-radius-for-azure-ad-domain-services

So, as of now you need to use on-prem AD for NPS primary auth.


Registering NPS is not required in AD or AADDS to perform primary authentication. The purpose of registering NPS is to grant permission to read the dial-in properties of user accounts and to add it to the RAS and IAS Servers group in Active Directory. You can set 'Ignore user dial-in properties' in the network policy and it will work without any issues. I have tested this and got it working for many customers, but it is yet to be documented due to the lack of registration capability.


So let's say I need to do an integration for Meraki wireless access points and only have Azure AD Domain Services and Azure AD in Azure. Will it work if I deploy the RADIUS server without registering it, and what exact features will I be missing with 'Ignore user dial-in properties'?

AdamCalline-3834 answered

I also advise you to consider the security analogy with using the radius protocol which in turn makes it possible to send one-time passwords via the radius service itself as the main protection. It is also worth considering that radius 2 factor authentication works on the basis of temporary protection parameters which ensures the uniqueness of this approach. Therefore, you don't need to worry about the server issue with Protocol security requests.
