Enable 802.1X For Guest Users with Azure AD B2B and SecureW2

Business-to-Business collaboration is essential for company growth. Thousands of companies have collaborated on projects to increase company value and spread risk.

At the core of these collaborations is identity and access control management. When partnering up, companies need to ensure guest users have access to critical data and applications, but also ensure that none of that data falls into the wrong hands.

Allowing non-employees to access your company servers can be incredibly taxing for network administrators. Not all businesses are the same size and not all have the same identity infrastructures. Large organizations can set up a federation relationship with a smaller organization that can’t afford the same overhead, but that can become burdensome when you work with hundreds of smaller businesses. Luckily, Azure AD B2B offers a solution.

What is Azure AD B2B?

If two organizations run on Azure AD (Microsoft Entra ID), then they can link their Azure ADs together, shifting the setup work from network admins to Microsoft. Organizations can invite guest users from other Azure AD tenants to access resources within their Azure AD tenant.

Azure AD B2B is revolutionizing cross-organizational collaboration, but organizations still need to make sure their data is protected. Fortunately, Azure AD networks can integrate their environments with SecureW2’s CloudRADIUS and Managed PKI to enable the best security measure: certificate-based 802.1x authentication.

Enabling 802.1X with Azure AD B2B

802.1X is a secure authentication protocol, but its effectiveness greatly depends on how an organization chooses to authenticate users.

Many Azure AD environments use credential-based authentication protocols, usually having each user create a unique password to access network resources and applications. While it’s better than a shared password, credential-based authentication protocols do not stand up to the likes of certificate-based authentication protocols.

The credential-based EAP-TTLS/PAP authentication protocol sends unencrypted credentials over-the-air which can easily be intercepted by modern cyber attacks. PEAP-MSCHAPv2, another credential-based authentication protocol, suffers from a major vulnerability that can be exploited by hackers.

In modern times, organizations need to stop leaving authentication in the hands of end users. Certificate-based EAP-TLS authentication eliminates over-the-air credential theft because each network device is equipped with a digital X.509 certificate. Certificates utilize public-private key cryptography and are virtually impossible to decrypt.

Provisioning a certificate to every network device isn’t an easy task, unless you use a managed PKI. SecureW2’s Managed PKI comes with an onboarding software that allows admins to easily automate certificate distribution and configure every device for 802.1X. Our service also greatly improves upon RADIUS, which we’ll cover next.

Authenticating Users with Azure AD B2B and RADIUS Servers

RADIUS is an integral part of 802.1X and VPN, it’s the mechanism that authenticates users and authorizes them for network access. However, Azure AD doesn’t offer a native RADIUS service.

Fortunately, Azure AD environments can be configured with SecureW2’s CloudRADIUS for secure network authentication. Instead of LDAP, Azure AD uses the cloud-based SAML protocol. With SecureW2, admins can configure Azure AD as a SAML application and enroll users for 802.1X with our JoinNow onboarding software. For more information, here’s our article on setting up RADIUS authentication with Azure AD.

With SecureW2, Azure AD B2B can easily be configured to provide network authentication for both in-house employees, and guest collaborators, providing both parties with appropriate access policies. Once they have a certificate on their device, CloudRADIUS can dynamically grant network access based on their device, group, location, email domain, and much more!

Dynamic Policy Enforcement for Guest Users

SecureW2’s CloudRADIUS is powered by a Dynamic Policy Engine that provides features not available in any other cloud-based RADIUS service. It adds redundant security layers, which along with certificate-based EAP-TLS authentication, drastically increases network security by applying Zero Trust security philosophies.

Standard certificate-based 802.1X authentication checks a client’s information stored on the certificate, which is usually just name, email, MAC address, etc. Certificates are static, meaning they can’t be modified once created. If a user’s permissions change, network admins will have to manually revoke the certificate, create a new one, sign it with the CA, and securely provision it to the user. Since humans are fallible, it’s possible that a certificate might not be revoked, which creates a security risk.

Luckily, that’s not the case with Dynamic CloudRADIUS, which can directly reference a user’s entry in the directory in addition to checking their certificate. Dynamic CloudRADIUS is the only cloud-based RADIUS that can directly reference cloud identity providers like Google, Azure, and Okta while leveraging ultra-secure certificate-based authentication.

By combining Azure AD B2B and SecureW2 software, Dynamic CloudRADIUS can enforce user permissions and policies to guest users. With Azure B2B, two Azure AD tenants can connect and share information, while CloudRADIUS ensures that approved guest users are given secure access to resources. Our CloudRADIUS and PKI come at an incredibly affordable price so organizations of all sizes can utilize our services. Click here to see our pricing.