RADIUS Authentication with Azure AD

Many organizations today are adopting cloud-based network solutions for their networks. Microsoft created Azure AD to help clients move their directories from an on-premise Active Directory (AD) server to the cloud.

Some have adapted by syncing their Azure AD with an LDAP server, but this solution still uses PEAP-MSCHAPv2 for authentication.

EAP-TLS (certificate-based authentication) requires a Public Key Infrastructure to enroll and manage certificates to be used for Wi-FI. That’s why Cloud RADIUS was designed to easily integrate with Azure AD, so organizations can easily use their Azure AD for WPA2-Enterprise. Below we break down the solution into three steps:

  1. Tie your PKI Infrastructure to Azure AD.
  2. Tie your RADIUS Infrastructure to Azure AD.
  3. Tie your Device Management platform to the SecureW2 (Parent of Cloud RADIUS) cloud PKI.

End-users can enter their credentials into the SAML app, which are then sent to and verified by Azure AD. Once Azure AD sends back attributes, the SAML app will share them with SecureW2 PKI to issue certificates.

To create a SAML application in Microsoft Azure:

  1. From your Microsoft Azure Portal, use the search feature to go to Enterprise applications.
  2. In the main pane, click New application.
  3. In the Add an application pane, under Add from the gallery, enter ‘SecureW2‘ in the search field.
    • If the SecureW2 JoinNow Connector application appears:
      1. Select it.
      2. In the Add your own application pane, click Add.
    • If the SecureW2 JoinNow Connector application does not appear:
      1. Click Non-gallery application.
      2. In the Add your own application pane, for Name, enter a name.
      3. Click Add.

An identity provider (IDP) is the system that proves the identity of a user/device.

Creating an IDP in SecureW2 tells the Cloud Connector system how to connect to your Azure user database, verify user credentials, and issue certificates.

To create an IDP in SecureW2:

  1. From your SecureW2 Management Portal, go to Identity Management > Identity Providers.
  2. Click Add Identity Provider.
  3. For Name, enter a name.
  4. For Description, enter a description.
  5. Click the Type dropdown and select SAML.
  6. Click the Saml Vendor dropdown and select Azure.
  7. Click Save.

Now, SecureW2 Cloud Connector knows how to exchange information with your Azure user database.

To configure single sign on in Microsoft Azure:

  1. From your Microsoft Azure Portal, click Configure single sign-on (required).
  2. Click the Single Sign-on Mode dropdown and select SAML-based Sign-on.
  3. In a new browser tab/window, log into your SecureW2 Management Portal and go to Identity Management > Identity Providers.
  4. Click Edit for the IDP you created in the previous section.
  5. Select the Configuration tab.
  6. Copy and paste as follows:
    • From SecureW2, copy the information for EntityId and ACS URL, and
    • Paste respectively into Azure for Identifier and Reply URL.
  7. In the SAML Signing Certificate section, in the DOWNLOAD column, click Metadata XML. Save the metadata file (.xml) to your computer.
  8. Click Save.

To upload the Azure metadata to SecureW2:

  1. From your SecureW2 Management Portal, go to Identity Management > Identity Providers.
  2. Click Edit for the IDP you created in the section “Create an Identity Provider in SecureW2”.
  3. Select the Configuration tab.
  4. Under Identity Provider (IDP) Info, for Metadata, click Choose File.
  5. In the window that appears, select the metadata file (.xml) you saved to your computer in the previous section.
  6. Click Upload.
  7. Click Update.

After you’ve configured your SAML Application in Azure and SecureW2, it’s time to assign users to it. You can do this by directly assigning users, if you have them stored in Azure, or you can integrate it with your Active Directory. Below we will show you how to do both.

  1. From your Microsoft Azure Portal, go to the JoinNow Connector Application, or the SAML application you created in the section “Create a SAML Application in Azure”.
  2. Go to Manage > Users and groups.
  3. Click Add User.
  4. In the Users and groups pane, use the Select field to search for the user by name or email.
  5. Select the user, and then click Select.
  6. In the Add Assignment pane, click Assign.

To allow your SAML application to access Active Directory:

  1. From your Microsoft Azure Portal, use the search feature to go to App registrations.
  2. Next to the search field, click the dropdown and select All apps. This displays a list of all available applications.
  3. Click your application.
  4. In the pane that appears for your application, scroll under Manage and click API Permissions.
  5. Under Configured Permission, click Add A Permission.
  6. In the Request API permissions pane, select Microsoft Graph and Delegated Permission.
  7. Select the following permissions:
    1. Directory.Read.All

    2. Group.Read.All
    3. User.Read.All
  8. Click Add Permissions. You should see the following image.
  9. In the pane for your application, click Settings.
  10. Click Manifest > Edit.
  11. In the Edit manifest pane, in the source code:
    • For the ‘groupMembershipClaims‘ variable, change the value to ‘All‘.
  12. Click Save.

 

Certificates attach a name or device ID to every network connection, establishing device and user trust with a high degree of assurance. They can also be encoded with Azure AD attributes, making it easy to implement group policies and establish strong role-based access control.

To configure attribute mapping in SecureW2:

  1. From your SecureW2 Management Portal, go to Identity Management > Identity Providers.
  2. Click Edit for the IDP you created in the section “Create an Identity Provider in SecureW2”.
  3. Select the Attribute Mapping tab.
  4. Click Add.
  5. For Local Attribute, enter ‘upn‘.
  6. Click the Remote Attribute dropdown and select USER_DEFINED.
  7. In the field that appears, enter ‘http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name‘.
  8. Click Next.
  9. Click Add.
  10. For Local Attribute, enter ‘email‘.
  11. Click the Remote Attribute dropdown and select USER_DEFINED.
  12. In the field that appears, enter ‘http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress‘.
  13. Click Next.
  14. Click Add.
  15. For Local Attribute, enter ‘displayName‘.
  16. Click the Remote Attribute dropdown and select USER_DEFINED.
  17. In the field that appears, enter ‘http://schemas.microsoft.com/identity/claims/displayname‘.
  18. Click Next.
  19. Select the Basic tab.
  20. For Group Map Attribute, enter ‘http://schemas.microsoft.com/ws/2008/06/identity/claims/groups‘.
  21. Select the Groups tab.
  22. Click Add.
  23. For Local Group, enter a name.
  24. In a new browser tab/window, log into your Microsoft Azure Portal and go to Azure Active Directory > Groups > All groups.
  25. Use the Name field to search for the group.
  26. Click the group, and then go to Properties.
  27. For Object ID, copy the value.
  28. Return to your SecureW2 Management Portal.
  29. For Remote Group, paste the Object ID value.
  30. Click Create.
  31. Click Update.

To update the profile policy in SecureW2:

  1. From your SecureW2 Management Portal, go to Policy Management > Profile.
  2. Click Edit for the profile policy.
  3. Select the Settings tab.
  4. Click the Identity Provider dropdown and select the IDP you created in the section “Create an Identity Provider in SecureW2”.
  5. Click Update.

To update the user role policy in SecureW2:

  1. From your SecureW2 Management Portal, go to Policy Management > User Roles.
  2. For DEFAULT ROLE POLICY 1, click Edit.
  3. Select the Conditions tab.
  4. Click the Identity Provider dropdown and select the IDP you created in the section “Create an Identity Provider in SecureW2”.
  5. Click Update.

To add a user role policy in SecureW2:

  1. From your SecureW2 Management Portal, go to Policy Management > User Roles.
  2. Click Add Role.
  3. For Name, enter a name.
  4. Click Save.
  5. Select the Conditions tab.
  6. Click the Identity Provider dropdown and select the IDP you created in the section “Create an Identity Provider in SecureW2”.
  7. In the Attribute/Groups section, confirm that the Groups list shows the group you created in the previous section.
  8. Click Update.

To add an enrollment policy in SecureW2:

  1. From your SecureW2 Management Portal, go to Policy Management > Enrollment.
  2. Click Add Enrollment Policy.
  3. For Name, enter a name.
  4. Click Save.
  5. Select the Conditions tab.
  6. In the User Role list, select the user role policy you created in the previous section.
  7. Click Update.

To republish your network profile:

  1. From your SecureW2 Management Portal, go to Device Onboarding > Network Profiles.
  2. For your network profile, click Re-publish.
  3. In the Republish Network Profile window, click OK.
    • NOTE: You should republish your network profile every time you make a significant change. The process takes 60-90 seconds.

SecureW2’s Cloud RADIUS has the industry-unique ability to perform directory lookups at the moment of authentication. This enables more policy enforcement options and a more robust authentication security.

New App Registration

  1. Login to Azure.
  2. Navigate to App Registrations.
  3. Click New Registration.
  4. Configure the following settings:

Note: Use your unique SecureW2 Organization URL as the Redirect URL like so; https://myorganization-auth.securew2.com/auth/oauth/code

Create a Client Secret

  1. Navigate to Manage.
    • Then click Certificates & secrets.
  2. Click New client secret.
    • Enter in a name under Description.
    • Select an expiration date under Expires.
    • Click Add.
    • Now you should see your Client Secret under the Value column.
      • Make sure to save this somewhere safe, as this secret is non-recoverable!

Create a Provider URL and Client ID

  1. Navigate to the Overview section and you will see a screen like below:
  2. Copy your Application (client) ID and save this for later.
  3. Copy your Directory (tenant) ID.
    • Insert it into the following URL:
      • https://login.microsoftonline.com/{Directory (tenant) ID}
      • Should look like this:
        • https://login.microsoftonline.com/561bc67f-1c86-4244-8bd4-5eb23cba44ac
      • Save this for later.

API Permissions

Lastly, we need to give this application permission to access the data in our Azure directory.

  1. Navigate to API Permissions under the Manage section.
  2. Click Add a permission and add the following permissions:
  3. After adding the permissions, click Grant admin consent for {your organization}.

Configuring RADIUS Lookup in Cloud RADIUS

An identity provider (IDP) is the system that proves the identity of a user/device. Creating an IDP in SecureW2 tells the Cloud Connector system how to connect to your Azure user database, verify user credentials, and issue certificates.

During the authentication process, identity lookup validates that a user is active within the organization by checking the identifying information against the existing users in the Identity Provider.

  1. Navigate to Identity Providers in the Identity Management section.
  2. Click Add Identity Provider.
    • Enter a Name.
    • Description is optional.
    • Select Type as:
      • Identity Lookup Provider
        1. AZURE
  3. Click Configuration while still in the Identity Provider edit menu.
    • For Provider URL enter the URL we created before using the Directory (tenant) ID.
      • https://login.microsoftonline.com/{Directory (tenant) ID}
      • Which should look something like this: https://login.microsoftonline.com/561bc67f-1c86-4244-8bd4-5eb23cba44ac.
    • For Client ID enter in the Client ID that you retrieved from Azure previously.
    • For Client Secret enter in the Client secret you generated in Azure previously and saved in a secure place.
      • After updating the Identity Provider, this secret will not be retrievable, so make sure this is saved in a secure place.
    • Click Update.
  4. Lastly, click Authorize on your new Identity Lookup Provider.
  5. This will test the connection between SecureW2 and your Azure App.
  6. This is a mandatory step, as it grants our application the final authorization to call our Azure API to grant User Info.

Configuring Groups

Lastly, Cloud RADIUS can perform a User Group Lookup so we can create network access policies based off of the Groups a user is in.

  1. Navigate to the Groups tab.
  2. Click Add.
    • Create any name for Local Group.
      • This name will be what shows up later as our ‘Group’ in the SecureW2 Management Portal when we configure policies.
    • In Remote Group enter in the name of your Group as it is configured in Azure.
  3. Click Update.
  4. Repeat as necessary for any Group you wish to create Network Policies around.

 

Configuring Policies

Dynamic RADIUS allows the RADIUS to segment users and restrict/allow resources based on information stored in their directory entry. Since enforcement occurs at runtime, changes made to a user’s permissions are propagated throughout the system immediately rather than a day or two later, as is typical with most RADIUS servers.

Account Lookup Policy

Lookup Policies are how we tie our new Identity Lookup Provider to domains. Here we will create a condition that ties our domain to the new Identity Lookup Provider we just created in the previous section.

  1. Select Lookup under Policy Management.
  2. Click Add Identity Lookup Policy.
  3. Create a Name and click Save.
  4. Navigate to the Conditions tab.
    • Configure the following settings:
  5. Navigate to the Settings tab
    • Select the Identity Lookup Provider we just created in the previous section.

User Role Policy

Next, we need to create a User Role Policy for Network Authentication. This policy will be used by Cloud RADIUS’ Dynamic Policy Engine to lookup user status at the moment of authentication. Then Cloud RADIUS can dynamically apply Network policies, which we will configure next.

  1. Add a Role.
  2. Create a Name.
    • Because we need multiple User Roles, specifying this is for User Network Authentication is recommended.
  3. Click Save.
  4. Navigate to Conditions.
  5. Under Identity Provider: select the Azure Identity Lookup Provider that we just created in the previous section.
  6. Click Update.

Group Role Policy 

Lastly, we need to create Role Policies for any Groups that we want to give differentiated network access. We can then leverage Cloud RADIUS’ Dynamic Policy Engine to send unique RADIUS attributes based on the Group users belong to with our Network policies.

  1. Add a Role.
  2. Create a Name.
    • Because we need two User Roles, specifying this is for Group Network Authentication is recommended.
  3. Click Save.
  4. Navigate to Conditions.
  5. Under Identity Provider: select the Azure Identity Lookup Provider that we just created in the previous section.
  6. Under Groups select the group that we want to apply this Role to.
    • The group names that show up here, are the Local Groups that we configured previously in our Identity Lookup Provider.
  7. Click Update.

DEFAULT FALLBACK ROLE POLICY

You may notice that there is a “DEFAULT FALLBACK ROLE POLICY” in your User Role policies after you create a Identity Lookup Provider.

The purpose of this policy is: If the Identity Lookup fails, allow the user to still authenticate to the network but assign them a unique role.

This ensures that both users don’t experience disconnects if there’s a small hiccup in the connection between Azure and Cloud RADIUS, but your network can remain secure and you can have those users auto-assigned into a Guest VLAN.

Note: DEFAULT FALLBACK ROLE POLICY is by default assigned the DEFAULT NETWORK POLICY

Network Policy

The purpose of a Network Policy is to specify how Cloud RADIUS will authorize access to a particular User Role.

A typical Network Policy would say something like: “If User Role = Staff, authorize access and assign them to VLAN 2”.

You can configure any RADIUS Attribute to be sent to the wireless controller. If you leave the attribute section blank, it will just send Access Accept. To create and configure the Network Policy, follow the steps below:

  1. Click Network in the Policy Management section.
  2. Click Add Network Policy.
  3. Enter a Name.
  4. Click Save.
  5. Navigate to Conditions.
    • Select the User Role you want assigned this Network Policy.
      • For this guide, it would be the policy you created in the User Role Policy for Network Authentication section.
      • You can select multiple User Roles to assign a Network Policy to.
  6. Navigate to Settings.
    • Click Add Attribute.
      • Select the Attribute you wish to send to the wireless controller.
      • Enter in the Value appropriate for your attribute.
      • Click Update.
    • Repeat as necessary for all the attributes you want to send for your User Role.

Setting up 802.1X authentication for WPA2-Enterprise with Azure is easy when you use SecureW2. Most importantly, it keeps your network and its users secure. SecureW2 is also regarded as one of the most cost-effective solutions in its class. Click here to learn about our pricing.

Microsoft Azure is a registered trademark of Microsoft Corporation in the United States and/or other countries. Other trademarks, logos and service marks used in this site are the property of SecureW2 or other third parties.

CTA Background