Authenticating wireless access points \ RADIUS through Azure AD
I would like to see authentication of wireless access points / RADIUS servers through Azure AD, without having to store user accounts in a local Active Directory.
Jimmie Martin commented
Yes please! Time to start finalising functionality in AAD - everyone loves it.
Ghisaidoobe, Rochen commented
A scenario: a hard requirement for us is to use Azure MFA with AWS Workspaces. AWS Workspaces only supports RADIUS auth as 2FA, not modern authentication (OAuth).
Available in the existing infrastructure: ADFS, AAD Connect, Azure AD Premium. Reading what Antonio has described, theoretically we can utilize RADIUS (MSCHAPv2) in Azure AD Domain Services if we also start syncing the Kerberos hashes to the cloud.
I would love to see this confirmed by Microsoft. It will be a huge benefit for MS also to mention that not only the legacy protocols like NTLM/Kerberos are supported, but also RADIUS authentication. At that moment there are very few boundaries left on a journey to the cloud...
@Anthony - can I ping you offline? I have a question about your config.
Branislav Susa commented
This is a must. Please push this forward.
Microsoft, please take this into account and deliver a working solution, please!
Hi, fellow colleagues.
I have a working solution using AzureAD + AADDS + NPS VM on Azure.
Implement Azure AD Domain Services, peer the VNETs between AADDS and the virtual machines, and domain-join a VM to AD.
Install NPS and use a valid public certificate to identify NPS on PEAP.
Build a VPN from Azure VM VNET to on-prem.
Register radius clients, as usual, in NPS and configure policies.
There is no way to use digital certificates for auth, as a local CA cannot be registered in AD as an AD Enterprise CA.
Use LEAP + MSCHAP v2.
I'm authenticating users on wireless, SSH for privileged access and firewall auth.
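The post above lists the build steps in prose. The following PowerShell is an added example, not the poster's own scripts, of what those steps look like on the NPS VM once it is domain-joined to the AADDS domain: install the NPS role, register it in the directory, check that a public certificate suitable for PEAP is present, and register the three kinds of RADIUS client the post mentions. All client names, addresses and shared secrets are placeholders; the network policy itself (PEAP outer, MSCHAPv2 inner) is assumed to be created in the NPS console afterwards.

```powershell
#Requires -RunAsAdministrator
# Added example for the AADDS + NPS setup described in the thread (not from the original post).
# Assumptions: this Windows Server VM is already joined to the AADDS-managed domain,
# the PEAP server certificate (public CA) is already imported into LocalMachine\My,
# and the RADIUS client addresses/secrets below are placeholders to be replaced.

# 1. Install the Network Policy Server role and its management tools.
Install-WindowsFeature -Name NPAS -IncludeManagementTools

# 2. Register NPS in the domain so it can read user dial-in properties
#    (this adds the computer to the 'RAS and IAS Servers' group).
#    Assumption: in AADDS this is run as a member of 'AAD DC Administrators'.
netsh ras add registeredserver

# 3. Confirm there is a certificate usable for PEAP: private key present and the
#    Server Authentication EKU. Pick the one that expires last.
$peapCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object {
        $_.HasPrivateKey -and
        $_.EnhancedKeyUsageList.FriendlyName -contains 'Server Authentication'
    } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $peapCert) {
    throw 'No PEAP-capable server certificate found in Cert:\LocalMachine\My'
}
"PEAP certificate: $($peapCert.Subject) thumbprint $($peapCert.Thumbprint) expires $($peapCert.NotAfter)"

# 4. Register the RADIUS clients (wireless controller, SSH jump host, firewall).
#    Placeholder values: use a distinct, randomly generated secret per client.
$radiusClients = @(
    @{ Name = 'wlc-01';      Address = '10.0.10.5';  Secret = 'REPLACE-ME-wlc' }
    @{ Name = 'ssh-jump-01'; Address = '10.0.20.8';  Secret = 'REPLACE-ME-ssh' }
    @{ Name = 'fw-edge-01';  Address = '192.0.2.1';  Secret = 'REPLACE-ME-fw'  }
)
foreach ($c in $radiusClients) {
    if (Get-NpsRadiusClient -Name $c.Name -ErrorAction SilentlyContinue) {
        Set-NpsRadiusClient -Name $c.Name -Address $c.Address -SharedSecret $c.Secret
    } else {
        New-NpsRadiusClient -Name $c.Name -Address $c.Address -SharedSecret $c.Secret
    }
}

# 5. Export the configuration for backup/review. The export contains the shared
#    secrets in clear text, so keep the file off shared storage.
Export-NpsConfiguration -Path "$env:ProgramData\nps-config.xml"

# 6. Verify: the NPS service (service name IAS) is running and the clients exist.
Get-Service -Name IAS | Select-Object Name, Status
Get-NpsRadiusClient | Format-Table Name, Address, Enabled
```

The network policy that ties this together (PEAP with the certificate found in step 3, MSCHAPv2 as the inner method, and a condition on the AADDS group that is allowed to authenticate) is left to the NPS console here; the RADIUS clients registered in step 4 are the only thing NPS will accept requests from, so keep that list and its secrets as tightly controlled as the VPN between the Azure VNET and on-prem.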
I absolutely agree with almost everything that has been said in this thread. Having RADIUS and LDAP for authentication and directory services would be huge for usability and cloud-only environments. There are many RADIUS-as-a-service, directory-as-a-service, etc. offerings out there; add the functionality, bundle it, make a profit. Most of us would be happy to pay more for something that is hosted and mostly managed by Microsoft when all of us are already using AAD for identity.
Azure AD centralizes authentication but still does not support RADIUS; it's a bit nonsensical.
Even if the functionality isn't as detailed as in a classic AD, we need at least to keep a way to authenticate users on equipment.
Jan Hajek commented
Hey guys, take a look at https://radius365.edulog.in (I am one of the developers of this solution), it offers integration with Office 365, RadSec protocol, eduroam integration and is fully managed.
Mihails Rubinovs commented
Microsoft is truly ignoring scenarios where you have only Azure AD as part of your Office 365 subscription. Why would you even call it AD? No LDAP, no policies, no OUs... I need AADDS to get all the features.
Yup. I fully support this suggestion.
"Yes I can". This involves some screenshots. What could be the best way to share. It would be great to have feedback and improvements.
I got a breakthrough and I'm now using NPS
John Paget Bourke commented
Antonio, any chance you could share the solution ?
I agree with everyone and just got this up and running using MFA. Not the best solution, but I managed to put MFA as a proxy to AADDS.
Now Microsoft has to tweak NPS and make it standalone.
Peter Selch Dahl commented
Microsoft Denmark already has a solution online that uses Azure AD for guest authentication. This solution is provided by Microsoft IT, so it should be available globally. You can see some screenshots of the solution here: http://imgur.com/a/B17Ej
It would be great, if they would share this solution with the world :)
/Peter Dahl - Azure MVP
Is there any solution to do so? Looking forward to realizing it :)
Elwin Boes commented
Yes, definitely would like / need this. Now I still need to have a local AD with MFA and AD Connect only for wifi access points and VPN.
A simple Auth Proxy for legacy protocols would be tremendous.
Not only for APs but also firewall L8 identification, switch admin access, etc. Mainly for devices that rely on local auth to operate.
Please develop a reverse proxy / MFA on-prem agent-like piece of software that can act as NPS against Azure AD.
James Schwarzmeier commented
I'm not sure how this would interact when users have MFA enforced on their Azure AD accounts, but we would want to see that included as part of this support.