How to Set Up RADIUS Authentication with Azure AD

Organizations around the world are making the much needed transition from insecure pre-shared key authentication to RADIUS-based, 802.1x authentication for their wireless network. However, it can be difficult to integrate to a WPA2-Enterprise system if you want to use a cloud directory. 

 

One challenge we’ve been seeing in the field is enrolling users for 802.1x authentication without Active Directory. In response, we designed a solution that provides organizations with everything they need for 802.1x, no matter the directory they use. With SecureW2’s onboarding software, you can allow end users to seamlessly enroll themselves for 802.1x with a simple SSO that’s compatible with Azure AD.

 

SAML applications provide a secure and efficient method for confirming the identity of valid users within the Identity Provider (IDP). By utilizing the SAML protocol with SecureW2’s 802.1x solutions, network admins can guarantee that only those users who are identified within the IDP are able to access the secure network. Their devices can also be enrolled for certificates, enabling highly secure Wi-Fi, VPN, and Web-Application Authentication.

 

In this article we will explain how to set up RADIUS authentication with Azure AD.

 

Create an Identity Provider in SecureW2

 

“Creating” an IDP in SecureW2 tells our 802.1x onboarding software and Cloud RADIUS server how to connect to your Azure AD so SecureW2 can verify user credentials and issue certificates to be authenticated by the RADIUS server.

 

To create an IDP in SecureW2:

 

  1. From your SecureW2 Management Portal, go to Identity Management > Identity Providers.
  2. Click Add Identity Provider.
  3. For Name, enter a name.
  4. For Description, enter a description.
  5. Click the Type dropdown and select SAML.
  6. Click the Saml Vendor dropdown and select Your chosen vendor.
  7. Click Save.

How To Use Azure AD for RADIUS Authentication

 

Azure AD is becoming an extremely popular IDP as organizations move away from their on-premise Active Directory infrastructure and head to the cloud. However, Microsoft does not natively support RADIUS authentication with Azure AD. 

 

Below, we’ll outline how you can set up Azure AD as a SAML application to enroll users for 802.1x using SecureW2’s onboarding software. Once complete, the RADIUS server will be able to authenticate devices against Azure AD. 

 

Creating a SAML Application in Azure for 802.1x Enrollment

 

To create a SAML application in Microsoft Azure:

  • From your Microsoft Azure Portal, use the search feature to go to Enterprise applications.
  • In the main panel, click New application.

 

In the Add an application panel, under Add from the gallery, enter ‘SecureW2‘ in the search field.

If the SecureW2 JoinNow Connector application appears:

  1. Select it.
  2. In the Add your own application panel, click Add.
  3. If the SecureW2 JoinNow Connector application does not appear:
    1. Click Non-gallery application.
    2. In the Add your own application panel, for Name, enter a name.
    3. Click Add.

 

Configuring your RADIUS Server to Authenticate Against Azure AD

 

When you enroll users for certificates using Azure AD alongside SecureW2, it allows you to leverage any RADIUS server to authenticate against Azure AD. For this guide we’ll be using our Cloud RADIUS, because it comes pre-configured for EAP-TLS, certificate-based authentication.

 

To configure Cloud RADIUS:

  1. Navigate to AAA management in the management portal
    1. Locate and save your primary and secondary IP address and shared secret
  2. Navigate to your AP
    1. Create a secure SSID
    2. Input your primary IP and your shared secret
    3. Input your secondary IP and shared secret as a backup radius server

 

Enrolling BYODs for Azure AD

 

SecureW2 automates the device onboarding process for end users with our #1 rated 802.1x onboarding clients, eliminating the risk of user misconfiguration and MITM credential theft.

 

The SecureW2 solution redirects users to the Azure Single-Sign-On where they enter in credentials, and then SecureW2 enrolls their device for a certificate and configures it for 802.1x. 

 

Now, organizations no longer have to be tied up managing outdated hardware, like their on-premise Active Directory servers. Devices only need to be authenticated once and are set until the certificate expires.

 

Enrolling Managed Devices for Azure AD

 

For managed devices, many organizations with Azure use Microsoft’s MDM, Intune. SecureW2 integrates with Intune through our Gateway APIs. You can use the gateway to push policies and configuration settings onto Intune devices  so they can auto-enroll themselves for 802.1x digital certificates automatically, and IT admins don’t need to lift a finger to get managed devices configured for 802.1x. Click here for our Intune integration guide.

 

RADIUS Authentication with Azure AD and SecureW2

 

With SecureW2, you can have a secure, RADIUS-backed network set up in a matter of hours and have a support team ready to assist you with any questions. We easily work with all SAML identity providers to skip any headaches associated with the integration process. We have affordable solutions for organizations of all sizes; check out our pricing here to see if we can be of service.

Related Post