How To Use Azure AD With 802.1x

Organizations from around the world are making the much-needed transition to cloud-based network solutions. To ease the transition, Microsoft created Azure to aid clients in moving their directories from the on-premise Active Directory (AD) to the cloud.

However, Azure is limited compared to AD when it comes to support for WPA2-Enterprise Wi-Fi. AD is an on-premise solution, and Microsoft doesn’t offer cloud PKI or Certificate Authority (CA) services.

So if you want to migrate to the cloud, you might get stuck and have to keep the AD-domain hardware. Luckily, if you use Microsoft Azure as your SAML provider, you can easily set up a WPA2-Enterprise network equipped with Cloud RADIUS using SecureW2.

Cloud RADIUS is the only RADIUS Server that comes with an industry-exclusive Dynamic Policy Engine that integrates natively with Azure and Intune and empowers organizations with certificate-based authentication for ultra-secure Wi-Fi and VPN authentication.

How To Use Azure AD for 802.1x Authentication

SecureW2 provides everything you need to easily configure your network for 802.1x authentication.

Below, we’ll outline how you can set up Azure AD as an SSO for Certificate Enrollment and 802.1x Onboarding, so your end users can easily self-service themselves for certificate-hardened 802.1x with their Azure credentials.

1. Create a SAML Application in Azure Portal

The SAML application is a crucial connection between Azure AD and SecureW2. The SAML application allows a user to enter their credentials, which are then passed to Azure AD for verification. Azure AD verifies the user’s identity and then sends attributes to the SAML application, which then passes the attributes to SecureW2 for certificate issuance.


2. Test the SAML Application

After you created your SAML Application, you can test it in the SecureW2 Management Portal by adding users to the SAML Application. Add yourself as a test user and head over to the Network Profiles section. You are taken through the user onboarding process and if you connect to the Microsoft screen, then Azure AD and SecureW2 have been connected.


3. Mapping Azure AD Attributes

Attribute mapping lays out the attributes that are returned by Azure AD and used for granting access to users. Once Azure AD identifies a user, it sends the attributes to your SAML application, which then sends the attributes to SecureW2. SecureW2 encodes these attributes in the certificate it issues.



Enrolling for an EAP-TLS Certificate with Azure AD

We’ve seen some Azure customers using credential-based authentication using the EAP-TTLS/PAP protocol. We strongly recommend clients against this as it sends credentials in cleartext and puts organizations at serious risk for over-the-air credential theft.

You can get rid of the security threats that come from password authentication through the use of secure EAP-TLS certificates. They can eliminate over-the-air credential theft because certificates are nearly impossible to decrypt. They also eliminate the hassle of passwords and allow for easy migration to the cloud.

To enroll EAP-TLS certificates using SecureW2:

  1. Set up CA’s in SW2 Management Portal
    • CA’s serve as the central authority for certificates and as the hub where admins can determine what roles and policies will apply to their network.
  2. Add Azure as IDP in SecureW2
    • Azure can be configured as the IDP in SecureW2’s management portal.
  3. Go to Azure Management Portal to Configure the SAML IDP
    • Once complete, the RADIUS server will be able to authenticate devices against Azure AD.
  4. Configure Attribute Mapping
    • Admins can map attributes to certificates so they’ll have an easier time seeing who’s on the network.
  5. Configure network policies to be distributed
    • Once devices are properly configured, they can start requesting certificates.

Azure AD RADIUS Setup

RADIUS is a standard protocol to accept authentication requests and to process those requests. If you use certificate-based Wi-Fi authentication (EAP-TLS) with Azure AD, you can set up Azure AD with any RADIUS server. While you may think that it’s not worth it to set up a PKI just for Wi-Fi, the growing risk of credential theft combined with the improvements in PKI technology have resulted in EAP-TLS becoming the industry standard form of Wi-Fi authentication.

SecureW2 provides both an easy-to-use Managed PKI and a Cloud RADIUS, giving organizations everything they need to set up EAP-TLS on their network. Along with our Cloud RADIUS, SecureW2 grants access to industry-first technology that allows Cloud RADIUS to talk to any IDP to dynamically update your users and policies. It’s so easy to set up, the average deployment time is often under an hour!

Using our Cloud RADIUS also significantly reduces the costs associated with an on-prem RADIUS server by requiring significantly less time and money needed for maintenance and general upkeep.

Will this mean Azure AD will be used as a Wi-Fi SSO?

Yes! SecureW2’s onboarding clients will use Azure as a Wi-Fi SSO, except the credentials won’t be used for Wi-Fi authentication. Instead, they will be used to enroll for a Wi-Fi certificate, which will then be used for authentication. This not only provides a high level of flexibility but also stronger overall cybersecurity. Certificates work with any RADIUS server and AP, and prevents your Azure AD credentials from being stolen over the air.

Does Azure AD Support LDAP?

Azure AD is the “Connector” that connects your on-premise Active Directory (which uses LDAP) with Azure. It allows you to continue to support LDAP authentication with your existing applications (such as Wi-Fi and VPN) because you don’t have to get rid of your Active Directory.

However, this solution is really cost-ineffective, as it creates duplicate directories both of which you have to pay for. With SecureW2, you get all the benefits of the LDAP protocol (real-time policy enforcement, support for Wi-Fi and VPN authentication) but you only need Azure AD and can get rid of your on-premise servers.

Can I Use My Existing PEAP-MSCHAPv2?

SecureW2 is able to set up a RADIUS server that can service both PEAP-MSCHAPv2 and EAP-TLS protocols while simultaneously ensuring that devices are properly configured for either protocol with the MultiOS Device Onboarding platform.

The most common setup we see among organizations supporting both protocols is to keep one Secure SSID and configure the RADIUS server to support both protocols. A properly configured RADIUS server will respond to a PEAP-MSCHAPv2 or EAP-TLS request in the appropriate manner, allowing devices using different protocols to seamlessly connect to one SSID.

Can I use Azure AD MFA with 802.1x?

Yes, when you use Azure AD credentials to enroll for certificates for 802.1x authentication, you can configure any form of Multi-Factor Authentication (MFA) to be used during the 802.1x certificate enrollment phase.

SecureW2 Can Make Azure Integration Easy

With SecureW2 you can have your secure network set up in a matter of hours and have a support team ready to assist you with any of your questions. We have affordable solutions for organizations of all sizes, check out our pricing here to see if we can be of service.

Key Takeaways:
  • Cloud RADIUS is the only RADIUS Server that comes with an industry-exclusive Dynamic Policy Engine that integrates natively with Azure and Intune.
  • SecureW2 provides everything you need to easily configure your network for 802.1x authentication.
  • You can get rid of the security threats that come from password authentication through the use of secure EAP-TLS certificates.
Learn about this author

Eytan Raphaely

Eytan Raphaely is a digital marketing professional with a true passion for writing things that he thinks are really funny, that other people think are mildly funny. Eytan is a graduate of University of Washington where he studied digital marketing. Eytan has diverse writing experience, including studios and marketing consulting companies, digital comedy media companies, and more.

Eytan Raphaely

How To Use Azure AD With 802.1x