Organizations around the world are making the much-needed transition to cloud-based network solutions. To ease that transition, Microsoft offers Azure Active Directory (Azure AD) as the cloud counterpart of on-premises Active Directory (AD), so clients can move their directories off the AD domain controllers.
However, Azure AD is limited compared to on-premises AD when it comes to WPA2-Enterprise Wi-Fi. The two pieces WPA2-Enterprise relies on, a RADIUS server and a Certificate Authority (CA), are on-premises roles in the AD world, and Microsoft doesn’t offer a cloud PKI or CA service with Azure AD.
So if you want to migrate to the cloud, you might get stuck keeping the AD domain hardware just for Wi-Fi. Luckily, if you use Azure AD as your SAML identity provider, you can set up a WPA2-Enterprise network backed by Cloud RADIUS using SecureW2.
Cloud RADIUS is the only RADIUS server that comes with an industry-exclusive Dynamic Policy Engine that integrates natively with Azure AD and Intune, giving organizations certificate-based authentication for secure Wi-Fi and VPN access.
How To Use Azure AD for 802.1x Authentication
SecureW2 provides everything you need to easily configure your network for 802.1x authentication.
Below, we’ll outline how to set up Azure AD as the SSO for certificate enrollment and 802.1x onboarding, so your end users can self-service certificate-hardened 802.1x with their Azure AD credentials.
Creating a SAML Application in Azure for 802.1x Enrollment
To create a SAML application in Microsoft Azure:
- From your Microsoft Azure Portal, use the search feature to go to Enterprise applications.
- In the main panel, click New application.
- In the Add an application panel, under Add from the gallery, enter ‘SecureW2’ in the search field.
- If the SecureW2 JoinNow Connector application appears:
  - Select it.
  - In the Add your own application panel, click Add.
- If the SecureW2 JoinNow Connector application does not appear:
  - Click Non-gallery application.
  - In the Add your own application panel, for Name, enter a name.
  - Click Add.
Enrolling for an EAP-TLS Certificate with Azure AD
We’ve seen some Azure AD customers using credential-based authentication over EAP-TTLS/PAP. We strongly recommend against this: PAP sends the password in plaintext inside the TLS tunnel, so any device that does not strictly validate the RADIUS server’s certificate will hand its Azure AD password to a rogue access point impersonating the network (an evil-twin attack). That puts organizations at serious risk of over-the-air credential theft.
EAP-TLS certificates remove that threat. The client proves possession of a private key during the TLS handshake; no password ever crosses the air, and the private key never leaves the device, so there is nothing for an attacker to capture or crack. Certificates also eliminate the hassle of passwords and allow for an easy migration to the cloud.
To enroll EAP-TLS certificates using SecureW2:
- Set up CAs in the SW2 Management Portal
  - CAs serve as the central authority for certificates and as the hub where admins determine which roles and policies apply to their network.
- Add Azure AD as the IDP in SecureW2
  - Azure AD is configured as the IDP in SecureW2’s management portal.
- Go to the Azure Management Portal to configure the SAML IDP
  - Once complete, users can sign in with Azure AD to enroll, and the RADIUS server can look users up in Azure AD when applying policy.
- Configure attribute mapping
  - Admins map Azure AD attributes (for example the user principal name or group) into certificate fields, so it’s easy to see who is on the network and to write policy against those fields.
- Configure the network policies to be distributed
  - Once devices are properly configured, they can start requesting certificates.
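The following is an added example, not SecureW2’s or Microsoft’s code, that builds a throwaway PKI with the openssl CLI to show what the steps above produce and what a RADIUS server actually checks in EAP-TLS. It also illustrates the earlier point about rogue issuers: a certificate from any CA other than the one the server trusts is refused. The CA names, the user principal name, the group, and the file names are constructed sample values, and the layout (UPN as an otherName SAN, group as OU) is one common mapping rather than SecureW2’s exact scheme.

```shell
#!/bin/sh
# Added example (not SecureW2's or Microsoft's code). Builds a tiny PKI with the
# openssl CLI: an issuing CA, a client certificate carrying Azure AD attributes,
# and the verification a RADIUS server performs during EAP-TLS.
# All names, values and paths below are constructed for the example.
set -eu

WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

# Step 1: the CA created in the management portal. Its certificate is the single
# trust anchor the RADIUS server (and the supplicants) are configured with.
make_ca() {
  name="$1"; cn="$2"
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -sha256 \
    -subj "/CN=$cn" -keyout "$name.key" -out "$name.pem" >/dev/null 2>&1
}

# Step 4: attribute mapping. The identity attributes released by the SAML IdP
# (userPrincipalName, group) are written into the certificate instead of being
# used as a password: UPN as an otherName SAN (Microsoft's UPN OID
# 1.3.6.1.4.1.311.20.2.3) and as an email SAN, group as the OU.
issue_client_cert() {
  ca="$1"; upn="$2"; group="$3"; out="$4"
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/OU=$group/CN=$upn" -keyout "$out.key" -out "$out.csr" >/dev/null 2>&1
  cat > "$out.ext" <<EOF
basicConstraints=CA:FALSE
keyUsage=digitalSignature
extendedKeyUsage=clientAuth
subjectAltName=otherName:1.3.6.1.4.1.311.20.2.3;UTF8:$upn,email:$upn
EOF
  openssl x509 -req -in "$out.csr" -CA "$ca.pem" -CAkey "$ca.key" -CAcreateserial \
    -days 365 -sha256 -extfile "$out.ext" -out "$out.pem" >/dev/null 2>&1
}

# What the RADIUS server does with the certificate the supplicant presents in the
# EAP-TLS handshake: chain it to the trusted CA and check it is a client cert.
# No password is involved; a certificate from any other issuer is refused.
# Prints "ok" or "rejected" and returns 0 / 1.
radius_accepts() {
  ca="$1"; cert="$2"
  if openssl verify -CAfile "$ca.pem" -purpose sslclient "$cert.pem" >/dev/null 2>&1; then
    echo ok; return 0
  fi
  echo rejected; return 1
}

# The identity the policy engine would log or match on, read back from the SAN.
cert_identity() {
  openssl x509 -in "$1.pem" -noout -text | sed -n 's/.*email:\([^, ]*\).*/\1/p' | head -n 1
}

make_ca corp  "Contoso Wi-Fi Issuing CA"    # the organisation's CA (constructed)
make_ca rogue "Free Public Wifi CA"         # an attacker's CA (constructed)

issue_client_cert corp  "alice@contoso.onmicrosoft.com" "Finance" alice
issue_client_cert rogue "alice@contoso.onmicrosoft.com" "Finance" mallory

radius_accepts corp alice            # ok: issued by the trusted CA
radius_accepts corp mallory || true  # rejected: same UPN, wrong issuer
cert_identity alice
```

Note that the server’s decision depends only on the chain and the key usage, not on the subject: Mallory’s certificate claims Alice’s UPN and still fails. That is why the CA’s private key, not the list of user names, is the asset to protect.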
Azure AD RADIUS Setup
RADIUS is the standard protocol by which access points and VPN gateways hand authentication requests to a central server and receive its accept or reject decision. With certificate-based Wi-Fi authentication (EAP-TLS), Azure AD’s job is to authenticate the user at enrollment time; the RADIUS server then validates the certificate, so you can pair Azure AD with any RADIUS server that supports EAP-TLS. While you may think it’s not worth setting up a PKI just for Wi-Fi, the growing risk of credential theft combined with improvements in PKI tooling have made EAP-TLS the industry-standard form of Wi-Fi authentication.
SecureW2 provides both an easy to use Managed PKI and a Cloud RADIUS, giving organizations everything they need to set up EAP-TLS on their network. Along with our Cloud RADIUS, SecureW2 grants access to industry-first technology that allows Cloud RADIUS to talk to any IDP to dynamically update your users and policies. It’s so easy to set up, the average deployment time is often under an hour!
Using our Cloud RADIUS also significantly reduces the cost of an on-prem RADIUS server, since it needs far less time and money for maintenance and general upkeep.
Will this mean Azure AD will be used as a Wi-Fi SSO?
Yes! SecureW2’s onboarding clients use Azure AD as the Wi-Fi SSO, except that the credentials are never used for Wi-Fi authentication itself. Instead, they are used once to enroll for a Wi-Fi certificate, and that certificate is what authenticates the device from then on. This provides a high level of flexibility as well as stronger overall security: certificates work with any RADIUS server and AP, and your Azure AD credentials can’t be stolen over the air because they never travel over it.
Does Azure AD Support LDAP?
Azure AD itself does not speak LDAP. What bridges the two is Azure AD Connect, which synchronizes your on-premises Active Directory (which does use LDAP) with Azure AD. Keeping the on-premises domain alongside Azure AD lets your existing LDAP-dependent services (such as Wi-Fi and VPN) keep working, because you don’t have to get rid of your Active Directory.
However, this setup is cost-ineffective: you maintain two directories and pay for both. With SecureW2, you get the benefits the LDAP-based setup gave you (real-time policy enforcement, Wi-Fi and VPN authentication) with only an Azure AD directory, and you can retire your on-premises servers.
Can I Use My Existing PEAP-MSCHAPv2?
SecureW2 is able to set up a RADIUS server that can service both PEAP-MSCHAPv2 and EAP-TLS protocols while simultaneously ensuring that devices are properly configured for either protocol with the MultiOS Device Onboarding platform.
The most common setup among organizations supporting both protocols is to keep one secure SSID and configure the RADIUS server for both. EAP is negotiated per client: the supplicant proposes a method (or answers the server’s offer with an EAP-NAK naming the one it wants), and a properly configured RADIUS server responds to a PEAP-MSCHAPv2 or an EAP-TLS request accordingly, so devices using either protocol connect to the same SSID. Keep in mind that PEAP-MSCHAPv2 clients still depend on validating the server certificate; an MSCHAPv2 exchange captured by a rogue access point can be cracked offline.
Can I use Azure AD MFA with 802.1x?
Yes. Azure AD credentials are used to enroll for the certificate, not for each 802.1x connection, so any form of Multi-Factor Authentication (MFA) you enforce in Azure AD is applied during the SAML sign-in at enrollment. After that, the certificate authenticates the device until it expires or is revoked, so choose the certificate lifetime with that in mind.
SecureW2 Can Make Azure Integration Easy
With SecureW2 you can have your secure network set up in a matter of hours, with a support team ready to assist you with any questions. We have affordable solutions for organizations of all sizes; check out our pricing here to see if we can be of service.