ahaenggli/AzureAD-LDAP-wrapper

Allow authentication with single use passwords

doiiido opened this issue · 2 comments

Hi, I'm using your app as an alternative to ADDS Radius.
I set up freeradius authenticating an EAP-TTLS(PAP) Wi-Fi with the wrapper as the LDAP backend as a Proof-of-Concept and it works fine (Disabled MFA for the APP through Conditional Access).
The fact that I have the passwords going through unencrypted in my implementation is a major issue and I would need at least the ability to sign in with single use passwords or with a code from an authenticator app (Microsoft, Google, etc...) to make it a viable option.
I'm searching on the Microsoft docs for a way to ask for a call, SMS, popup or even the timed code instead of password to authenticate the users, so it would be a lot more secure.
Did you see any reference that may make this possible?

Best regards,
Lincoln.

Hi! If I understand your setup correctly, it works like:
User auth via freeradius -> freeradius redirects credentials to the wrapper -> wrapper redirects credentials to Azure AD

To use Azure MFA, it would be necessary that:
Azure AD redirects MFA-request to the wrapper -> wrapper redirects MFA-request to freeradius -> freeradius redirects MFA-request to User

and then again

User enters MFA-token -> freeradius redirects MFA-token to the wrapper -> wrapper redirects MFA-token to Azure AD

Unfortunately I see no way to get that to work. As far as I know, the MFA-token has to be entered directly on a Microsoft page and cannot be delivered subsequently via the API.

Some other ideas:

  • Could you encrypt User <> freeradius and enable MFA on freeradius, so it could do the second factor validation?
  • The wrapper (theoretically) supports LDAPS, so you could encrypt wrapper <> freeradius
  • The wrapper could be installed directly on the freeradius server, so the connection is not seen in your network
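One way to apply the LDAPS suggestion on the freeradius side, as an added example that is not from this issue or the project's own code. It assumes a FreeRADIUS 3.x `rlm_ldap` module, a wrapper reachable as `wrapper.example.internal`, a bind account and a CA file path that are all placeholders:

```conf
# Fragment of /etc/freeradius/3.0/mods-available/ldap (assumed path).
# Shows the weak plain-LDAP setting beside the LDAPS setting that
# encrypts the freeradius <> wrapper hop and verifies the wrapper's certificate.
ldap {
    # Weak: plain LDAP, the bind password crosses the network in the clear.
    #server = 'ldap://wrapper.example.internal'
    #port = 389

    # Hardened: LDAPS to the wrapper (hostname is an assumption).
    server = 'ldaps://wrapper.example.internal'
    port = 636

    # Service account used by freeradius to search for the user (assumed DN).
    identity = 'cn=radius,dc=example,dc=internal'
    password = 'CHANGE-ME-bind-secret'
    base_dn = 'dc=example,dc=internal'

    user {
        base_dn = "${..base_dn}"
        # Match the inner EAP-TTLS identity against the uid attribute.
        filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
    }

    tls {
        # CA that issued the wrapper's server certificate (assumed path).
        ca_file = /etc/freeradius/3.0/certs/wrapper-ca.pem
        # Refuse the connection if the wrapper's certificate does not verify.
        require_cert = 'demand'
    }
}
```

With PAP as the inner method the user password is still checked by an LDAP bind against the wrapper, so this only protects the freeradius <> wrapper hop; the User <> freeradius hop is covered by the EAP-TTLS tunnel.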


May I ask how you set up freeradius?