Authenticating wireless access points \ RADIUS through Azure AD
I would like to see Authenticating wireless access points \ RADIUS servers through Azure AD , not having to store user accounts in local active directory
@David Harris, I'm with you David.
David Harris commented
Azure Radius as a service. Of course I can (have) spin up some VM's, install NPS, maybe add a load balancer, manage and patch the VM's, but this all seems overkill in this day and age . My current requirement for Meraki radius auth should' be as simple as talking to a service in Azure, right?
Anonymous, AzureAD updates passwords and their hashes on AADDS. I have that running.
I agree with you with not receiving early password expiration notifications.
Also looking for this functionality. We have the same set up as Antonio Soares. This solution works, however, there is a catch 22 with password changes because AADDS is not a writeable directory. Also, as Azure portal users users do not get any notifications from Azure AD that the password is going to expire it makes things even worse.
This is a must for us to move away from the traditional AD.
Rakesh Upadhyay commented
Can Azure VPN (P2S) Authenticate with user name & password stored in Azure AD or can RADIUS running as Azure IaaS VM talk to AAD for P2S Auth.
Still working today and other fellow colleagues that read this thread are also using this workaround.
So few needed to have this working MS.
Jason Wilson commented
Yes please. Your customers would literally throw money at you.
Great idea to deliver Radius as a Service via Azure AD. Our wifi authentication through 802.11X is one thing preventing us from moving away from traditional AD.
PLEASE add this feature! With Meraki devices you can auth with Google for wireless access in a company which is great for G Suite users but no such luck with Office 365 / Azure. You can use something like Jumpcloud that offers RADIUS as a service but it is a work around for old school tech.
Jimmie Martin commented
Yes please! Time to start finalising functionality in AAD - everyone loves it.
Ghisaidoobe, Rochen commented
A scenario: a hard requirement for for us is to use Azure MFA with AWS Workspaces. AWS Workspaces only supports Radius Auth as 2FA, not modern authentication (oAuth).
In the existing infrastructure is available: ADFS, AAD Connect, Azure AD Premium. Reading what Antonio has described, theoretically we can utilize Radius (MSCHAPv2) in Azure AD Domain Services if we also start synching the Kerberos hashes to the cloud.
I would love to see this confirmed by Microsoft. I will be a huge benefit for MS also to mention that not only the legacy protocols like NTLM/Kerberos are supported, but also Radius authentication. At that moment there are very less boundaries left with a journey to the cloud...
@Anthony - can I ping you offline? I have a question about your config.
Branislav Susa commented
This is a must. Please push this forward.
Microsoft, please take this into account and deliver a working solution, please!
Hi, fellow colleagues.
I have a working solution using AzureAD + AADDS + NPS VM on Azure.
Implement Azure Directory Services, peer VNETS between AADDS and Virtual machines and domain join a VM to AD.
Install NPS and use a valid public certificate to identify NPS on PEAP.
Build a VPN from Azure VM VNET to on-prem.
Register radius clients, as usual, in NPS and configure policies.
There is no way to use digital certificates for auth, as a local CA cannot be registered in AD as AD Enterprise CA.
Use LEAP + MSCHAP v2.
I'm authenticating users on wireless, SSH for privileged access and firewall auth.
I absolutely agree with almost everything that has been said in this thread. Having RADIUS and LDAP for authentication and directory services would be huge for usability and cloud only environment. There are many RADIUS aas, Directory aas, etc out there, add the functionality and bundle, make a profit. Most of us would be happy to pay more for something that is hosted and mostly managed by microsoft when all of us are already using AAD for identity.
Azure AD centralize authentification but still not take in charge RADIUS, it's a bit non sense.
Even if functionalities aren't as detailed as a classic AD, we need at least to keep a way to authenticate users on equipements.
Jan Hajek commented
Hey guys, take a look at https://radius365.edulog.in (I am one of the developers of this solution), it offers integration with Office 365, RadSec protocol, eduroam integration and is fully managed.