
Passwordless Azure AD Wi-Fi Security Architecture

Leverage your existing Azure AD (now Entra ID) policies for network security. The SecureW2 platform provides everything you need to deploy certificate-based 802.1X network authentication, tied directly to your identity infrastructure.


Trusted by 1,000+ Global Organizations

For Wi-Fi and VPN connections, Microsoft recommends moving from MSCHAPv2-based (password) connections to certificate-based authentication such as EAP-TLS.
Our plan was to fully migrate to Azure AD so we wanted to retire our on-prem RADIUS and PKI servers. The native support with Azure AD without having to stand up another cloud directory was a win for us in the server/networking group. Going fully passwordless in the process was a win for our security guys.
HAKEEM, NETWORK ADMINISTRATOR

Seamless Integration with all Wi-Fi Vendors

How to Set Up Passwordless Wi-Fi

Passwordless Azure AD Wi-Fi FAQs

What Role Do Certificates Play in Azure AD Wi-Fi Authentication?

Certificates are issued to users (and devices) only after they prove their identity with valid Azure AD credentials. Because certificate-based authentication (EAP-TLS) is one of the most phishing-resistant methods available, the same certificate can be used to join the wireless network or to sign in to Azure applications. A certificate also binds a specific user and a specific device to each connection, which is exactly the user and device context that Zero Trust policies rely on.

Can I Use Azure AD Authentication Credentials Directly to Power Wi-Fi Security via RADIUS?

Yes, in the sense that you do not need a second identity store. Azure AD does not expose the password protocols (LDAP, NTLM/MSCHAPv2) that legacy RADIUS servers rely on, so "using Azure AD credentials for Wi-Fi" in practice means issuing a certificate to each user or device after an Azure AD sign-in and then authenticating with EAP-TLS. SecureW2's Cloud PKI and Cloud RADIUS integrate tightly with Azure AD: you create and delete identities in Azure AD and leave the rest to us. Cloud RADIUS handles the wireless authentication and performs an additional real-time lookup of the user and device in Azure AD at authentication time, so a certificate whose owner has since been removed or disabled can be refused even though the certificate itself is still valid.

How Do I Simplify Certificate Distribution for Passwordless Wi-Fi Authentication?

Distributing certificates to every client in your network can be a daunting task. If you have a Mobile Device Management (MDM) solution like Intune, Simple Certificate Enrollment Protocol (SCEP) settings can be pushed to devices so that they talk to the PKI on their own, giving you a zero-touch method for certificate enrollment and renewal. SecureW2 is an official Intune CA partner, which enables a hardened form of SCEP enrollment: before a certificate is issued, an API lookup validates the request against Intune and can check things such as Device Compliance.

For BYODs we provide a dissolvable module, JoinNow MultiOS, that enables end users to self-service their device. It automatically enrolls certificates and configures the Wi-Fi settings for devices, drastically reducing the complexity of enterprise Wi-Fi security.

Should I Be Concerned about SCEP ( Simple Certificate Enrollment Protocol) Security?

Yes, if SCEP is used on its own. Plain SCEP authenticates an enrollment request with nothing more than the enrollment URL and a challenge password, and in most deployments that password is static and shared by every device. Anyone who obtains the URL and password can enroll a client certificate with whatever subject they choose; because the CA never validates the user or device behind the request, an attacker can impersonate a legitimate user and land on a higher-privilege network segment. To close this gap SecureW2 partnered with Microsoft as an Intune CA partner: each SCEP request is validated against the Microsoft Graph API, confirming that the user and device actually exist in the directory, before the enrollment is processed.
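The following is an added example, not code from SecureW2, Intune or the SCEP specification. It contrasts the static shared challenge password the answer above warns about with a per-device, one-time challenge that is validated against the directory before issuance. The challenge format, the DIRECTORY stub (standing in for a Graph API device lookup) and all function names are assumptions made for the example.

```python
"""Added example (not SecureW2, Intune or SCEP reference code): a static shared
SCEP challenge versus a per-device, single-use, directory-validated challenge.
The challenge format, DIRECTORY stub and names are assumptions."""
import hashlib
import hmac
import secrets
import time
from typing import Optional, Tuple

# Weak pattern: one enrollment URL plus one challenge password shared by every
# device. The CA never checks who is asking or which subject they requested.
STATIC_CHALLENGE = "Sup3rS3cret"                 # constructed sample value

def weak_scep_authorize(challenge: str, requested_subject: str) -> bool:
    # requested_subject is ignored: any holder of the password gets any subject.
    return hmac.compare_digest(challenge, STATIC_CHALLENGE)

# Hardened pattern: a challenge is minted per enrollment, bound to a directory
# device ID and an expiry, and can be redeemed once. Before issuing, the CA also
# confirms the device still exists in the directory and is compliant.
SERVER_KEY = secrets.token_bytes(32)              # per-CA secret, generated at start-up
_redeemed = set()                                 # challenges already used (in-memory here)

# Constructed stand-in for the device records a Graph API /devices lookup returns.
DIRECTORY = {
    "1e0f7c2d-6b1a-4c3e-9a5f-2d4b8c1a7e90": {"compliant": True,  "owner": "alice@example.com"},
    "7a9c4b1e-2d3f-4e5a-8b6c-1f2e3d4c5b6a": {"compliant": False, "owner": "bob@example.com"},
}

def _tag(device_id: str, exp: int, nonce: str) -> str:
    msg = f"{device_id}|{exp}|{nonce}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

def mint_challenge(device_id: str, ttl_s: int = 600, now: Optional[float] = None) -> str:
    """Issue a challenge for one device, valid for ttl_s seconds."""
    exp = int((time.time() if now is None else now) + ttl_s)
    nonce = secrets.token_hex(8)
    return f"{device_id}|{exp}|{nonce}|{_tag(device_id, exp, nonce)}"

def hardened_scep_authorize(challenge: str, requested_subject: str,
                            now: Optional[float] = None) -> Tuple[bool, str]:
    """Decide whether a SCEP request carrying `challenge` may enroll `requested_subject`."""
    try:
        device_id, exp_s, nonce, tag = challenge.split("|")
        exp = int(exp_s)
    except ValueError:
        return False, "malformed challenge"
    if not hmac.compare_digest(tag, _tag(device_id, exp, nonce)):
        return False, "bad signature"
    if (time.time() if now is None else now) > exp:
        return False, "expired"
    if challenge in _redeemed:
        return False, "replayed"
    dev = DIRECTORY.get(device_id)
    if dev is None:
        return False, "device not in directory"
    if not dev["compliant"]:
        return False, "device noncompliant"
    # Bind the subject to the authorized device: a challenge minted for device A
    # must not enroll a certificate that names device B or a privileged user.
    if requested_subject != f"CN={device_id}":
        return False, "subject does not match authorized device"
    _redeemed.add(challenge)
    return True, "ok"
```

The point of the hardened path is that possession of the enrollment URL no longer buys anything: each challenge is worthless after one use or after its expiry, it only ever yields a certificate for the device it was minted for, and the directory lookup at issuance time is what lets a compliance state or a deleted device block enrollment.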

How Do You Distribute Certificates for Managed Devices vs BYOD/Unmanaged Devices?

For a managed device, the client certificate and Wi-Fi policy are pushed through a Mobile Device Management (MDM) solution such as Intune.

For BYOD, we provide a dissolvable onboarding module, JoinNow MultiOS, that lets end users self-service their own certificate and at the same time configures the device for 802.1X network security. It works by first asking the user to authenticate with any IdP, such as Azure Active Directory. Once the user has signed in with their Azure credentials, MultiOS enrolls a certificate on the device. It can also map user attributes from Azure Active Directory into the certificate, so you can build automated conditional-access policies for certificate enrollment and network access.

How Do I Use Information About the User and Device to Power an Azure Active Directory Wi-Fi Service?

User and device attributes such as the UserName (UPN) or the Azure AD Device ID can be mapped directly into the certificate template in a PKI like SecureW2. The values embedded in the certificate can then drive access and authorization policies at the RADIUS server, where they are combined with a real-time directory lookup. For example, some organizations use the device ID carried in the certificate to query Intune Device Compliance and decide whether the device should be placed in a quarantine VLAN.
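As an added example (not SecureW2's code), here is what the authorization step described above and the "additional RADIUS lookup" from the earlier answer look like in working form: the RADIUS server reads the identity attributes an EAP-TLS client certificate carries, checks them against directory data, and returns VLAN-assignment attributes. The request keys mimic the TLS-Client-Cert-* attributes a FreeRADIUS-style server exposes after the TLS handshake (an assumption), the certificate template is assumed to put the UPN in the SAN and the Azure AD Device ID in the OU field, and USERS and DEVICES are constructed stand-ins for Microsoft Graph lookups.

```python
"""Added example (not SecureW2's code): RADIUS authorization driven by attributes
mapped into an EAP-TLS client certificate plus a real-time directory lookup.
Attribute names, the subject layout and the USERS/DEVICES data are assumptions."""
from typing import Dict

DEFAULT_VLAN, BYOD_VLAN, QUARANTINE_VLAN = "100", "200", "999"
GROUP_VLANS = {"NetOps": "10", "Finance": "20"}        # constructed group-to-VLAN mapping

USERS = {   # constructed stand-in for Graph /users (+ group membership)
    "alice@example.com": {"enabled": True,  "groups": ["NetOps"]},
    "bob@example.com":   {"enabled": True,  "groups": []},
    "carol@example.com": {"enabled": False, "groups": ["Finance"]},
}
DEVICES = { # constructed stand-in for Graph /devices (+ Intune compliance state)
    "1e0f7c2d-6b1a-4c3e-9a5f-2d4b8c1a7e90": {"compliant": True},
    "7a9c4b1e-2d3f-4e5a-8b6c-1f2e3d4c5b6a": {"compliant": False},
}

def parse_dn(dn: str) -> Dict[str, str]:
    """Parse an OpenSSL one-line DN such as '/CN=alice@example.com/OU=<device id>'."""
    out: Dict[str, str] = {}
    for rdn in dn.split("/"):
        if "=" in rdn:
            key, _, value = rdn.partition("=")
            out[key.strip()] = value.strip()
    return out

def vlan_reply(vlan: str) -> Dict[str, str]:
    """RFC 3580 reply attributes that tell the switch or AP which VLAN to assign."""
    return {"Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "IEEE-802",
            "Tunnel-Private-Group-Id": vlan}

def authorize(req: Dict[str, str]) -> Dict[str, object]:
    """Return an Access-Accept with reply attributes, or an Access-Reject with a reason.
    The TLS layer has already verified the chain and validity period; this step
    decides what the proven identity may reach right now."""
    subject = parse_dn(req.get("TLS-Client-Cert-Subject", ""))
    upn = req.get("TLS-Client-Cert-Subject-Alt-Name-Upn") or subject.get("CN", "")
    device_id = subject.get("OU", "")

    user = USERS.get(upn)
    if user is None or not user["enabled"]:
        # The certificate is still cryptographically valid, but the real-time
        # lookup shows the identity behind it was removed or disabled.
        return {"code": "Access-Reject", "reason": "user missing or disabled"}

    if not device_id:
        # BYOD certificate enrolled through a user sign-in: no managed-device record.
        return {"code": "Access-Accept", "reply": vlan_reply(BYOD_VLAN), "reason": "byod"}

    device = DEVICES.get(device_id)
    if device is None:
        return {"code": "Access-Reject", "reason": "device not in directory"}
    if not device["compliant"]:
        return {"code": "Access-Accept", "reply": vlan_reply(QUARANTINE_VLAN),
                "reason": "noncompliant"}

    for group, vlan in GROUP_VLANS.items():
        if group in user["groups"]:
            return {"code": "Access-Accept", "reply": vlan_reply(vlan), "reason": f"group {group}"}
    return {"code": "Access-Accept", "reply": vlan_reply(DEFAULT_VLAN), "reason": "default"}
```

Two design points worth noting: a disabled or deleted user is rejected even though nothing about the certificate changed, which is why the directory lookup must happen at every authentication rather than only at enrollment; and a noncompliant managed device is not rejected outright but steered into a quarantine VLAN, so the device can still reach remediation services while it is kept off the production segments.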

How Should I Configure Our Azure Portal for Cloud RADIUS?

Integrating Cloud RADIUS with Azure requires creating an App Registration in Azure. The Tenant ID and Client (Application) ID then need to be shared with SecureW2, along with a client secret. Lastly, API permissions need to be granted so that Cloud RADIUS can read user and device data from Azure and determine access and authorization levels with real-time data. Grant only the read-only Microsoft Graph permissions the lookup needs, note when the client secret expires so it can be rotated before it lapses, and treat that secret as what it is: a credential that grants directory-wide read access.

Why Should I Consider SecureW2's Cloud RADIUS Solution for my Azure AD Authentication?

Reusing your Azure AD password for Wi-Fi authentication (PEAP-MSCHAPv2) is not recommended. Passwords can be phished, captured by a rogue access point that mimics your SSID, or simply shared between people, so you lose certainty about who is actually on your network. An attacker who obtains one can use the Wi-Fi connection as a pivot point for more serious damage.

SecureW2's Cloud RADIUS solution addresses this problem with digital certificates. It moves your Wi-Fi network to EAP-TLS, turning the entire network into a passwordless environment. We have worked closely with partners like Microsoft, Okta, Google, and Jamf so that our JoinNow Connector PKI's Certificate Lifecycle Automation acts as an extension of your identity provider, ensuring that only valid and trusted devices get on the network and are segmented accordingly.