How to Set Up RADIUS With Azure VPN Gateway

Deploying a RADIUS server can improve your network by providing strong security measures. When configured correctly, a RADIUS server can allow you to authenticate any verified user and equip you with a strong defense against potential threats. Using a RADIUS server with a VPN can allow you to dynamically grant VPN access to users in your directory and keep those without permission out. Cloud RADIUS makes connecting to a VPN server quick and efficient by integrating with your Identity Provider (IDP)/ Directory and easily authenticating your users for a secure connection. 

This guide will tell you how to easily set up Cloud RADIUS with Azure VPN Gateway to authenticate users for certificate-based VPN access.

We will accomplish this by using SecureW2 (Cloud RADIUS’ parent company) onboarding software that syncs with your IDP so users can verify their identities to self-configure themselves for a secure connection in seconds.

This guide will cover everything you need to know to set up Cloud RADIUS with Azure VPN Gateway.

Configure SAML Azure Application with SecureW2

1. From your Microsoft Azure Portal, use the search feature to go to Enterprise applications.
2. In the main pane, click New application.
3. In the Add an application pane, under Add from the gallery, enter ‘SecureW2‘ in the search field.
   • If the SecureW2 JoinNow Connector application appears:
     1. Select it.
     2. In the Add your own application pane, click Add.
   • If the SecureW2 JoinNow Connector application does not appear:
     1. Click Non-gallery application.
     2. In the Add your own application pane, for Name, enter a name.
     3. Click Add.

Create an Identity Provider in SecureW2

1. From your SecureW2 Management Portal, go to Identity Management > Identity Providers.
2. Click Add Identity Provider.
3. For Name, enter a name.
4. For Description, enter a description.
5. Click the Type dropdown and select SAML.
6. Click the Saml Vendor dropdown and select Azure.
7. Click Save.

Configure Single Sign-On in Azure

1. From your Microsoft Azure Portal, click Configure single sign-on (required).
2. Click the Single Sign-on Mode dropdown and select SAML-based Sign-on.
3. In a new browser tab/window, log into your SecureW2 Management Portal and go to Identity Management > Identity Providers.
4. Click Edit for the IDP you created in the previous section.
5. Select the Configuration tab.
6. Copy and paste as follows:
   • From SecureW2, copy the information for EntityId and ACS URL, and
   • Paste respectively into Azure for Identifier and Reply URL.
7. In the SAML Signing Certificate section, in the DOWNLOAD column, click Metadata XML. Save the metadata file (.xml) to your computer.
8. Click Save.

Configure the IDP with Azure Metadata

1. From your SecureW2 Management Portal, go to Identity Management > Identity Providers.
2. Click Edit for the IDP you created in the section “Create an Identity Provider in SecureW2”.
3. Select the Configuration tab.
4. Under Identity Provider (IDP) Info, for Metadata, click Choose File.
5. In the window that appears, select the metadata file (.xml) you saved to your computer in the previous section.
6. Click Upload.
7. Click Update.

Integrate Active Directory with Azure SAML Application

1. From your Microsoft Azure Portal, go to the JoinNow Connector Application, or the SAML application you created in the section “Create a SAML Application in Azure”.
2. Go to Manage > Users and groups.
3. Click Add User.
4. In the Users and groups pane, use the Select field to search for the user by name or email.
5. Select the user, and then click Select.
6. In the Add Assignment pane, click Assign.

Grant SAML Application Access to Active Directory

1. From your Microsoft Azure Portal, use the search feature to go to App registrations.
2. Next to the search field, click the dropdown and select All apps. This displays a list of all available applications.
3. Click your application.
4. In the pane that appears for your application, click Settings.
5. In the Settings pane, click Required permissions.
6. In the Required permissions pane, click Add.
7. In the Add API access pane, click 1 Select an API.
8. In the Select an API pane, select Windows Azure Active Directory.
9. Click Select.
10. In the Add API access pane, click 2 Select permissions.
11. In the Enable Access pane, select:
    • Read directory data
    • Read all groups
    • Read all users’ full profiles
12. Click Select.
13. In the Add API access pane, click Done.
14. In the pane for your application, click Settings.
15. Click Manifest > Edit.
16. In the Edit manifest pane, in the source code:
    • For the ‘groupMembershipClaims‘ variable, change the value to ‘All‘.
17. Click Save.

Create a VPN Gateway

Once you have everything configured, you can move forward to setting up the Azure VPN with your Cloud RADIUS server by following the proceeding steps:

1. Configure and create the VPN gateway for your VNet.
   • The -GatewayType must be ’Vpn’ and the -VpnType must be ’RouteBased’.
   • A VPN gateway can take up to 45 minutes to complete, depending on the gateway SKU you select.

Retrieve your Cloud RADIUS IP, Port, and Shared Secret

Retrieving your RADIUS information from SecureW2 is simple. Follow these steps to move forward with setting up your VPN:

1. Log on to your SecureW2 management portal.
2. On the left navigation bar find AAA Management.
   • Click AAA Configuration.

Now you should have access to your RADIUS’ Primary and Secondary IP, Port number, and shared secret.

Add the Cloud RADIUS Server and Client Address Pool

• The RadiusSecret should match what is shown on Cloud RADIUS 
• The VpnClientAddressPool is the range from which the connecting VPN clients receive an IP address. Use a private IP address range that does not overlap with the on-premise location that you will connect from, or with the VNet that you want to connect to. Ensure that you have a large enough address pool configured.

1. You are prompted to enter the RADIUS secret. The characters that you enter will not be displayed and instead will be replaced by the “*” character.
2. Add the VPN client address pool and the RADIUS server information.

Download the VPN Client Configuration Package and Set Up the VPN Client

The VPN client configuration lets devices connect to a VNet over a P2S connection. To generate a VPN client configuration package and set up the VPN client, see Create a VPN Client Configuration for RADIUS authentication.

Connect to Azure

1. To connect to your VNet,  navigate to VPN connections on the client computer and locate the VPN connection that you created. It is named the same name as your virtual network. Enter your domain credentials and click ’Connect’. A pop-up message requesting elevated rights appears. Accept it and enter the credentials.

Dynamic RADIUS with Azure

During a typical RADIUS authentication event, the RADIUS communicates with the CRL to make sure that users that are not approved to access the network are denied entry. However, due to human error, if the IT staff forget to revoke a certificate there can be a slight window of opportunity for that unapproved and revoked user to have access to your network.

 Cloud RADIUS with SecureW2 fixes that issue by allowing the RADIUS to communicate securely with cloud-based Identity Providers, in addition to checking the  Certificate Revocation List (CRL), to make sure that only approved users are allowed access to your network.

In addition to the security benefits, it enables policy enforcement at the moment of authentication. So if a user gets a promotion, and requires a different level of network security, they will automatically have it applied by the RADIUS server the instant they are updated in the directory. Curious about our Dynamic Cloud RADIUS? Contact us here to learn more.

Cloud RADIUS with Azure

Cloud RADIUS conveniently comes with SecureW2’s onboarding software that allows for a simple way to establish a secure connection and authentication for your network through a VPN. Setting up a VPN is a task in and of itself; Cloud RADIUS makes the process of authenticating approved users for a VPN connection simple and saves your IT admin time and headaches from having to manually set up your RADIUS server. You can find out about our pricing here and start getting your devices enrolled and protected in just a few hours.