Microsoft’s Network Policy Server (NPS) is a AAA RADIUS server used for a number of different types of network connections. It can be used for wireless authentication, VPN connections, dial-up, and more.
But as organizations continue to move to cloud-based operations, NPS has become a less favored solution. NPS and Active Directory (AD) do not come inherently with a cloud solution, so c hoosing the right add-on solution to enable cloud-based authentication is key. Today, many organizations struggle to move their infrastructure to the cloud, and the Microsoft networking suite is no exception.
Authentication with Microsoft NPS
NPS has been a staple for institutions using Active Directory for 802.1x. It is commonly accomplished using EAP methods, such as PEAP-MSCHAPv2 or EAP-TLS, because these methods use a server certificate.
Users can be easily tricked into sending authentication information to the wrong RADIUS if they fall victim to an attack known as Man-in-the-Middle. If their RADIUS employs server certificate validation, the user’s device will check for the RADIUS server certificate and validate that this is the correct server to authenticate to. Using password-only authentication and not checking for the server certificate can easily lead to unauthorized entry by an outside actor who has farmed network credentials.
Unfortunately, server certificates are not a bulletproof security method. Devices can authenticate against the NPS RADIUS Server even if their devices aren’t set up for server certificate validation. Neither the user nor network administration will know their network is at serious risk for a Man-in-the-Middle attack. This is why Onboarding Software is so important, it ensures every device is properly configured for server certificate validation, so they won’t send credentials to an impostor network.
Additionally, many organizations will deploy their own Certificate Authority (CA) to work with AD CS. By combining a trusted CA with AD CS, they can distribute server certificates as well as device and user certificates that are inherently trusted by the network and cannot be replicated or stolen by outside actors. However, this does not ensure devices are properly configured for server certificate validation, only that they know what the server certificate is.
Lastly, an organization will want to configure network clients to use 802.1x authentication with Group Policy. They can customize user attributes and set network permissions that determine a user’s role in the organization and what resources they have access to. This can be as specific or general as needed to fit the needs of the organization but should always be more complex than one universal group policy.
Hosting Microsoft NPS in the Cloud
As stated above, NPS and AD were not designed for cloud-based network authentication. It’s traditionally an on-premise RADIUS solution, and using it to manage cloud-based resources will require many additional network add-ons and a significant amount of time and resources from IT. We’ve seen this as a significant issue organizations face when they want to move their Active Directory to the cloud and use Azure while still supporting 802.1x.
In order to host NPS in the cloud, you need to combine Windows NPS as a RADIUS proxy with a cloud-based RADIUS solution. A user would send their authentication request to the cloud RADIUS, and in turn, it would be forwarded to NPS for final authentication.
This process requires specific configuration of RADIUS policies to match NPS. Settings such as the EAP method, what Event Logs to record, the network adapters that authentication requests would traffic, and more. Once configured, users would send their authentication requests to the cloud-based RADIUS and it would be authenticated securely with Microsoft NPS.
You also have the option of using an Azure Marketplace app that sets up NPS in the cloud for a small service fee per computing hour. However, this set up still runs into the compatibility issue with your Azure directory, so it’s not feasible for 802.1x.
A Cloud RADIUS Solution
Luckily, there is a simple solution to moving your networking infrastructure to the cloud, and that’s us! SecureW2’s Cloud RADIUS is designed to seamlessly integrate with any network infrastructure. Not only do you get the world’s most secure Cloud RADIUS server, but you also get easy-to-use certificate and onboarding services that can easily enable AD CS and provision server and client certificates for authentication.
SecureW2 provides all the necessary tools to deploy a certificate-based network, including a turnkey PKI solution and JoinNow onboarding software. Without an onboarding solution, allowing users to manually configure certificates will undoubtedly lead to numerous support ticket requests due to the complex configuration process associated with certificates.
JoinNow allows users to self-configure their devices for certificates in minutes. The process involves only a few clicks, and once completed, the user is equipped with a certificate and can be immediately authenticated. Our certificate solution makes working with AD CS a breeze.
Using Microsoft NPS in the cloud for 802.x authentication requires the right tools to make the job easy. Too many add-ons simply drives up the costs of operating the network and creates more work for IT admins. SecureW2’s Cloud RADIUS is a vendor-neutral solution that can authenticate any network device and ensure your network is secure. Check out our pricing page to see if our cost-efficient solutions can fit your organization.
