IT teams utilizing Azure® Active Directory® (Azure AD or AAD) may be wondering about its native capabilities beyond single sign-on (SSO) to select web applications and Azure infrastructure.
Though AAD can be useful in a number of cases, does it authenticate users to their networks via RADIUS? Read on to find out.
Does Azure AD Natively Offer RADIUS?
The short answer to whether AAD offers RADIUS is no, it doesn’t natively support this particular network authentication protocol. However, RADIUS is what secures access to the network itself, and since cybersecurity is essential to long-term organizational success, RADIUS is generally viewed as a required part of IT infrastructure.
Though AAD does a great deal to bridge AD credentials to web applications, it requires additional solutions to accomplish tasks like network authentication. Below, we’ve given a few options for admins considering RADIUS authentication for Azure AD.
Keep in mind, Microsoft doesn’t currently offer hosted NPS in Azure. IT admins looking to use AD credentials for RADIUS authentication will have to look beyond an NPS option and consider something like a hosted FreeRADIUS instance, or manually run their own instance of NPS in Azure. They’ll have to integrate the pieces themselves, but it is an option.
Azure AD + Active Directory
Azure AD was designed to complement Active Directory, so it omits key features that AD already provides, such as group policy objects (GPOs), system management, and LDAP support.
IT teams have the choice of implementing an on-prem NPS server that acts as the waypoint for RADIUS authentication, serving WiFi and VPNs that terminate on-prem. This approach may be appropriate for IT teams looking to keep the majority of their IT resources within the world of Microsoft and on-prem. However, it may not be ideal for most cloud-focused organizations looking to move beyond on-prem infrastructure.
Admins considering an AD + Azure AD hybrid environment must have the budget to make it happen. IT departments would be responsible for maintaining the on-prem NPS server and AD hardware, as well as paying for the AAD and AD licensing.
The on-prem NPS server also works best with on-prem resources, so it struggles to offer network authentication for VPNs terminating in Azure, or for network equipment housed in an off-prem data center. Authenticating to these assets would require an additional VPN to connect those resources back to the on-prem NPS server.
Azure AD + FreeRADIUS
Admins interested in keeping their identity management tools cloud-based while still utilizing Azure AD’s SSO capabilities can implement and configure their own virtual FreeRADIUS server.
To do so, IT admins need to enable secure LDAP for a managed domain in Azure Active Directory Domain Services (AAD DS). It’s important to note that the LDAP traffic isn’t encrypted by default, so IT teams must manually secure these ports to avoid cybersecurity threats like brute force attacks.
Once secure LDAP is enabled in AAD DS, admins must then create a VM to host FreeRADIUS in the same virtual network as Azure AD Domain Services. They then need to configure FreeRADIUS’s LDAP module to use that secure LDAP endpoint, so Azure AD DS becomes the ultimate source of authentication.
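One way to wire the FreeRADIUS LDAP module to the AAD DS secure LDAP endpoint described above, as an added example that is not part of the original post nor taken from Microsoft or FreeRADIUS documentation; the domain aadds-example.com, the service account, and the CA file path are placeholders.

```conf
# /etc/freeradius/3.0/mods-available/ldap  (placeholder values; adjust to your tenant)
ldap {
	# Secure LDAP endpoint that AAD DS exposes for the managed domain (TCP 636, TLS).
	# Use the hostname that matches the certificate uploaded when enabling secure LDAP.
	server = 'ldaps://ldaps.aadds-example.com'
	port = 636

	# Dedicated, least-privilege service account used only to bind and search.
	identity = 'svc-freeradius@aadds-example.com'
	password = 'REPLACE-WITH-SERVICE-ACCOUNT-PASSWORD'

	base_dn = 'DC=aadds-example,DC=com'

	user {
		base_dn = "${..base_dn}"
		# Look the supplicant up by sAMAccountName, stripping any realm suffix first.
		filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
	}

	tls {
		# CA that issued the secure LDAP certificate. 'demand' rejects any endpoint
		# whose certificate does not validate, so a spoofed or downgraded
		# connection fails instead of silently accepting a bind.
		ca_file = /etc/freeradius/3.0/certs/aadds-ldaps-ca.pem
		require_cert = 'demand'
		# AAD DS publishes LDAPS only; there is no plain ldap:// + StartTLS path.
		start_tls = no
	}
}

# /etc/freeradius/3.0/sites-enabled/default  (only the LDAP-related lines shown)
authorize {
	ldap
	# The user exists in AAD DS and the request carries a cleartext password
	# (PAP or EAP-TTLS/PAP), so authenticate with an LDAP bind as that user.
	# AD does not expose password hashes over LDAP, so PEAP-MSCHAPv2 cannot
	# be satisfied this way; it needs a different backend (e.g. ntlm_auth).
	if ((ok || updated) && User-Password && !control:Auth-Type) {
		update {
			control:Auth-Type := ldap
		}
	}
}

authenticate {
	Auth-Type LDAP {
		ldap
	}
}
```

Run `radiusd -X` after the change and test with `radtest` before pointing any WiFi controller or VPN at the server; a failed certificate validation shows up in the debug output as a TLS error on the bind rather than as a generic Access-Reject.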
For some, this approach can be an ideal solution to cloud-based network authentication for Azure AD, though it is time-consuming and requires almost entirely manual implementation. In addition, this setup can leave room for devastating cyberattacks if not configured properly, potentially leading to irreparable damage to your organization.
And even then, a FreeRADIUS server addresses only one piece of the authentication puzzle; it does nothing to manage systems, users, groups, and policies across applications and networks.
Azure AD + JumpCloud
The final option would be ideal for organizations looking for a solution to manage their disparate IT infrastructure entirely from the cloud. JumpCloud® Directory-as-a-Service® (DaaS) syncs with Azure AD credentials via its Office365 Integration, offering admins built-in cloud RADIUS to authenticate users to their networks from the cloud with little to no manual configuration.
In addition to network authentication, DaaS functions effectively as a directory service, providing admins with tools for event logging, cross-platform system management, multi-factor authentication, and Policies for effective IT infrastructure management.
Interested in moving your IT infrastructure entirely to the cloud? Feel free to reach out for a personalized demo to see our cloud-based network authentication in action.