How To Use Azure AD With 802.1x

Eytan Raphaely Education


Organizations around the world are making the much-needed transition to cloud-based network solutions. To ease the transition, Microsoft created Azure to help clients move their directories from on-premises Active Directory (AD) to the cloud.

However, Azure is limited compared to AD when it comes to support for WPA2-Enterprise Wi-Fi. AD is an on-premises solution, and Microsoft doesn’t offer cloud PKI or Certificate Authority (CA) services.

So if you want to migrate to the cloud, you might get stuck and have to keep the AD-domain hardware. Luckily, if you use Microsoft Azure as your SAML provider, you can easily set up a WPA2-Enterprise network equipped with Cloud RADIUS using SecureW2.

Our JoinNow Connector solution fully integrates your Azure system with WPA2-Enterprise, allowing you to safely and effortlessly use certificate-based security for Azure and AD devices.

How To Use Azure AD for 802.1x Authentication

SecureW2 provides everything you need to easily configure your network for 802.1x authentication.

Below, we’ll outline how you can set up Azure as an SSO for Certificate Enrollment and 802.1x Onboarding, so your end users can easily self-service themselves for certificate-hardened 802.1x with their Azure credentials.

Creating a SAML Application in Azure for 802.1x Enrollment

To create a SAML application in Microsoft Azure:

    1. From your Microsoft Azure Portal, use the search feature to go to Enterprise applications.
    2. In the main panel, click New application.
    3. In the Add an application panel, under Add from the gallery, enter ‘SecureW2’ in the search field.
       • If the SecureW2 JoinNow Connector application appears:
         1. Select it.
         2. In the Add your own application panel, click Add.
       • If the SecureW2 JoinNow Connector application does not appear:
         1. Click Non-gallery application.
         2. In the Add your own application panel, for Name, enter a name.
         3. Click Add.

Enrolling for an EAP-TLS Certificate with Azure AD

We’ve seen some Azure customers use credential-based authentication with the EAP-TTLS/PAP protocol. We strongly advise clients against this, as it sends credentials in cleartext and puts organizations at serious risk of over-the-air credential theft.

You can get rid of the security threats that come from password authentication through the use of secure EAP-TLS certificates. They can eliminate over-the-air credential theft because certificates are nearly impossible to decrypt. They also eliminate the hassle of passwords and allow for easy migration to the cloud.

To enroll EAP-TLS certificates using SecureW2:

  1. Set up CAs in the SW2 Management Portal
    • CAs serve as the central authority for certificates and as the hub where admins determine which roles and policies apply to their network.
  2. Add Azure as IDP in SecureW2
    • Azure can be configured as the IDP in SecureW2’s management portal.
  3. Go to Azure Management Portal to Configure the SAML IDP
    • Once complete, the RADIUS server will be able to authenticate devices against Azure AD.
  4. Configure Attribute Mapping
    • Admins can map attributes to certificates so they’ll have an easier time seeing who’s on the network.
  5. Configure network policies to be distributed
    • Once devices are properly configured, they can start requesting certificates.

Azure AD RADIUS Setup

RADIUS is a standard protocol for accepting and processing authentication requests. If you use certificate-based Wi-Fi authentication (EAP-TLS) with Azure AD, you can set up Azure AD with any RADIUS server. While you may think it’s not worth setting up a PKI just for Wi-Fi, the growing risk of credential theft combined with the improvements in PKI technology has made EAP-TLS the industry-standard form of Wi-Fi authentication.

SecureW2 provides both an easy-to-use Managed PKI and a Cloud RADIUS, giving organizations everything they need to set up EAP-TLS on their network. It’s so easy to set up that the average deployment time is often under an hour!

Using our Cloud RADIUS also significantly reduces the costs associated with an on-prem RADIUS server, since far less time and money are needed for maintenance and general upkeep.

Will this mean Azure AD will be used as a Wi-Fi SSO?

Yes! SecureW2’s onboarding clients use Azure as a Wi-Fi SSO, except that the credentials aren’t used for Wi-Fi authentication. Instead, they are used to enroll for a Wi-Fi certificate, which is then used for authentication. This not only provides a high level of flexibility, but also stronger overall cybersecurity. Certificates work with any RADIUS server and AP, and prevent your Azure AD credentials from being stolen over the air.

Does Azure AD Support LDAP?

Organizations making the switch to Azure AD are most likely switching from Active Directory, which uses the Lightweight Directory Access Protocol (LDAP). However, Azure AD does not support LDAP or Secure LDAP directly.

In order to use LDAP with Azure AD, you can either implement your own LDAP system (covering all costs associated with it) or leverage a directory service platform.

Can I Use My Existing PEAP-MSCHAPv2?

SecureW2 is able to set up a RADIUS server that can service both PEAP-MSCHAPv2 and EAP-TLS protocols while simultaneously ensuring that devices are properly configured for either protocol with the MultiOS Device Onboarding platform.

The most common setup we see among organizations supporting both protocols is to keep one secure SSID and configure the RADIUS server to support both protocols. A properly configured RADIUS server responds to a PEAP-MSCHAPv2 or EAP-TLS request in the appropriate manner, allowing devices using different protocols to seamlessly connect to one SSID.
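As an added illustration (not SecureW2’s code or product configuration), the following Python model shows the EAP method negotiation that lets one RADIUS server serve both EAP-TLS and PEAP-MSCHAPv2 clients on a single SSID: the server proposes its default method, and a supplicant that needs the other method answers with an EAP-Nak listing what it supports. Type and code numbers are the IANA values from RFC 3748; the TLS handshakes themselves are not modelled, and the policy lists are constructed sample input.

```python
import struct

# EAP codes and IANA method type numbers (RFC 3748).
EAP_REQUEST, EAP_RESPONSE = 1, 2
TYPE_NAK, TYPE_TLS, TYPE_PEAP = 3, 13, 25

def build_eap(code, ident, eap_type, data=b""):
    """Encode a typed EAP packet: Code(1) Identifier(1) Length(2) Type(1) Data."""
    body = bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body

def parse_eap(pkt):
    """Decode a typed EAP packet into (code, identifier, type, data).
    Success/Failure packets (length 4, no Type field) are out of scope here."""
    if len(pkt) < 5:
        raise ValueError("EAP packet too short")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("EAP length field does not match packet size")
    return code, ident, pkt[4], pkt[5:]

def negotiate(server_methods, client_methods):
    """Return the EAP type the server runs, or None if it must send EAP-Failure.

    server_methods: enabled types in policy order (first one is proposed first).
    client_methods: types the supplicant is willing to use.
    Simplified model: only method selection, no TLS handshake.
    """
    # Server proposes its preferred method, e.g. EAP-TLS for certificate clients.
    proposal = build_eap(EAP_REQUEST, 1, server_methods[0])
    _, ident, proposed, _ = parse_eap(proposal)
    if proposed in client_methods:
        return proposed
    # Supplicant does not do that method: it answers with a Nak listing the
    # types it supports (RFC 3748 section 5.3), e.g. a PEAP-only laptop.
    nak = build_eap(EAP_RESPONSE, ident, TYPE_NAK, bytes(client_methods))
    _, _, resp_type, wanted = parse_eap(nak)
    if resp_type != TYPE_NAK:
        return None
    # Policy check: switch only to a method that is enabled on the server.
    for alt in wanted:
        if alt in server_methods:
            return alt
    return None

if __name__ == "__main__":
    both = [TYPE_TLS, TYPE_PEAP]          # one RADIUS server, one SSID
    print("cert client   ->", negotiate(both, [TYPE_TLS]))        # 13 (EAP-TLS)
    print("PEAP client   ->", negotiate(both, [TYPE_PEAP]))       # 25 (PEAP)
    print("TLS-only pol. ->", negotiate([TYPE_TLS], [TYPE_PEAP])) # None
```

The last case shows the defensive side of the same mechanism: once every device has been migrated to certificates, dropping PEAP from the server policy makes the Nak path end in EAP-Failure, so password-based attempts can no longer reach the SSID.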

Can I use Azure AD MFA with 802.1x?

Yes, when you use Azure AD credentials to enroll for certificates for 802.1x authentication, you can configure any form of Multi-Factor Authentication (MFA) to be used during the 802.1x certificate enrollment phase.

SecureW2 Can Make Azure Integration Easy

With SecureW2 you can have your secure network set up in a matter of hours and a support team ready to assist you with any of your questions. We have affordable solutions for organizations of all sizes; check out our pricing to see if we can be of service.

Learn About This Author

Eytan Raphaely

Eytan Raphaely is a 25-year-old currently working in marketing, his true passion is making things that he thinks are really funny, that other people think are mildly funny. He is a recent graduate from the University of Washington where he studied digital marketing. Eytan has been honing his writing skills as an intern for a small studio, a marketing firm, an editor for Literally Media, and other places too.