
This Security Flaw is Preventing Organizations from Switching to Azure AD

The migration from on-premise to cloud-based network infrastructure is becoming more and more common. With better security, scalability, and user experience, the benefits of the cloud cannot be denied.

For many Active Directory (AD) customers, this migration can cause issues due to the nature of Microsoft’s network infrastructure. Most of Microsoft’s infrastructure relies on an on-premise setup, particularly its NPS authentication process. Some organizations, like one SecureW2 customer, find solutions to bridge the gap between on-premise and cloud infrastructure.

Others, however, have difficulty performing operations such as 802.1X authentication in the cloud. If an organization wants to transition from AD to Azure AD (Microsoft Entra ID), a cloud-based IDP, what are its options for retaining its Microsoft infrastructure while still operating in the cloud?



Is 802.1X Blocked By NPS?

NPS is a highly effective RADIUS server and works well to enable 802.1X authentication with AD. But as organizations transition to include more cloud technology in their processes, issues arise when using NPS. 

On its own, NPS cannot perform the cloud authentication that is required to enable Azure AD with 802.1X. It is an on-premise RADIUS server designed to operate with on-premise infrastructure. In order to perform cloud authentication, NPS needs additional support.

Azure AD (Microsoft Entra ID) and NPS Working Together

If someone is determined to make Azure AD work with NPS to authenticate users in the cloud, they can make it happen – it will just take some extra effort. The most common method used is to stand up NPS as a RADIUS proxy. 

With NPS as a proxy, a user will send their Azure authentication information to a cloud RADIUS as the first step. The cloud RADIUS will then send that information along to NPS for final authentication. NPS will confirm or deny their request for network access, after which this answer is sent to the cloud RADIUS and then to the user. 

It’s easy to see why this process isn’t the picture of efficiency. It’s not the fastest, not conducive to scale over time, and much more expensive because of the additional tech and processes. The purchasing of 3rd party infrastructure, a complex configuration process, and the high management costs certainly make this a doubtful option for most organizations. 

When designing a cloud network, it’s important to consider the tools you are using to enable it. When choosing between different options, ask the following: can this tool be configured to work in the cloud, or was it built to work in the cloud?

Azure Cloud Solutions with SecureW2

If you want to use Azure, a cloud-based IDP, your best bet is to deploy a cloud RADIUS to handle all authentication needs. SecureW2’s Dynamic Cloud RADIUS can do just that. It’s designed to integrate with any network environment, including Microsoft, and enable cloud-based authentication. The process of configuring Azure with Cloud RADIUS is simple, and the results are cloud-based efficiency.

Once configured, admins have a wide variety of customization options at their fingertips. Dynamic Cloud RADIUS can easily communicate with Azure as your SAML provider and securely authenticate users on any device. By using EAP methods such as PEAP-MSCHAPv2 to authenticate and employing processes like server certificate validation, SecureW2 guarantees only approved network users with valid credential sets can access the network.

Of course, at SecureW2, our ultimate goal is to help organizations switch from credentials to digital certificates for authentication, which can be accomplished using Azure AD. Certificates are superior to passwords in every single way: speed, security, user experience, ease of management, and more. But many who encounter problems deploying certificates simply lack an effective distribution and management strategy. 

SecureW2’s certificate solutions integrate with any network infrastructure and provide all the tools you could need. Our turnkey PKI and onboarding software can rapidly provision users’ devices with certificates in a few clicks. It also integrates with AD CS so you can take advantage of existing certificate security. And if you want to use certificates on only part of the network, SecureW2 can enable PEAP-MSCHAPv2 and EAP-TLS authentication simultaneously.

Build a Cloud-Based Future

With more people working remotely and a future that demands greater efficiency and security, choosing cloud technologies is easy. But the important decisions really begin when designing that cloud-based network and ensuring it works in favor of users, admins, and your budget.

Taking your existing Microsoft infrastructure with Azure AD and converting to efficient cloud authentication with Dynamic Cloud RADIUS can prepare your network for the business of the future. Check out SecureW2’s pricing page to see if our Cloud RADIUS solutions can work for you.



Amanda Tucker

Amanda is a copywriter from the beautiful (and oftentimes wild) state of Minnesota. Her passion for learning new things is demonstrated by a diverse writing portfolio and paralegal studies degree. When she's not writing for work, you can usually find her going down random research rabbit holes, playing tabletop RPGs, or listening to cybersecurity podcasts like Risky Business.
