How To Configure WPA2-Enterprise With Microsoft Azure AD

Many organizations today are adopting cloud-based network solutions for their networks. Microsoft created Azure AD to help clients move their directories from an on-premise Active Directory (AD) server to the cloud.

However, Azure is limited compared to AD when it comes to support for WPA2-Enterprise Wi-Fi. AD is an on-premise solution, and Microsoft doesn’t offer cloud PKI or Certificate Authority (CA) services. So if you want to migrate to the cloud, you might get stuck and have to keep the AD-domain hardware.

Luckily, SecureW2 has solved this issue. If you are thinking about moving from on-premise AD to Azure AD, and need to support 802.1x authentication, we can help. Our JoinNow Connector solution fully integrates your Azure AD system for WPA2-Enterprise, allowing you to safely and effortlessly provision 802.1x certificates to devices using your Azure AD credentials.

Configuring BYOD Devices for WPA2-Enterprise and 802.1x Certificates

Organizations that want to migrate to Azure AD are left wondering how to configure their devices for WPA2-Enterprise & 802.1x. SecureW2 can integrate with Azure AD, so users can easily use their Azure AD credentials for 802.1x, just as they previously did with on-premise Active Directory. SecureW2 automates the device onboarding process for end users, eliminating the risk of user misconfiguration and MITM credential theft.

The SecureW2 solution redirects users to Azure Single Sign-On, where they enter their credentials; SecureW2 then enrolls their device for a certificate and configures it for 802.1x. Organizations no longer have to be tied up managing outdated hardware such as on-premise Active Directory servers. Devices only need to be authenticated once and are set until the certificate expires.

Configuring Managed Devices for WPA2-Enterprise and Certificates

Configuring 802.1x with Microsoft Intune

For managed devices, many organizations with Azure use Microsoft’s MDM, Intune. SecureW2 integrates with Intune through a SCEP gateway. You can use the gateway to push policies and configuration settings onto Intune devices to enroll for 802.1x digital certificates automatically. Click here for our Intune integration guide.

Other MDMs

Azure is closely tied to Intune because they’re both Microsoft products. However, other MDMs can also be set up to deploy certificates. A common issue arises with Identity Lookup, because many MDMs do not allow an email address to be entered into the RFC 822 name field of a certificate template, which prevents admins from identifying the user behind a certificate.

Our JoinNow suite offers certificate enrollment Gateway APIs that any major MDM (Jamf, AirWatch, etc.) can use to auto-enroll devices for certificates. Our industry-unique Identity Lookup integration lets you find specific certificates and identify devices.

Below is a detailed guide on how to integrate Azure and AD with SecureW2 to easily deploy certificates for EAP-TLS authentication and manage your 802.1x network through the cloud.

Tech Overview

  1. Configure Azure as an IDP in a SAML Application
    • Integrating an Azure SAML application with SecureW2 enables users to self-configure their devices for WPA2-Enterprise, equip their device with a certificate, and be authenticated for network access for the life of the device.
  2. Add Users to the Azure SAML Application and/or Integrate Active Directory
    • After integrating the Azure IDP with SecureW2, the network can easily and rapidly determine if a person requesting authentication is an approved network user. The list can be regularly updated and certificates can be revoked using a CRL to guarantee that only approved users are able to access the secure network.
  3. Configure Attribute Mapping and Policies in SecureW2
    • With SecureW2, you can encode user attributes to certificates to provide Identity Context and easily assign VLANs. This is especially useful when segmenting user groups or determining use policies.

Ready to set it up? Here’s what you need to get started:

  • An active SecureW2 account
  • An active Cloud Connector subscription
  • An active Azure account

Configuring a SAML Azure Application for WPA2-Enterprise

Create a SAML Application in Azure

To create a SAML application in Microsoft Azure:

  1. From your Microsoft Azure Portal, use the search feature to go to Enterprise applications.
  2. In the main pane, click New application.
  3. In the Add an application pane, under Add from the gallery, enter ‘SecureW2’ in the search field.
    • If the SecureW2 JoinNow Connector application appears:
      1. Select it.
      2. In the Add your own application pane, click Add.
    • If the SecureW2 JoinNow Connector application does not appear:
      1. Click Non-gallery application.
      2. In the Add your own application pane, for Name, enter a name.
      3. Click Add.

Create an Identity Provider in SecureW2

An identity provider (IDP) is the system that proves the identity of a user/device.

Creating an IDP in SecureW2 tells the Cloud Connector system how to connect to your Azure user database, verify user credentials, and issue certificates.

To create an IDP in SecureW2:

  1. From your SecureW2 Management Portal, go to Identity Management > Identity Providers.
  2. Click Add Identity Provider.
  3. For Name, enter a name.
  4. For Description, enter a description.
  5. Click the Type dropdown and select SAML.
  6. Click the Saml Vendor dropdown and select Azure.
  7. Click Save.

Now, SecureW2 Cloud Connector knows how to exchange information with your Azure user database.

Configure Single-Sign-On in Azure

To configure single sign on in Microsoft Azure:

  1. From your Microsoft Azure Portal, click Configure single sign-on (required).
  2. Click the Single Sign-on Mode dropdown and select SAML-based Sign-on.
  3. In a new browser tab/window, log into your SecureW2 Management Portal and go to Identity Management > Identity Providers.
  4. Click Edit for the IDP you created in the previous section.
  5. Select the Configuration tab.
  6. Copy and paste as follows:
    • From SecureW2, copy the information for EntityId and ACS URL, and
    • Paste respectively into Azure for Identifier and Reply URL.
  7. In the SAML Signing Certificate section, in the DOWNLOAD column, click Metadata XML. Save the metadata file (.xml) to your computer.
  8. Click Save.

Configure the IDP with Azure Metadata

To upload the Azure metadata to SecureW2:

  1. From your SecureW2 Management Portal, go to Identity Management > Identity Providers.
  2. Click Edit for the IDP you created in the section “Create an Identity Provider in SecureW2”.
  3. Select the Configuration tab.
  4. Under Identity Provider (IDP) Info, for Metadata, click Choose File.
  5. In the window that appears, select the metadata file (.xml) you saved to your computer in the previous section.
  6. Click Upload.
  7. Click Update.

Integrating Active Directory with the Azure SAML Application

After you’ve configured your SAML Application in Azure and SecureW2, it’s time to assign users to it. You can do this by directly assigning users, if you have them stored in Azure, or you can integrate it with your Active Directory. Below we will show you how to do both.

Add Users to the SAML Application

  1. From your Microsoft Azure Portal, go to the JoinNow Connector Application, or the SAML application you created in the section “Create a SAML Application in Azure”.
  2. Go to Manage > Users and groups.
  3. Click Add User.
  4. In the Users and groups pane, use the Select field to search for the user by name or email.
  5. Select the user, and then click Select.
  6. In the Add Assignment pane, click Assign.

Grant SAML Application Access to Active Directory

To allow your SAML application to access Active Directory:

  1. From your Microsoft Azure Portal, use the search feature to go to App registrations.
  2. Next to the search field, click the dropdown and select All apps. This displays a list of all available applications.
  3. Click your application.
  4. In the pane that appears for your application, click Settings.
  5. In the Settings pane, click Required permissions.
  6. In the Required permissions pane, click Add.
  7. In the Add API access pane, click 1 Select an API.
  8. In the Select an API pane, select Windows Azure Active Directory.
  9. Click Select.
  10. In the Add API access pane, click 2 Select permissions.
  11. In the Enable Access pane, select:
    • Read directory data
    • Read all groups
    • Read all users’ full profiles
  12. Click Select.
  13. In the Add API access pane, click Done.
  14. In the pane for your application, click Settings.
  15. Click Manifest > Edit.
  16. In the Edit manifest pane, in the source code:
    • For the ‘groupMembershipClaims’ variable, change the value to ‘All’.
  17. Click Save.

Configure Attribute Mapping and Policies for 802.1x Certificates

One of the great things about certificates is that they can be encoded with attributes. This provides Identity Context, putting a name to every network connection, and makes it easy to create VLAN policies for your users. Below we will show you how to send your user attributes to SecureW2 so it can encode them into certificates, and we will conclude the document by configuring some policies in our Management Portal.

Configure Attribute Mapping in SecureW2

To configure attribute mapping in SecureW2:

  1. From your SecureW2 Management Portal, go to Identity Management > Identity Providers.
  2. Click Edit for the IDP you created in the section “Create an Identity Provider in SecureW2”.
  3. Select the Attribute Mapping tab.
  4. Click Add.
  5. For Local Attribute, enter ‘upn’.
  6. Click the Remote Attribute dropdown and select USER_DEFINED.
  7. In the field that appears, enter ‘http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name’.
  8. Click Next.
  9. Click Add.
  10. For Local Attribute, enter ‘email’.
  11. Click the Remote Attribute dropdown and select USER_DEFINED.
  12. In the field that appears, enter ‘http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress’.
  13. Click Next.
  14. Click Add.
  15. For Local Attribute, enter ‘displayName’.
  16. Click the Remote Attribute dropdown and select USER_DEFINED.
  17. In the field that appears, enter ‘http://schemas.microsoft.com/identity/claims/displayname’.
  18. Click Next.
  19. Select the Basic tab.
  20. For Group Map Attribute, enter ‘http://schemas.microsoft.com/ws/2008/06/identity/claims/groups’.
  21. Select the Groups tab.
  22. Click Add.
  23. For Local Group, enter a name.
  24. In a new browser tab/window, log into your Microsoft Azure Portal and go to Azure Active Directory > Groups > All groups.
  25. Use the Name field to search for the group.
  26. Click the group, and then go to Properties.
  27. For Object ID, copy the value.
  28. Return to your SecureW2 Management Portal.
  29. For Remote Group, paste the Object ID value.
  30. Click Create.
  31. Click Update.

Update the Profile Policy in SecureW2

To update the profile policy in SecureW2:

  1. From your SecureW2 Management Portal, go to Policy Management > Profile.
  2. Click Edit for the profile policy.
  3. Select the Settings tab.
  4. Click the Identity Provider dropdown and select the IDP you created in the section “Create an Identity Provider in SecureW2”.
  5. Click Update.

Update the User Role Policy in SecureW2

To update the user role policy in SecureW2:

  1. From your SecureW2 Management Portal, go to Policy Management > User Roles.
  2. For DEFAULT ROLE POLICY 1, click Edit.
  3. Select the Conditions tab.
  4. Click the Identity Provider dropdown and select the IDP you created in the section “Create an Identity Provider in SecureW2”.
  5. Click Update.

Add a User Role Policy in SecureW2

To add a user role policy in SecureW2:

  1. From your SecureW2 Management Portal, go to Policy Management > User Roles.
  2. Click Add Role.
  3. For Name, enter a name.
  4. Click Save.
  5. Select the Conditions tab.
  6. Click the Identity Provider dropdown and select the IDP you created in the section “Create an Identity Provider in SecureW2”.
  7. In the Attribute/Groups section, confirm that the Groups list shows the group you created in the previous section.
  8. Click Update.
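The attribute mapping section above and the user role policies just configured together decide what ends up in the certificate and which role a user lands in: the claim URIs from the SAML assertion are mapped to local attributes, the group Object IDs in the groups claim are matched against the Remote Group values you pasted, and a role policy fires when its group condition is met. The following is an added example, not SecureW2's or Microsoft's code, that works through that evaluation on a constructed assertion. The claim URIs are the ones entered in the guide; the group names, Object IDs, role names other than DEFAULT ROLE POLICY 1, and the "most specific policy first, default last" evaluation order are assumptions of this example, not a description of how the product orders its policies.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Remote claim URI -> local attribute, exactly as entered in the mapping steps.
ATTRIBUTE_MAP = {
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name": "upn",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress": "email",
    "http://schemas.microsoft.com/identity/claims/displayname": "displayName",
}
# The Group Map Attribute from the guide; Azure fills it with group Object IDs.
GROUP_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"

# Local group name -> Azure group Object ID (constructed placeholder GUIDs).
GROUP_MAP = {
    "Staff-WiFi": "11111111-1111-1111-1111-111111111111",
    "Contractors": "22222222-2222-2222-2222-222222222222",
}

# Hypothetical role policies, most specific first; the default role has no group
# condition. The evaluation order is an assumption of this example.
ROLE_POLICIES = [
    {"name": "Staff Role", "requires_group": "Staff-WiFi"},
    {"name": "Contractor Role", "requires_group": "Contractors"},
    {"name": "DEFAULT ROLE POLICY 1", "requires_group": None},
]


def build_assertion(claims):
    """Build a minimal, unsigned SAML assertion from {claim_uri: [values]} for testing."""
    root = ET.Element("{%s}Assertion" % SAML_NS, Version="2.0")
    # Placeholder issuer: all-zero tenant id, not a real tenant.
    ET.SubElement(root, "{%s}Issuer" % SAML_NS).text = (
        "https://sts.windows.net/00000000-0000-0000-0000-000000000000/")
    stmt = ET.SubElement(root, "{%s}AttributeStatement" % SAML_NS)
    for uri, values in claims.items():
        attr = ET.SubElement(stmt, "{%s}Attribute" % SAML_NS, Name=uri)
        for value in values:
            ET.SubElement(attr, "{%s}AttributeValue" % SAML_NS).text = value
    return ET.tostring(root, encoding="unicode")


def extract_claims(assertion_xml):
    """Collect every Attribute in the AttributeStatement as {claim_uri: [values]}."""
    root = ET.fromstring(assertion_xml)
    claims = {}
    for attr in root.iter("{%s}Attribute" % SAML_NS):
        values = [(v.text or "").strip() for v in attr.findall("{%s}AttributeValue" % SAML_NS)]
        claims[attr.attrib["Name"]] = values
    return claims


def map_identity(claims):
    """Apply the attribute and group mappings; a missing or ambiguous user claim is rejected."""
    identity = {}
    for uri, local in ATTRIBUTE_MAP.items():
        values = claims.get(uri, [])
        if len(values) != 1 or not values[0]:
            raise ValueError("claim for local attribute %r missing or ambiguous" % local)
        identity[local] = values[0]
    # Group matching is by Object ID, so a renamed Azure group still maps correctly.
    object_ids = {oid.lower() for oid in claims.get(GROUP_CLAIM, [])}
    identity["groups"] = sorted(name for name, oid in GROUP_MAP.items() if oid.lower() in object_ids)
    return identity


def select_role(identity):
    """First role policy whose group condition the user satisfies."""
    for policy in ROLE_POLICIES:
        required = policy["requires_group"]
        if required is None or required in identity["groups"]:
            return policy["name"]
    return None


# Constructed sample: a staff member who is also in a group this example does not map.
STAFF_CLAIMS = {
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name": ["jdoe@example.com"],
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress": ["jdoe@example.com"],
    "http://schemas.microsoft.com/identity/claims/displayname": ["Jane Doe"],
    GROUP_CLAIM: [GROUP_MAP["Staff-WiFi"], "33333333-3333-3333-3333-333333333333"],
}
# The same user with no groups claim at all, which is what you get when the
# manifest's groupMembershipClaims setting was not changed to All.
STAFF_CLAIMS_NO_GROUPS = {k: v for k, v in STAFF_CLAIMS.items() if k != GROUP_CLAIM}


def resolve(claims):
    """End to end: assertion XML -> claims -> local identity -> role name."""
    identity = map_identity(extract_claims(build_assertion(claims)))
    return identity, select_role(identity)


if __name__ == "__main__":
    for label, claims in (("with groups", STAFF_CLAIMS), ("without groups", STAFF_CLAIMS_NO_GROUPS)):
        identity, role = resolve(claims)
        print(label, "->", identity["upn"], identity["groups"], "role:", role)
```

The second sample is the case to watch for when troubleshooting: if the groups claim never arrives, every user silently falls through to the default role and the group-specific enrollment policy never applies, so an empty Groups list under Attribute/Groups in the role policy points back at the `groupMembershipClaims` manifest edit rather than at the mapping itself.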

Add an Enrollment Policy in SecureW2

To add an enrollment policy in SecureW2:

  1. From your SecureW2 Management Portal, go to Policy Management > Enrollment.
  2. Click Add Enrollment Policy.
  3. For Name, enter a name.
  4. Click Save.
  5. Select the Conditions tab.
  6. In the User Role list, select the user role policy you created in the previous section.
  7. Click Update.

Republish Your Network Profile

To republish your network profile:

  1. From your SecureW2 Management Portal, go to Device Onboarding > Network Profiles.
  2. For your network profile, click Re-publish.
  3. In the Republish Network Profile window, click OK.
    • NOTE: You should republish your network profile every time you make a significant change. The process takes 60-90 seconds.

FAQ:

Why Should WPA2-Enterprise with Azure AD Be Set Up through the Cloud?

Azure AD can be integrated with SecureW2 so that the entire infrastructure required for 802.1x is in the cloud. Many organizations are pushing for an all-cloud initiative, and SecureW2 enables organizations to move away from their legacy on-premise Active Directory servers and adopt a modern Azure AD in the cloud. Moving away from on-premise AD increases security, reduces costs, and allows a wider range of application support, because Azure AD supports SAML authentication while on-premise AD requires LDAP, which most modern applications do not support.

Does Azure support Certificate Signing Requests?

Deploying certificates can be difficult with Azure because it does not support Certificate Signing Requests (CSR), which is a security risk. You will either need to create your own CSR, or you can use SecureW2’s Management Portal to seamlessly integrate your CAs and get CA-approved certificates on Azure.

Can I set up a PKI with Azure?

With SecureW2, you can set up your own cloud PKI in just a few hours without needing to overhaul your entire network infrastructure. We do this by integrating an Azure AD SAML application with our PKI, so users can enter their Azure AD credentials to enroll for a certificate.

Can I Integrate AD CS with Azure AD?

Organizations wanting to switch over to cloud environments realize it’s unnecessary to keep or build Active Directory Certificate Services (AD CS) because it requires Active Directory. Azure is incompatible with AD CS, leaving many stuck with clunky, on-premise hardware.

Luckily, SecureW2 has a solution to configure AD CS certificates for EAP-TLS authentication. Our Management Portal can replace the AD CS backend to better manage certificates and push configuration payloads onto AD-managed devices.

Setting up WPA2-Enterprise with Azure is easy when you use SecureW2. Most importantly, it keeps your network and its users secure. SecureW2 is also regarded as one of the most cost-effective solutions in its class. Click here to learn about our pricing.

Microsoft Azure is a registered trademark of Microsoft Corporation in the United States and/or other countries. Other trademarks, logos and service marks used in this site are the property of SecureW2 or other third parties.