Unifi AP RADIUS auth with freeradius and Azure Active Directory

Hello guys,

I’m trying to let users of an enterprise network connect to a WiFi with RADIUS authentication.

I’m using FreeRADIUS with rlm_perl to authenticate users with their Microsoft 365 username and password, using OAuth 2 and the Password Grant flow.

The only caveat I have is that I must use PAP over EAP-TTLS because I need the cleartext password on the RADIUS server in order to authenticate against Azure AD.

It seems that Unifi APs use only MS-CHAP and I can’t use EAP-TTLS/PAP.

Do you know a way, maybe not from the Controller UI, to make the APs use EAP-TTLS/PAP?

Thanks in advance,
Roberto

It’s not something we have tested, might want to check in the UniFi forums.

I’ll definitely write a post on UI’s forum. Unfortunately I haven’t found anything related yet.

Thank you for your reply!

Btw this is the repo I’m using if someone’s interested: https://github.com/jimdigriz/freeradius-oauth2-perl (FreeRADIUS OAuth2 (OpenID Connect) using rlm_perl)


I’ve been able to get UniFi APs to work with FreeRADIUS and oauth2-perl. UniFi is not the problem. The trick is that you have to set up the Windows client with the SSID to use EAP-TTLS with PAP, either manually or via GPO/Intune. If you just try to connect to the broadcasting SSID, Windows defaults to MS-CHAP and RADIUS fails due to “No NT-Password.” When you use PAP, you don’t get SSO or automatic sign-on, but when you go to connect and enter valid Azure AD credentials, it works!

Thank you for this question and post, otherwise I never would have tried freeradius-oauth2-perl!
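The client-side profile the reply above describes, as an added example that is not part of the original thread or of the freeradius-oauth2-perl project: a Windows WLAN profile pinned to EAP-TTLS (EAP type 21) with PAP as the inner method, imported with `netsh wlan add profile` so the supplicant cannot fall back to MS-CHAPv2. The SSID, RADIUS server name and root CA thumbprint are placeholders for the reader to replace; the same XML can also be imported into an Intune Wi-Fi profile for Windows instead of being pushed with netsh.

```powershell
# Added example, not from the thread. Builds and imports a WLAN profile that forces
# EAP-TTLS with an inner PAP exchange so FreeRADIUS receives the cleartext password
# (inside the TLS tunnel) instead of an MS-CHAPv2 response it cannot verify.
# Placeholders (assumptions, replace with your own values):
$Ssid       = 'CorpWiFi'                                   # assumed SSID
$ServerName = 'radius.example.com'                         # CN/SAN of the RADIUS server certificate
$RootCaHash = '00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 00 11 22 33'  # fake SHA-1 thumbprint of the issuing CA

$profileXml = @"
<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>$Ssid</name>
  <SSIDConfig>
    <SSID>
      <name>$Ssid</name>
    </SSID>
  </SSIDConfig>
  <connectionType>ESS</connectionType>
  <connectionMode>manual</connectionMode>
  <MSM>
    <security>
      <authEncryption>
        <authentication>WPA2</authentication>
        <encryption>AES</encryption>
        <useOneX>true</useOneX>
      </authEncryption>
      <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
        <authMode>user</authMode>
        <EAPConfig>
          <EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
            <EapMethod>
              <!-- 21 = EAP-TTLS, AuthorId 311 = Microsoft's built-in TTLS method -->
              <Type xmlns="http://www.microsoft.com/provisioning/EapCommon">21</Type>
              <VendorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorId>
              <VendorType xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorType>
              <AuthorId xmlns="http://www.microsoft.com/provisioning/EapCommon">311</AuthorId>
            </EapMethod>
            <Config xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
              <EapTtls xmlns="http://www.microsoft.com/provisioning/EapTtlsConnectionPropertiesV1">
                <!-- With PAP inside, the password is protected ONLY by this TLS tunnel,
                     so pin the server name and CA and never let the user click through. -->
                <ServerValidation>
                  <ServerNames>$ServerName</ServerNames>
                  <TrustedRootCAHash>$RootCaHash</TrustedRootCAHash>
                  <DisablePrompt>true</DisablePrompt>
                </ServerValidation>
                <Phase2Authentication>
                  <PAPAuthentication />
                </Phase2Authentication>
                <Phase1Identity>
                  <!-- Send a dummy outer identity so the UPN is not leaked in the clear -->
                  <IdentityPrivacy>true</IdentityPrivacy>
                  <AnonymousIdentity>anonymous</AnonymousIdentity>
                </Phase1Identity>
              </EapTtls>
            </Config>
          </EapHostConfig>
        </EAPConfig>
      </OneX>
    </security>
  </MSM>
</WLANProfile>
"@

$path = Join-Path $env:TEMP "$Ssid.xml"
Set-Content -Path $path -Value $profileXml -Encoding UTF8

# user=all installs the profile machine-wide (needs an elevated shell).
netsh wlan add profile filename="$path" user=all
Remove-Item $path

# Check that Windows reports EAP-TTLS for this SSID rather than PEAP/MS-CHAPv2.
netsh wlan show profiles name="$Ssid"
```

The two settings that matter for security are `ServerNames` plus `TrustedRootCAHash` and `DisablePrompt`: because PAP carries the Azure AD password in cleartext inside the tunnel, a rogue AP presenting any certificate would otherwise be able to harvest credentials if users are allowed to accept an unknown server. `authMode` is `user` because, as the reply notes, there is no machine/SSO credential with this setup; the user is prompted for their Azure AD username and password on first connect.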

Thanks for the update.

Unfortunately we also need to be able to log in using iOS / macOS-powered devices. Also, with Azure Active Directory and Intune, we don’t always need to join the local PCs to the domain. Most of the time we connect them only to Azure AD and we use Intune to manage the endpoints. All the applications and data are on Azure Virtual Desktop (> 80% of our new deployments are cloud only).

At the moment I don’t see any viable, easy and practical usage of FreeRADIUS with PAP.
We no longer need to use FreeRADIUS; we now use an S2S VPN to Azure, where the DC resides, and the built-in Network Policy Server for secure MS-CHAPv2 authentication.

You could also open UDP port 1812 and allow connections only from certain IPs if you don’t want to configure an S2S VPN. We did so that we can print from the cloud VMs to the local printers without needing to assign a public IP to the VMs.