Extend your Azure policy to passwordless network security by leveraging digital certificates. Deploying digital certificates, a PKI, and device and user trust lays the foundation for a Zero Trust architecture.
A digital certificate delivers so much more identity context to each connection and can be used for various purposes. In one convenient centralized location, our managed Azure cloud PKI solution allows you to create certificates for:
Global Cloud RADIUS eliminates complex on-prem infrastructure and works natively with cloud identities. Enable the gold standard in passwordless 802.1X security via EAP-TLS. Support for all major Wi-Fi, Wired & VPN infrastructure vendors.
For Wi-Fi and VPN connections, Microsoft recommends moving from MSCHAPv2-based (password) connections to certificate-based authentication such as EAP-TLS.
PKIs don’t need to be complicated to set up or difficult to manage. Deploy PKI easily to serve as the backbone to passwordless security and zero-trust initiatives.
Our plan was to fully migrate to Azure AD so we wanted to retire our on-prem RADIUS and PKI servers. The native support with Azure AD without having to stand up another cloud directory was a win for us in the server/networking group. Going fully passwordless in the process was a win for our security guys.
HAKEEM, NETWORK ADMINISTRATOR
A major barrier to passwordless authentication is ensuring every device gets, and updates, its certificates with ease. Our JoinNow Managed Device Gateways and MultiOS Self-service software provide painless certificate enrollment and renewals.
Enable zero-touch certificate distribution and renewals. Leverage all your existing MDM/EMM platforms via APIs and Gateways to provision and manage certificates.
Step 1: Configure your MDM platform with our PKI services to send out configuration profiles directing managed devices to auto-enroll for a certificate and self-service for 802.1X.
Step 2: Cloud RADIUS will authenticate the device for Wi-Fi access by directly communicating with your Azure AD.
Getting certificates and device configurations such as Wi-Fi onto user devices isn’t easy; self-service software makes it simple. With JoinNow MultiOS, you can empower users to self-configure their devices for certificate-based authentication in just three easy steps:
Step 1: Configure JoinNow MultiOS, a dissolvable onboarding client that directs unmanaged devices to enroll for a certificate and enable 802.1X settings.
Step 2: Configure a custom landing page that detects the device’s OS and organization to determine the right certificate to provision.
Step 3: Cloud RADIUS will authenticate the device for Wi-Fi access by directly communicating with your Azure AD.
Certificates are issued to users after they successfully prove their identity with their valid Azure credentials. Acclaimed as the most phishing-resistant authentication method, certificates can be used to securely access your wireless network or to log in to Azure applications for upgraded application security. Digital certificates strongly establish device and user context, enabling Zero Trust.
Yes, definitely. If you already have an identity management service in place, using SecureW2’s Cloud PKI and Cloud RADIUS doesn’t require you to create separate identities. We have tight integration with Azure Active Directory and can work hand in hand with it. Once you create/delete identities in Azure AD you can leave the rest to us. We can manage your wireless network authentication and do an additional RADIUS lookup as well.
Distributing certificates to every client in your network infrastructure can be a daunting task. If you have a Mobile Device Management (MDM) solution like Intune, Simple Certificate Enrollment Protocol (SCEP) settings can be pushed to devices so that they talk to a PKI autonomously, enabling a zero-touch method for certificate enrollment and renewal. SecureW2 is an official CA partner of Intune, enabling a more secure version of SCEP enrollment with an API lookup that can validate things such as Device Compliance.
For BYODs we provide a dissolvable module, JoinNow MultiOS, that enables end users to self-service their device. It automatically enrolls certificates and configures the Wi-Fi settings for devices, drastically reducing the complexity of enterprise Wi-Fi security.
SCEP works by providing a URL and key to devices; anyone who gains access to these can enroll for a client certificate. Because user identity is not validated, it is easy for anyone to impersonate a user and move to a higher-privilege network. To alleviate this issue, SecureW2 has partnered with Microsoft to be an Intune CA partner. SecureW2 validates users directly through the Graph API and only then processes SCEP enrollment requests.
For a managed device, the client certificate and Wi-Fi policy are pushed through Mobile Device Management (MDM) solutions like Intune.
For BYODs, we have a dissolvable onboarding module, JoinNow MultiOS, that allows your end users to self-service their devices for certificates and simultaneously have them configured for 802.1X network security. It works by first asking the user to authenticate with any IDP, like Azure Active Directory. Once the user has entered their Azure credentials, MultiOS will deploy certificates to their device. It also allows you to map user attributes from Azure Active Directory, so you can create automated conditional access policies for certificate enrollment and network security.
User and device information like UserName or Azure AD Device ID can be mapped directly into the certificate template in a PKI like SecureW2. The data placed in the certificate can then be used to create access and authorization policies. For example, some organizations use Intune Device Compliance to determine whether a device should be put in a quarantine VLAN.
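The policy decision described above, sketched as an added example (not SecureW2's code): after EAP-TLS has validated the certificate, the identity fields mapped into it are checked against current directory state to choose a VLAN. The VLAN IDs, the directory records, the function names and the owner-binding check are all assumptions made for illustration.

```python
from dataclasses import dataclass

# Hypothetical VLAN IDs; real values come from your network design.
CORP_VLAN, QUARANTINE_VLAN = "20", "99"

@dataclass(frozen=True)
class CertIdentity:
    """Fields the certificate template mapped into the client certificate."""
    user_name: str   # UserName attribute
    device_id: str   # Azure AD Device ID attribute

# Constructed sample data standing in for a real-time directory/MDM lookup.
USERS = {
    "alice@example.com": {"enabled": True},
    "bob@example.com": {"enabled": False},
}
DEVICES = {
    "dev-001": {"owner": "alice@example.com", "compliant": True},
    "dev-002": {"owner": "alice@example.com", "compliant": False},
    "dev-003": {"owner": "bob@example.com", "compliant": True},
}

def vlan_attributes(vlan_id):
    """RADIUS reply attributes for dynamic VLAN assignment (RFC 3580)."""
    return {
        "Tunnel-Type": "VLAN",
        "Tunnel-Medium-Type": "IEEE-802",
        "Tunnel-Private-Group-ID": vlan_id,
    }

def authorize(cert):
    """Return (RADIUS result, reply attributes) for an already-validated cert."""
    user = USERS.get(cert.user_name)
    device = DEVICES.get(cert.device_id)
    # A valid certificate is not enough: the account must still be active.
    if user is None or not user["enabled"]:
        return ("Access-Reject", {})
    # Assumed extra check: the device must be known and bound to this user.
    if device is None or device["owner"] != cert.user_name:
        return ("Access-Reject", {})
    # Non-compliant devices are admitted, but only to the quarantine VLAN.
    vlan = CORP_VLAN if device["compliant"] else QUARANTINE_VLAN
    return ("Access-Accept", vlan_attributes(vlan))

if __name__ == "__main__":
    for dev in ("dev-001", "dev-002", "dev-404"):
        print(dev, authorize(CertIdentity("alice@example.com", dev)))
```
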
Integrating Cloud RADIUS with Azure requires creating an App Registration in Azure. After that, the Tenant and Client IDs need to be shared with SecureW2, along with the client secret. Lastly, API Permissions need to be configured so that Cloud RADIUS can read user and device data from Azure and determine access and authorization levels with real-time data.
Reusing the same Azure AD credentials for your Wi-Fi security is not recommended as these could be easily stolen or shared among people, depriving you of the knowledge of who is accessing your network. Hackers could easily use these credentials as a pivoting point for carrying out more serious damage to your network.
SecureW2’s Cloud RADIUS solution alleviates this problem efficiently with the power of digital certificates. It quickly turns your Wi-Fi network into an EAP-TLS framework, transitioning your entire network into a passwordless secure environment. We’ve worked closely with partners like Microsoft, Okta, Google, and Jamf so that our JoinNow Connector PKI’s Certificate Lifecycle Automation is an extension of your Identity, ensuring that only valid and trusted devices are on the network and segmented accordingly.
Sign up for a quick demonstration and see how SecureW2 can make your organization simpler, faster, and more secure.
Our solutions scale to fit you. We have affordable options for organizations of any size.