Support NPS/RADIUS for Azure AD Domain Services
Add support for Microsoft NPS/RADIUS in Azure AD Domain Services
@Daniel Buehlmann, @Chris Chambers:
Just a quick update, I have this working now with AADDS and an NPS server as an Azure VM.
The solution is NOT to try and register the NPS server in the directory (which is impossible with AADDS at the moment). But instead just to join the NPS server to AADDS and start using the NPS server as normal. As long as it is joined to AADDS, it will work. I tested with RADIUS authentication and it is working.
Robert Russell commented
This is possible if you're using AADDS in Azure. Make an NPS server, join it to AADDS, send your RADIUS requests to it and set the network policy to allow Domain Users from your domain. It will work. You do not need to register the server.
For anyone else out there who's doing this - I achieved an "SSO" VPN with MFA using these pieces:
Azure Active Directory Domain Services domain
NPS Server, Windows 2016
Meraki Security Appliance (which forwards requests to a RADIUS server)
Intune (Pushes the VPN profile)
MFA Extension for NPS servers (You must use push notification or phone call for MFA if you do this)
If you want to load balance this as well, I was able to, but you need to put both an external and an internal load balancer between the two NPS servers. This allows the MFA extension to make outbound connections to the web. You only allow RADIUS requests on the internal.
I'm going to be testing to see if this works with our Wi-Fi APs but I honestly don't see why it wouldn't.
Jerry Chow commented
I can confirm the following configuration works, there are some non-documented or poorly documented requirements that gave us some problems initially:
AADDS (no on-prem or in-VM AD DS)
NPS Server with NPS Extension for Azure MFA
Azure VPN Gateway (Point-to-Site)
The *MOST* important takeaway that gave us trouble is that CHAPv2 does not support PIN-based MFA, so you *MUST* use either phone call or PUSH notification (notification from mobile app).
The second issue that was not well-documented was that you MUST enable the following enterprise app services in Azure AD and add the corresponding users or groups to them:
Azure Multi-Factor Auth Client
Azure Multi-Factor Auth Connector
I found reference to these two app services on some guy's blog and it was the missing link and last piece to get Azure MFA/NPS/VPN working with AADDS.
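As an added post-setup check script (not from any post in this thread), this verifies the pieces the two posts above say are required: the NPS VM is a plain member of the AADDS domain, the policy group resolves, the two enterprise apps exist with assignments, and the MFA extension is present. It assumes it runs elevated on the NPS VM with the RSAT AD PowerShell and AzureAD modules installed and Connect-AzureAD already done.

```powershell
# Added check script; assumptions: elevated session on the NPS VM, RSAT-AD-PowerShell and the
# AzureAD module installed, Connect-AzureAD already run. No NPS "registration" in the
# domain is attempted, because the thread reports that domain membership alone is enough.
$ErrorActionPreference = 'Stop'

# 1. Domain membership and a healthy secure channel to the managed domain.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if (-not $cs.PartOfDomain) { throw 'VM is not domain-joined; join it to the AADDS domain first.' }
if (-not (Test-ComputerSecureChannel)) { throw "Secure channel to $($cs.Domain) is broken." }
Write-Host "Domain member of $($cs.Domain): OK"

# 2. NPS role installed, and the group named in the network policy resolves in AADDS.
if ((Get-WindowsFeature -Name NPAS).InstallState -ne 'Installed') { throw 'NPAS role is not installed.' }
$grp = Get-ADGroup -Identity 'Domain Users'
Write-Host "Policy group resolves: $($grp.DistinguishedName)"

# 3. The two enterprise apps named in the post above exist and have users or groups assigned.
foreach ($name in 'Azure Multi-Factor Auth Client', 'Azure Multi-Factor Auth Connector') {
    $sp = Get-AzureADServicePrincipal -Filter "displayName eq '$name'"
    if (-not $sp) { throw "Enterprise app '$name' not found; enable it in Azure AD." }
    $assigned = @(Get-AzureADServiceAppRoleAssignment -ObjectId $sp.ObjectId -All $true)
    if ($assigned.Count -eq 0) { Write-Warning "'$name' has no user/group assignments." }
    else { Write-Host "'$name': $($assigned.Count) assignment(s): OK" }
}

# 4. The NPS extension for Azure MFA is installed (its installer creates this registry key;
#    assumption: key path as documented for the extension).
if (-not (Test-Path 'HKLM:\SOFTWARE\Microsoft\AzureMfa')) {
    Write-Warning 'NPS extension for Azure MFA key not found; MFA will not be enforced.'
}
else { Write-Host 'NPS extension for Azure MFA: present' }
```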
Microsoft, is this on any roadmap? I feel as if these comments are going out into the wind!
I was about to make the jump to Azure AD, but with no NPS/RADIUS, I cannot, and I have no interest in running a dedicated AD server on prem or on a cloud VM.
Nathan Zaetta commented
+1. NPS/Radius auth for AADDS/ADDS is a must.
Certificates are not manageable at scale.
@Mark Lawton. Yes, without any on-prem AD. It was about 18 months ago that this was set up, but it's still working. I'm trying to remember if there was an issue with the NPS registration, but it still worked regardless. In any case, we have NPS running on a Windows Azure VM authenticating against AADDS using RADIUS.
As per Mark's post, I specifically asked MS if we could install NPS on a VM in Azure so it would integrate directly with AAD, and they told me it is not possible.
The concept is to have no on-prem AD domain controllers. Users and clients (Win10) all in AAD only. Then for wireless we need RADIUS authentication against AAD so a WLC can send RADIUS requests to NPS on VM in Azure (via ER or IPsec VPN connection). NPS will perform password checks & group membership lookup from AAD to be used for authentication & authorisation.
Installing NPS on a VM in Azure then pointing back to an on-prem domain which is syncing with AAD does not meet the objective.
Most of my RADIUS experience is with ISE, but I had expected/hoped MS would have an NPS solution for AAD ready on their side. Probably wishful thinking that at some stage soon we will have a vWLC appliance and a virtual ISE appliance supported in Azure, with ISE able to integrate into the AAD domain!
Mark Lawton commented
Gerry - without any on prem AD?
If so, how? When trying to register NPS to the domain it fails to register.
Microsoft told me the following:
There are restrictions in Azure AD Domain Services which won't allow the NPS extension to function correctly, and the setup won't complete. In any case, Azure AD Domain Services was not designed to be exactly the same as on-prem Active Directory, hence it lacks many controls and capabilities compared to on-prem AD.
We have this working. We currently have a VM running NPS acting as a RADIUS server authenticating users against AADDS.
Please, Ramoo, could you be more specific about what is not compatible? Why can you not have a RADIUS server installed on a VM connected to Azure AD Domain Services?
Spoke with MS chat on this today & confirmed still not possible/supported (NPS integration directly with AAD with NPS installed on VM in Azure).
This is a common enterprise requirement; RADIUS integration with AD for wireless and other service authentication. To be able to remove on-prem AD this would be very useful - is this on the MS roadmap?
A possible alternative would be EAP-TLS with no policies referencing AD, but the preference would be to have the ability/option to integrate directly with AAD too.
Really surprised that this is not supported yet!
I need this as well. Have Azure VPN for clients via Azure Gateway, need Radius for AAD auth.
Yesterday, I recreated our Azure AD Domain Services and NPS in a new subscription. NPS was previously registered and working for nearly a year in the old subscription. Creating AADDS in the new subscription required me to delete the old AADDS resource as you can only have one. After I created AADDS again in the new one I wasn't able to register the new NPS server.
Come on Microsoft, it was literally working in the old one yesterday! Get this working please!!!
Now I'll try the FreeRadius mentioned by Hamish.
Hello Microsoft? NPS with AADDS still does not work.
Hamish Anderson commented
I could not wait so I did a work-around of using freeRadius authenticating against AAD via LDAP. The details are here:
Daniel Buehlmann commented
I'm not sure about the workaround from Antonio Soares!? I don't see the step where I can connect (register) the NPS with the Azure Active Directory Domain Services to authenticate users against the AADDS (AAD users are synched automatically to AADDS).
Am I missing something? Is anybody running this configuration successfully? Or a similar configuration together with a 3rd-party RADIUS server (like ClearBox Enterprise)?
@Microsoft: Any news?
Mark Lawton commented
Am I correct in saying that a few people have managed to register NPS in AADDS which syncs with AAD? (Antonio Soares description)
If so... I'm guessing that used to work but no longer does as I get a permissions issue when attempting to register NPS to AADDS?