RADIUS and Azure AD

Raffael Luthiger 26

Is it somehow possible to have RADIUS capabilities with Azure AD? Or do I have to install my own RADIUS server which is then sending LDAP requests to Azure AD? Or what other options do I have when I want to authenticate on switches and access points with Azure AD?

Accepted answer

AmanpreetSingh-MSFT 56,506 Reputation points

2020-01-13T15:14:31.447+00:00

@Raffael Luthiger You can use NPS Extension to use RADIUS capabilities with Azure AD. Azure AD doesn't understand LDAP and works with REST (REpresentational State Transfer). REST is web standards based architecture and uses HTTP Protocol. NPS Extension converts RADIUS calls to REST calls to allow it to work with Azure AD.

-----------------------------------------------------------------------------------------------------------

Please "accept as answer" wherever the information provided helps you to help others in the community.
Please sign in to rate this answer.

1 person found this answer helpful.
Raffael Luthiger 26 Reputation points

2020-01-15T19:03:36.467+00:00

@AmanpreetSingh-MSFT But this would then mean that I need to install an Azure MFA Server as well? Then this this would apply as well:

New customers may no longer purchase Azure Multi-Factor Authentication as a standalone offering effective September 1st, 2018. Multi-factor authentication will continue to be an available feature in Azure AD Premium licenses.

Is my assumption correct?

Pierre Audonnet - MSFT 10,171 Reputation points Microsoft Employee

2020-03-27T02:17:56.323+00:00

The NPS extension has no dependency with Azure MFA Server, it talks directly to Azure AD. See the following documentation: https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension.
Note that if you are using Radius for your VPN servers, some vendors (Citrix, Cisco...) also support a direct integration with Azure AD (the VPN platform will then be an Enterprise Application in Azure AD controlled like other apps through Conditional Access Policies).

Raffael Luthiger 26 Reputation points

2020-03-27T09:56:34.657+00:00

Thank you @Pierre Audonnet - MSFT This document was the missing link!

Herwin West 1 Reputation point

2020-06-23T09:44:42.113+00:00

This does imply that it would be possible to make those REST calls from any RADIUS server without having to use a NPS install. But the only authentication method I can find is based on OAuth2, which does require a plaintext password to work (https://github.com/jimdigriz/freeradius-oauth2-perl does implement this for FreeRADIUS). Using PEAP/MSCHAPv2 is pretty much the default for password authentication, but this cannot work with OAuth2. Is there any REST API call that can be used to verify a MSCHAPv2 hash?
Sign in to comment

5 additional answers

AmanpreetSingh-MSFT 56,506 Reputation points

2020-05-08T08:21:54.473+00:00

@Muhammed Suhail NPS cannot do Primary Auth with AAD, it has to be on-prem AD. Only second factor authentication can be done with AAD. The reason is NPS extension converts RADIUS calls to REST calls that AAD understands. NPS extension comes into picture after Primary Auth is done by NPS server and NPS server cannot convert RADIUS calls to REST calls.
Please sign in to rate this answer.

1 person found this answer helpful.

0 comments No comments
Sign in to comment
Anuj Rana 211 Reputation points

2020-05-08T16:54:12.73+00:00

If there is no Active Directory and you want to use NPS extension to perform MFA, you can setup Azure AD Domain Service instance. Join your NPS ext server to Azure AD domain services domain and your users should be able to use their Azure AD credentials for Primary Authentication. Let me know if this helps or any questions around it.
Please sign in to rate this answer.

1 person found this answer helpful.
AmanpreetSingh-MSFT 56,506 Reputation points

2020-05-09T06:15:17.867+00:00

@Muhammed Suhail and @Anuj Rana Registering NPS Server is not yet supported with Azure ADDS. There is an active feedback regarding this which is still under review. Please refer to below link:

https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/34781713-support-nps-radius-for-azure-ad-domain-services

So, as of now you need to use On-prem AD for NPS primary auth .

Anuj Rana 211 Reputation points

2020-05-09T19:30:53.423+00:00

Registering of NPS is not required in AD or AADDS to perform Primary authentication. The purpose of registering NPS is to allow permission to read the dial-in properties of user accounts and adds it to RAS and IAS Servers group in Active Directory. You can set 'Ignore user dial-in properties' into network policy and it will work without any issues. I have tested and got this working for many customers but it is yet to be documented due to the lack to registration capability.

Rami Sohail 1 Reputation point

2021-08-19T07:59:58.453+00:00

So let's Say i need to do integration for Merak wireless access points and only have azure AD Domain Services and azure AD in azure, will it work if i deploy the radius server without registering , what exact features will me missing with the ignore user dial-in properties.
Sign in to comment
Warren Dilley 1 Reputation point

2020-03-27T00:07:55.213+00:00

Is it possible to run FreeRadius as a container in Azure and have it authenticate against Azure AD and/or AADDS?
Please sign in to rate this answer.
Raffael Luthiger 26 Reputation points

2020-03-27T00:22:43.32+00:00

FreeRadius speaks LDAP with Active Directory. Azure AD is Oauth based. So FreeRadius is not able to talk with Azure AD. Maybe it could work with AADDS but then why should I have two components (FreeRadius and AADDS) when I can have the same with only one.
Sign in to comment
Muhammed Suhail 1 Reputation point

2020-05-04T15:32:44.87+00:00

@AmanpreetSingh-MSFT @Pierre Audonnet - MSFT , What if there is no on-premises Active Directory to perform the primary authentication for the RADIUS ?
Can NPS do primary authentication with AAD ?
Please sign in to rate this answer.

0 comments No comments
Sign in to comment

Share via

RADIUS and Azure AD

5 additional answers