Azure AD Authentication with PEAP-MSCHAPv2
This guide covers a specific deployment using CentOS with Samba/Winbind for PEAP-MSCHAPv2 with Azure AD. For modern Azure/Entra ID integration, see Microsoft Entra ID Integration.
This tutorial provides instructions on how to make PEAP-MSCHAPv2 authentication work with IronWifi and Azure AD Domain Services.
- enable Azure AD Connector
- enable Azure AD Domain Services
- create a CentOS virtual machine. Make sure to choose the same resource group as your Azure AD Domain Services, but a different subnet.
- Allow ports 80 and 443 by executing these commands:
iptables -A INPUT -p tcp -m tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
- create AAD domain admin user bob
Join Linux machine to Domain
Follow the instructions from this page. You may need to change bob's password before executing 'kinit'.
Update /etc/hosts and add machine information
Install required packages on Linux machine
Discover the AAD Domain Services managed domain. In your SSH terminal, type the following command:
sudo realm discover TESTGMAIL.ONMICROSOFT.COM
Update kerberos config file /etc/krb5.conf
- Initialize Kerberos. Try to get a valid Kerberos ticket for your Active Directory administrator account:
kinit bob@TESTGMAIL.ONMICROSOFT.COM
Configure SAMBA and WINBIND
- update /etc/resolv.conf, add "search ironwificentos.testgmail.onmicrosoft.com"
- update /etc/samba/smb.conf
Create service startup script and restart Samba and Winbind
- Join the Linux machine to the domain
Test authentication
Installing the web server
Install the EPEL repository
yum install epel-release -y
Import the EPEL GPG key
rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7
Install the Lighttpd web server
yum install lighttpd -y
Open /etc/lighttpd/lighttpd.conf and disable IPv6
#server.use-ipv6 = "enable"
Start the service and create startup links
Install the PHP-FPM and FastCGI packages
yum -y install php-fpm lighttpd-fastcgi
Open /etc/php-fpm.d/www.conf
nano /etc/php-fpm.d/www.conf
... and set user and group to lighttpd:
Create the system startup links for PHP-FPM and start it:
Configuring Lighttpd to Work With PHP
To enable PHP to work with the Lighttpd web server, we will need to make a few configuration changes. Open your /etc/php.ini file in your favorite editor:
nano /etc/php.ini
Look for the following lines in the configuration:
Uncomment the line
;cgi.fix_pathinfo=1
to make it
cgi.fix_pathinfo=1
Save the file and exit the editor.
Now open another file /etc/lighttpd/conf.d/fastcgi.conf using your favorite editor.
nano /etc/lighttpd/conf.d/fastcgi.conf
Now look for the following lines in the file:
server.modules += ( "mod_fastcgi" )
Add the following lines just below the above line:
Save the file and exit the editor.
Now open /etc/lighttpd/modules.conf file using your favorite editor.
nano /etc/lighttpd/modules.conf
Look for the following lines in the file:
Uncomment #include "conf.d/fastcgi.conf" to make it look like include "conf.d/fastcgi.conf". Save the file and exit the editor.
Now restart PHP-FPM and Lighttpd using the following command.
Now, to verify that Lighttpd is configured to use PHP-FPM, you will need to view your PHP information. Create a new file in your document root directory, which may be /var/www/htdocs or /var/www/lighttpd according to how you have configured it before.
nano /var/www/lighttpd/ntlm.php
Now add the following php code into the file.
If you have SELinux enabled, allow lighttpd to access winbind:
setsebool -P httpd_mod_auth_ntlm_winbind 1
Now open the file in your favorite web browser at the following URL.
You will see the following message. This shows that you have a working Lighttpd web server with PHP-FPM.
hex decode of failed!
Return to the IronWifi console and set the Bridge URL value in your Azure Connector.
Bridge URL: http://your-IP-addr/ntlm.php
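The page does not reproduce the ntlm.php bridge itself. As an added example (not IronWifi's own code), this is what such a bridge does with winbind's ntlm_auth: it takes the user name, NT domain, the 8-byte MS-CHAPv2 challenge and the 24-byte NT-Response as hex, has ntlm_auth verify them against the joined domain, and returns the NT key to the RADIUS side. The request parameter names, the ntlm_auth path and the plain-text response format are assumptions.

```php
<?php
// Added example of a PEAP-MSCHAPv2 bridge (not IronWifi's own ntlm.php): the RADIUS side
// sends user name, NT domain, 8-byte MS-CHAPv2 challenge and 24-byte NT-Response as hex;
// winbind's ntlm_auth verifies them and returns the NT key. Parameter names and the
// ntlm_auth path are assumptions; written for CentOS 7's stock PHP 5.4. TLS-only, IronWifi-only.
define('NTLM_AUTH', '/usr/bin/ntlm_auth');

// Hex field of exactly $bytes bytes from the request, lower-cased; null if missing/malformed.
function hex_field(array $req, $name, $bytes)
{
    $v = isset($req[$name]) ? (string) $req[$name] : '';
    return (strlen($v) === 2 * $bytes && ctype_xdigit($v)) ? strtolower($v) : null;
}

// Ask winbind to check the response; returns the 16-byte NT key as hex, or null on failure.
function mschapv2_auth($user, $domain, $challenge, $ntResponse)
{
    // Samba 4.7+ with "ntlm auth = mschapv2-and-ntlmv2-only" also needs --allow-mschapv2.
    $cmd = NTLM_AUTH . ' --request-nt-key'
         . ' --username=' . escapeshellarg($user)
         . ' --domain=' . escapeshellarg($domain)
         . ' --challenge=' . escapeshellarg($challenge)
         . ' --nt-response=' . escapeshellarg($ntResponse);
    exec($cmd, $out, $rc);
    if ($rc !== 0) {
        return null;                 // bad password, unknown user, or winbind unreachable
    }
    foreach ($out as $line) {        // success prints "NT_KEY: <32 hex chars>"
        if (preg_match('/^NT_KEY:\s*([0-9A-Fa-f]{32})\s*$/', $line, $m)) {
            return strtolower($m[1]);
        }
    }
    return null;
}
header('Content-Type: text/plain');
$req       = $_POST ? $_POST : $_GET;
$user      = isset($req['username']) ? (string) $req['username'] : '';
$domain    = isset($req['domain']) ? (string) $req['domain'] : '';
$challenge = hex_field($req, 'challenge', 8);
$response  = hex_field($req, 'response', 24);
if ($user === '' || $domain === '' || $challenge === null || $response === null) {
    http_response_code(400);
    exit("hex decode of challenge/response failed!\n");
}
$key = mschapv2_auth($user, $domain, $challenge, $response);
if ($key === null) {
    http_response_code(401);
    exit("Auth failed\n");
}
echo "NT_KEY: $key\n";
```

Because the bridge hands the user's NT key to any client that can reach it, the Bridge URL should be served over HTTPS with access limited to the IronWifi source addresses, and the SELinux boolean from the previous step must be set for the exec of ntlm_auth to reach winbind.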