Forum Discussion
WiFi WPA2 Enterprise seamless sign-on
- Mar 11, 2019
Forgot to update this.
Short answer: If the computer is only joined to Azure AD, WPA2 Enterprise seamless authentication is not possible.
As of now (March 2019) it is not possible to have seamless (users are not prompted for authentication) WPA2 Enterprise authentication when the computers (Windows 10) are not joined to an on-premise AD (only joined to Azure AD). This is because the winlogon credentials contain a cloud user, which will not be allowed to authenticate automatically on RADIUS (RADIUS is using the on-premise AD).
rajeshkhanikar But what about doing device level authentication? I presume the device will be able to enrol via NDES for a certificate and then authenticate via 802.1x at a machine level.
- Ben Nichols, Jun 11, 2019, Copper Contributor
I have made this work. CA + NDES with Intune SCEP enrolment policy to issue user certificates. Intune WiFi profile for EAP-TLS authentication and finally a FreeRadius Linux RADIUS server to do the authentication. This is seamless. You can't use NPS as the RADIUS server, as that always attempts to authenticate to AD (requiring domain join or a nasty manual certificate mapping setup). FreeRadius can be configured to just validate the client certificate only.
- rajeshkhanikar, Jun 12, 2019, Brass Contributor
Ben Nichols Yes, certificate based authentication is an option. In our case the requirement was to use only Azure AD, without any on-premise servers (no federated AD) or VMs on cloud. Using only Azure AD, cloud only users, currently it is not possible.
- Ben Nichols, Jun 12, 2019, Copper Contributor
rajeshkhanikar That sounds about right. I have achieved it with no on-prem servers, and just 3 small Azure VMs (CA, NDES and RADIUS servers) using EAP-TLS.
You might possibly be able to also achieve it using Azure Directory Services (to give you an LDAP endpoint) and one RADIUS server with EAP-TTLS with MSCHAPv2.
- RonThomasRareworld, Jul 07, 2020, Copper Contributor
Hi Ben Nichols
Can you provide more insight on how you got this to work? I am struggling with RADIUS WiFi auth + Intune.
- Ben Nichols, Jul 07, 2020, Copper Contributor
RonThomasRareworld My current favoured solution is now to use SCEPman https://scepman.com/ for certificate enrolment. This does the roles of a CA, NDES and OCSP server all in a single Azure App Service + Key Vault. It's a very very neat solution and there is a free version available. Use this to distribute certificates to devices (Android, iOS, macOS included) via Intune.
Then create one or more small Linux VMs to run freeradius. I configure this to accept only EAP authentication, and do certificate validation via calling openssl to verify the cert against the SCEPman root:
client = "/usr/bin/openssl verify -CAfile /etc/freeradius/certs/root.cer -untrusted /etc/freeradius/certs/sub01.cer %{TLS-Client-Cert-Filename}"
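An added example, not part of the original post: the same `openssl verify` call run by hand against a constructed throwaway PKI, to show which client certificates that hook accepts and which it rejects. The CA names, file names and the temporary directory are assumptions made for the example; `root.cer` and `sub01.cer` only mirror the file names in the post.

```shell
#!/bin/sh
# Constructed throwaway PKI; every name and path here is made up for the example.
W=$(mktemp -d)
cat > "$W/o.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF

# new_root NAME: self-signed CA certificate NAME.cer with key NAME.key
new_root() {
    openssl req -x509 -config "$W/o.cnf" -extensions v3_ca -newkey rsa:2048 -nodes \
        -days 2 -subj "/CN=$1" -keyout "$W/$1.key" -out "$W/$1.cer" 2>/dev/null
}

# issue NAME ISSUER [ca]: certificate NAME.cer signed by ISSUER; "ca" makes it a sub CA
issue() {
    openssl req -new -config "$W/o.cnf" -newkey rsa:2048 -nodes -subj "/CN=$1" \
        -keyout "$W/$1.key" -out "$W/$1.csr" 2>/dev/null
    ext=""
    [ "${3:-}" = ca ] && ext="-extfile $W/o.cnf -extensions v3_ca"
    # $ext is left unquoted on purpose so it splits into separate options
    openssl x509 -req -in "$W/$1.csr" -CA "$W/$2.cer" -CAkey "$W/$2.key" \
        -set_serial 1 -days 2 $ext -out "$W/$1.cer" 2>/dev/null
}

# check CERT: the openssl call from the post's "client =" line, with
# %{TLS-Client-Cert-Filename} replaced by a file path. A non-zero exit
# status from openssl is reported here as "reject".
check() {
    if openssl verify -CAfile "$W/root.cer" -untrusted "$W/sub01.cer" "$1" >/dev/null 2>&1
    then echo accept; else echo reject; fi
}

new_root root;  issue sub01 root ca;  issue laptop sub01
new_root other; issue stranger other

echo "device cert issued by sub01: $(check "$W/laptop.cer")"
echo "cert from an unrelated CA:   $(check "$W/stranger.cer")"
echo "self-signed cert:            $(check "$W/other.cer")"
```

Invoked this way, `openssl verify` checks the chain and validity dates only; it does not consult a CRL or OCSP responder, so a revoked certificate from the trusted CA still verifies until it expires.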
- phil_rees, Sep 30, 2020, Copper Contributor