RADIUS with Azure Active Directory Domain Services (LDAP and NPS)

Tags: ldap, azure-active-directory, freeradius

I have deployed AADDS on my Azure AD domain.

I have changed the user's password to generate the initial synced hashes.

I have created a FreeRADIUS VM on Ubuntu 18.04 LTS inside the AADDS subnet and can connect over LDAP with a user from the "AAD DC Administrators" group.

I have set up a Ubiquiti UniFi UAP nanoHD WPA2-Enterprise wireless network with a RADIUS profile that authenticates against the FreeRADIUS VM.

Tested the Wi-Fi login with an iPhone XR and a Windows 10 laptop.

The initial LDAP authentication for the bind succeeds.

The user is matched successfully in the directory.

A warning appears while the user attributes are processed:

(2) ldap: Processing user attributes
(2) ldap: WARNING: No "known good" password added. Ensure the admin user has permission to read the password attribute
(2) ldap: WARNING: PAP authentication will *NOT* work with Active Directory (if that is what you were trying to configure)
Authentication fails because there is no mapped "userPassword" attribute available:

(2)     [ldap] = ok
(2)     if ((ok || updated) && User-Password) {
(2)     if ((ok || updated) && User-Password)  -> FALSE
(2)     [expiration] = noop
(2)     [logintime] = noop
(2)   } # authorize = ok
(2) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject
(2) Failed to authenticate the user
I have researched and tried the following:

"ntlm_auth" is not currently possible because of a Samba limitation (Azure Files only).

Changing the value of "dsHeuristics" in the Active Directory settings to enable the "userPassword" attribute is not possible because of the AADDS permission restrictions:

***Call Modify...
ldap_modify_s(ld, 'CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=example,DC=com',[1] attrs);
Error: Modify: Insufficient Rights. <50>
Server error: 00002098: SecErr: DSID-03150E49, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

Error 0x2098 Insufficient access rights to perform the operation.
I will keep researching.

Edit 2:

So far I have not found a working way to achieve this, but I have found another approach to get RADIUS working against AADDS, through NPS:

  • Create a Windows Server VM in the AADDS subnet and install the NPS role.
  • Configure NPS, but do not register it in the domain: AADDS does not give you the permissions needed to do that, so the registration will not work.
  • Point the RADIUS clients at this NPS server; it still works, since the RADIUS server does not have to be registered in the domain in order to function.
Dn: CN=John Smith,OU=AADDC Users,DC=example,DC=com
accountExpires: 9223372036854775807 (never); 
badPasswordTime: 0 (never); 
badPwdCount: 0; 
cn: John Smith; 
codePage: 0; 
countryCode: 0; 
displayName: John Smith; 
distinguishedName: CN=John Smith,OU=AADDC Users,DC=example,DC=com; 
dSCorePropagationData (2): 8/13/2019 7:53:04 PM Coordinated Universal Time; 0x0 = (  ); 
instanceType: 0x4 = ( WRITE ); 
lastLogoff: 0 (never); 
lastLogon: 8/14/2019 6:17:50 PM Coordinated Universal Time; 
lastLogonTimestamp: 8/14/2019 4:05:51 PM Coordinated Universal Time; 
logonCount: 4; 
mail: jsmith@example.com; 
memberOf (13): OU=AADDC Users,DC=example,DC=com; CN=AAD DC Administrators,OU=AADDC Users,DC=chr,DC=cl; 
msDS-AzureADMailNickname: jsmith; 
msDS-AzureADObjectId: <ldp: Binary blob 16 bytes>; 
name: John Smith; 
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=example,DC=com; 
objectClass (4): top; person; organizationalPerson; user; 
objectGUID: a8123123-3f4f-4123-9123-b530ff123123; 
objectSid: S-1-5-21-545123123123-358123123-844123123-1123; 
preferredLanguage: en-US; 
primaryGroupID: 513 = ( GROUP_RID_USERS ); 
pwdLastSet: 8/14/2019 2:19:10 PM Coordinated Universal Time; 
sAMAccountName: jsmith; 
sAMAccountType: 805306368 = ( NORMAL_USER_ACCOUNT ); 
userAccountControl: 0x200 = ( NORMAL_ACCOUNT ); 
userPrincipalName: jsmith@example.com; 
uSNChanged: 30696; 
uSNCreated: 20588; 
whenChanged: 8/14/2019 4:06:06 PM Coordinated Universal Time; 
whenCreated: 8/13/2019 7:21:29 PM Coordinated Universal Time; 
(10) Received Access-Request Id 21 from 10.0.0.50:56480 to 10.0.0.10:1812 length 217
(10)   User-Name = "jsmith@example.com"
(10)   NAS-Identifier = "18e829123123"
(10)   Called-Station-Id = "18-E5-39-B1-E3-D1:Test"
(10)   NAS-Port-Type = Wireless-802.11
(10)   Service-Type = Framed-User
(10)   Calling-Station-Id = "C0-91-C0-58-BA-AC"
(10)   Connect-Info = "CONNECT 0Mbps 802.11a"
(10)   Acct-Session-Id = "7394227D45123123"
(10)   WLAN-Pairwise-Cipher = 1123123
(10)   WLAN-Group-Cipher = 1123123
(10)   WLAN-AKM-Suite = 1123123
(10)   Framed-MTU = 1400
(10)   EAP-Message = 0x02fe001231236d617274696e657a40636872123123
(10)   Message-Authenticator = 0x5fd0a8123123984b6b996f2941123123
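Added example, not part of the question above: the FreeRADIUS 3.0 configuration that the warning at request (2) points at. The `ldap` module can only supply a "known good" password when the bind account can read a password attribute, and AADDS never returns one over LDAP, so the remaining option on the FreeRADIUS side is to let the server bind to AADDS as the user (`Auth-Type LDAP`). That flow only works when the request carries a clear-text `User-Password`, i.e. PAP, or EAP-TTLS with PAP as the inner method. The PEAP/MSCHAPv2 profile that an iPhone and Windows 10 use by default carries no clear-text password and needs the NT hash, which neither bind-as-user nor LDAP against AADDS can provide; for that you are back to `ntlm_auth` (ruled out above) or the NPS route from Edit 2. Host names, the bind account, the CA file path and the shared secret are placeholders.

```conf
# --- /etc/freeradius/3.0/mods-available/ldap (assumed path; example values) ---
ldap {
        # Secure LDAP endpoint of the managed domain inside the VNet.
        # Assumes LDAPS has been enabled on the AADDS instance and the
        # certificate chain is trusted by the FreeRADIUS VM. Do not use
        # ldap://:389 here: with bind-as-user the clear-text password
        # travels from FreeRADIUS to the domain controller on this hop.
        server = 'ldaps://ldaps.example.com'
        port = 636

        tls {
                ca_file = /etc/ssl/certs/aadds-ldaps-ca.pem   # hypothetical path
                require_cert = 'demand'
        }

        # Service account for the initial bind: a member of "AAD DC Administrators"
        # (hypothetical account name).
        identity = 'CN=svc-radius,OU=AADDC Users,DC=example,DC=com'
        password = 'bind-password-goes-here'

        base_dn = 'OU=AADDC Users,DC=example,DC=com'

        user {
                base_dn = "${..base_dn}"
                # The NAS sends the UPN (jsmith@example.com); match either UPN or sAMAccountName.
                filter = "(|(userPrincipalName=%{User-Name})(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}))"
        }

        group {
                base_dn = "${..base_dn}"
                filter = '(objectClass=group)'
                membership_attribute = 'memberOf'
        }

        # Deliberately no 'control:Password-With-Header += userPassword' mapping in
        # an update {} block: AADDS will not return userPassword or unicodePwd, so the
        # "No known good password" warning seen in the question is expected here.
}

# --- /etc/freeradius/3.0/sites-enabled/inner-tunnel (same change in 'default') ---
authorize {
        filter_username
        chap
        mschap
        suffix
        update control {
                &Proxy-To-Realm := LOCAL
        }
        eap {
                ok = return
        }
        files
        -ldap
        # Shipped with the stock config: only requests that carry a clear-text
        # User-Password (PAP inside EAP-TTLS) are routed to the LDAP bind.
        # A PEAP/MSCHAPv2 inner request has no User-Password, so this stays
        # FALSE exactly as in the debug output above, and 'mschap' then
        # rejects it for lack of an NT hash.
        if ((ok || updated) && User-Password) {
                update {
                        control:Auth-Type := ldap
                }
        }
        expiration
        logintime
        pap
}

authenticate {
        Auth-Type PAP {
                pap
        }
        Auth-Type CHAP {
                chap
        }
        Auth-Type MS-CHAP {
                mschap
        }
        # Commented out in the stock file; enable it so FreeRADIUS authenticates
        # by binding to AADDS with the user's own credentials instead of
        # comparing a password hash it cannot read.
        Auth-Type LDAP {
                ldap
        }
        eap
}

# Check from the FreeRADIUS VM before touching the Wi-Fi profile:
#   radtest -t pap jsmith@example.com 'UserPassword' 127.0.0.1 0 testing123
# An Access-Accept here confirms the bind-as-user path; the clients must
# then be provisioned for EAP-TTLS with PAP as the inner method.
```

Both iOS and Windows 10 support EAP-TTLS with PAP natively, but it has to be configured explicitly on each client (or pushed by MDM/GPO), since their default WPA2-Enterprise profile is PEAP/MSCHAPv2. Because the inner PAP password is only protected by the TTLS tunnel, the clients must be pinned to the RADIUS server certificate (or its CA), otherwise a rogue AP with a look-alike SSID can harvest domain passwords in clear text.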