Wifi Authentication with Cloud Radius and Active Directory

The IronWifi team can help you set up your secure network within hours and answer any questions you may have. 


By utilizing Microsoft Active Directory (AD), organizations can connect their core users to their Wi-Fi network while improving security.

For secure authentication, 802.1x requires the use of RADIUS servers. The most popular RADIUS configuration for Windows networks is Microsoft NPS. With organizations moving to the cloud, NPS has lost popularity. It is important to choose the right solution add-on to enable cloud-based authentication since NPS and AD do not come with cloud functionality by default.

Digital certificates are used instead of passwords in modern 802.1x deployment solutions. Managing certificates requires a Public Key Infrastructure (PKI). This can be done easily using a managed PKI, such as IronWifi's Cloud PKI, which also offers Cloud RADIUS.



802.1x Authentication with Active Directory

Port-based network access control (PNAC) is defined by Ethernet 802.1x. Typically, RADIUS is used for authentication. During authentication, RADIUS Servers verify client credentials against Active Directory. Segment network access can also be controlled by group policies.

Certificates can also be used instead of credentials by the RADIUS server. RADIUS server must be configured with the Certificate Authority (CA) that issues client certificates. Credential-based authentication requires access to an organization's directory. Most organizations use SAML or LDAP. When the RADIUS server uses x.509 certificates instead of passwords, you don't have to connect the RADIUS server to your directory.

In addition to PEAP-MSCHAPv2, you can use RADIUS and Active Directory authentication protocols. This is a quick overview.

businessman hand show 3d cloud icon with padlock as Internet security online business concept

 

What Protocol to Use for Wi-Fi Authentication

EAP-TTLS/PAP

Security protocols like EAP-TTLS/PAP require only server authentication, while user authentication is optional. Multiple authentication options are provided by TTLS. There are numerous flaws, however. The configuration of a single misconfigured device can be very costly to the organization, especially for inexperienced users. Credentials sent over a Common Access Protocol can be seen by hackers as cleartext, thus vulnerable to Man-in-the-Middle attacks. The least secure 802.1x authentication protocol, TTLS/PAP, fails to meet the zero trust standard.

PEAP-MSCHAPV2

Credentials are used by Active Directory. PeAP-MSCHAPv2 secures WPA2-Enterprise networks, but devices are vulnerable to credentials theft without server certification. PEAP has a better level of security, but there must still be user interaction. Organizations typically use Onboarding Software for PEAP configuration because misconfiguration is common when left to end-users. End-users need little input in this process.

EAP-TLS

Since EAP-TLS eliminates the risk of credential theft over the air, it is considered one of the most secure EAP protocols. Users can be verified by their certificates, rather than having to manually enter their login credentials, with the EAP-TLS protocol. Furthermore, it provides the best user experience by eliminating password-related disconnects from password-change policies. In contrast to other protocols, EAP-TLS is easier to configure and manage than certificate-based authentication. Implementing RADIUS as a zero trust solution is as important as the authentication protocol. In this section, we will compare the most popular RADIUS integrations.


 

businessman hand working with modern technology and digital layer effect as business strategy concept

 

Using a RADIUS server to authenticate Active Directory users over WiFi

MICROSOFT NPS

Institutions use NPS for 802.1x using Active Directory. In most cases, it is done using secure methods like PEAP-MSCHAPv2 or EAP-TLS because these methods use server certificates. Man-in-the-middle attacks can force users to send authentication information to the wrong RADIUS server. Client certificate validation will check the RADIUS server certificate on the device if authentication is enabled. It is possible for an outside actor to gain unauthorized access if password-only authentication is used without verifying the server certificate.

FREERADIUS AND OPENLDAP

FreeRADIUS gives administrators full control since RADIUS can be configured to perform any task they select. LDAP and OpenLDAP are similar in this regard as both are open-source implementations. FreeRADIUS and OpenLDAP must be implemented by the admins themselves. This change is relatively straightforward for an experienced member of the IT team, but do they have the time? Most IT administrators know how to configure open-source software, but are so busy supporting customers that they are unable to configure their environments. Additionally, getting end users onto new features is tough. RADIUS cloud solutions monitored by professionals 24/7 are the best practice.

CLOUD-BASED RADIUS

Customers are replacing their own RADIUS servers with a cloud-based RADIUS server. RADIUS solutions based in the cloud are simpler, cheaper, and more secure than on-premises RADIUS solutions. Cloud RADIUS servers are less than a third of the cost of an equivalent on-premises server, saving any organization thousands of dollars. There is no hardware to install. Managed servers relieve the IT department of time-consuming tasks. When there are no man-hours or training required for maintenance, the server is less likely to go down.

Cloud RADIUS can be implemented into virtually any environment because it works with all major SAML and LDAP identity providers, like Google, Okta, and Azure. Credentials cannot be sent over the internet because the application uses certificate-based authentication.

Cloud RADIUS integrates Azure and Intune to support certificate-based authentication for ultra-secure Wi-Fi and VPNs.

As part of IronWifi's Managed Cloud PKI, digital certificate authentication is used. As a result, security and user experience are enhanced. The use of our PKI allows administrators to deploy WPA2-Enterprise with 802.1x authentication, the gold standard in wireless security. Configuration takes just an hour!



A guide to configuring MFA for Wi-Fi authentication

Business woman using tablet with financial, cloud connectivity concept

HOW DO I SET UP MFA WITH ACTIVE DIRECTORY?

Especially with Windows machines, it isn't easy to seamlessly integrate multi-factor authentication into IT resources with Active Directory. You must have an Active Directory instance as your IdP to enable MFA. You will need an additional application to add those capabilities to AD and your individual infrastructure. Authentication works on Windows systems by enabling multifactor authentication. Since Windows is essentially the gateway into a domain, forcing MFA would add an extra step. You need an AD add-on to do this since AD does not offer it natively.


DOES AZURE AD SUPPORT MFA?

Currently, Azure's MFA is only available for certain web apps, so it cannot be used for managing all Windows machines, on-premises apps, or file servers. 

CONFIGURING CERTIFICATES WITH MFA

We get questions about MFA for Wi-Fi frequently since 802.1x doesn't support it. MFA cannot be implemented with RADIUS servers. Should MFA become an option in the future, it will be hard to justify its use for that purpose. It would take a lot of time for users, and the costs would be high. Whenever a user connects to the network, they would have to enter multiple levels of authentication, which could lead to them browsing on insecure networks.

Wi-Fi authentication is highly recommended with certificates. With RADIUS authentication, you can configure your devices in minutes, and users can connect to your network without ever entering credentials. Certificate enrollment could include multi-factor authentication.



BOOK A DEMO



Authentication for Wi-Fi using Windows certificates

Conceptual digital image of lock on circuit background

SHOULD I USE ACTIVE DIRECTORY CERTIFICATE SERVICES?

By using AD CS and an on-premise PKI to fully integrate their AD, they add more work to their IT department and use sub-par authentication protocols. For more work and expense, on-prem PKI offers less security and capabilities.

As well as being expensive, on-premise PKIs require so many components, each with a different price tag. Hardware and software implementation, maintenance fees, license fees, data backup, and disaster recovery cost companies a lot of money. Enterprises are not always aware of these hidden expenses.

Implementing on-premise PKIs would take months, even without staffing. In order to deploy an on-premise PKI, a company needs cryptography and server experts. There is an increased risk of employee burnout and training requirements. It is costly to recruit. On-premise PKIs do not make sense.

PKI SERVICES BASED IN THE CLOUD

Microsoft environments benefit from managed PKIs since they don't require lengthy implementation and are far less costly than on-premise solutions. Cloud computing frees IT departments of a significant amount of work and saves enterprises hundreds of thousands of dollars. In addition, managed PKIs reduce labor costs because enterprises only need to hire one part-time employee to manage PKIs, instead of an expensive team of experts.



Azure Cloud migration from Active Directory

In spite of AD's dominance in online directories, cloud-based solutions have made AD's on-premise infrastructure a hindrance for organizations considering cloud migration. Cloud RADIUS authenticates and authorizes each user using their certificates as part of IronWifi's cloud service.

When users authenticate for network access, admins can enforce network policies in real-time. A user's status, the groups they belong to, and the departments they work in are checked by RADIUS Cloud's easy-to-manage management system. Without any of the risks associated with LDAP authentication.

Your secure network can be set up within hours, and any questions you may have can be answered by IronWifi. 

 

SCHEDULE A CALL


logo-ironwifi-474

 

Similar posts

Subscribe