Organizations from around the world are making the much-needed transition to cloud-based network solutions. To ease the transition, Microsoft created Azure to aid clients moving their directories from on-premise Active Directory (AD) to the cloud.
However, Azure is limited compared to AD when it comes to support for RADIUS-backed WPA2-Enterprise Wi-Fi. AD is an on-premise solution, and Azure AD doesn’t offer an integrated and managed RADIUS solution.
So if you want to migrate to the cloud, you might get stuck and have to keep the AD-domain hardware. Luckily, if you use Microsoft Azure as your SAML provider, there are a number of different methods you can use to implement a RADIUS-backed Azure system.
Azure AD RADIUS Authentication Services
Due to Azure AD not having native RADIUS server functionality, network administrators have to employ a number of different methods for securing their on-prem wireless Internet access. Here are a few examples:
Azure AD with Network Policy Server (NPS) Extension
A common method is configuring Azure MFA with an NPS extension for RADIUS authentication. However, this service is usually quite time-consuming to configure and requires ongoing upkeep and maintenance.
Another limitation is that Microsoft’s solution only supports RADIUS authentication together with MFA, meaning that the network must do both every time. In addition, this method can only work via the Password Authentication Protocol (PAP), which is far less secure than its 802.1X certificate counterpart.
Azure AD With FreeRADIUS
Another solution for adding RADIUS capability to Azure AD is to implement and configure a virtual FreeRADIUS server.
To do this, network administrators need to secure LDAP for a managed domain in Azure AD DS and create a VM to host FreeRADIUS in the same virtual network as AD DS. This process is unfortunately quite time-consuming as well, and any missed step can lead to an insecure network.
If you have the technical skills and resources, this method may be a suitable solution for you. However, most organizations simply don’t have the time to create a suitable FreeRADIUS solution.
Azure RADIUS Server With SecureW2
Luckily, if you use Microsoft Azure as your SAML provider, you can easily set up a WPA2-Enterprise network equipped with Cloud RADIUS using SecureW2.
Our JoinNow Connector solution fully integrates your Azure system for WPA2-Enterprise, allowing you to safely and effortlessly use certificate-based security for Azure and AD devices.
Can Azure AD be used as a Wi-Fi SSO?
Yes! SecureW2’s onboarding clients use Azure as a Wi-Fi SSO, except that the credentials aren’t used for Wi-Fi authentication. Instead, they are used to enroll for a Wi-Fi certificate, which is then used for authentication. This not only provides a high level of flexibility, but also stronger overall cybersecurity. It’s the best defense against over-the-air credential theft.
Can I Use My Existing PEAP-MSCHAPv2?
SecureW2 is able to set up a RADIUS server that can service both PEAP-MSCHAPv2 and EAP-TLS protocols while simultaneously ensuring that devices are properly configured for either protocol with the MultiOS Device Onboarding platform.
The most common setup we see among organizations supporting both protocols is to keep one secure SSID and configure the RADIUS server to support both protocols. A properly configured RADIUS server will respond to a PEAP-MSCHAPv2 or EAP-TLS request in the appropriate manner, allowing devices using different protocols to seamlessly connect to one SSID.
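The outer EAP method negotiation behind the single-SSID setup described above, following RFC 3748, as an added example that is not SecureW2's or this post's own code. The `ENABLED` policy and the sample supplicant packets are constructed for illustration, and the MSCHAPv2 exchange inside the PEAP tunnel is out of scope.

```python
import struct

# EAP codes and method types from RFC 3748 and the IANA EAP registry.
REQUEST, RESPONSE = 1, 2
IDENTITY, NAK, EAP_TLS, EAP_TTLS, PEAP = 1, 3, 13, 21, 25


def build(code, ident, eap_type, data=b""):
    """Serialize an EAP packet: code, identifier, length, type, type-data."""
    return struct.pack("!BBHB", code, ident, 5 + len(data), eap_type) + data


def parse(packet):
    """Return (code, identifier, type, type-data), rejecting bad lengths."""
    if len(packet) < 5:
        raise ValueError("EAP packet shorter than 5 bytes")
    code, ident, length, eap_type = struct.unpack("!BBHB", packet[:5])
    if length < 5 or length > len(packet):
        raise ValueError("EAP length field does not match packet")
    return code, ident, eap_type, packet[5:length]


def select_method(offered, response, enabled):
    """Server side: decide which EAP method runs after the first offer.

    offered  - method type the server put in its first EAP-Request
    response - raw EAP-Response from the supplicant
    enabled  - methods the server permits on this SSID (hypothetical policy)
    Returns the agreed method type, or None when the session must be rejected.
    """
    code, _ident, eap_type, data = parse(response)
    if code != RESPONSE:
        raise ValueError("expected an EAP-Response")
    if eap_type == offered:
        return offered  # supplicant accepted the server's default method
    if eap_type == NAK:
        # Legacy Nak: type-data lists the methods the supplicant would accept.
        # Only methods the server enabled can be chosen, so the enabled list
        # bounds how far a client can steer away from the default.
        for wanted in data:
            if wanted in enabled:
                return wanted
    return None


ENABLED = (EAP_TLS, PEAP)  # constructed policy: one SSID, both protocols
# Constructed supplicant replies to an EAP-TLS offer (TLS payload omitted):
cert_device = build(RESPONSE, 2, EAP_TLS)                 # accepts EAP-TLS
peap_device = build(RESPONSE, 2, NAK, bytes([PEAP]))      # asks for PEAP
ttls_device = build(RESPONSE, 2, NAK, bytes([EAP_TTLS]))  # method not enabled
```

Calling `select_method(EAP_TLS, packet, ENABLED)` on each sample shows the certificate device staying on EAP-TLS, the legacy device moving to PEAP, and the EAP-TTLS request being rejected because that method is not enabled.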
SecureW2 Can Make Azure Integration Easy
With SecureW2 you can have your secure network set up in a matter of hours and have a support team ready to assist you with any of your questions. We have affordable solutions for organizations of all sizes. Check out our pricing here to see if we can be of service.
*** This is a Security Bloggers Network syndicated blog from SecureW2 authored by Eytan Raphaely. Read the original post at: https://www.securew2.com/blog/use-azure-with-a-radius-server/