Microsoft Entra is Microsoft’s identity and access management (IAM) platform. It acts as an authentication and authorization backend for applications, services, and resources. Entra serves as the central system to authenticate users and manage access across cloud and on-premises environments. It ensures that only authorized identities can access applications, APIs, and services, while supporting modern security practices like conditional access and multi-factor authentication (MFA).
Many companies are actively migrating from their existing on-site Active Directory backend onto Azure. This transition means that also their Wi-Fi and enterprise network authentication needs to support Entra ID authentication.
For some companies it comes as a surprise that Entra is not LDAP-based. This is likely due to the previous naming “Azure Active Directory”, as the on-premises version of Active Directory is an LDAP backend. Entra, however, is not LDAP-based and the integration options differ from on-site Active Directory deployments.
Entra and RADIUS authentication
There are numerous articles online about RADIUS authentication with Entra users, but they all mention Microsoft NPS as a mandatory intermediary piece, or as the entire RADIUS server solution – this is not the case.
Radiator Policy Server, our latest enterprise product, supports Entra ID authentication and authorisation out of the box, utilizing Microsoft Graph API for the authentication flow. This allows users to authenticate to Wi-Fi utilising their Entra credentials.
With Radiator Policy Server, you can also directly connect the Wi-Fi authentication to Microsoft Authenticator’s 2FA pop-up, something that other solutions require Microsoft NPS plugins for.
Authorisation based on Entra groups
Some companies may prefer not to utilise the Entra credentials for Wi-Fi authentication, but would still want to use the Entra groups for authorisation decisions such as VLAN allocation. With Radiator Policy Server, it is possible to use certificate-based authentication (EAP-TLS) for authentication and do a group check from Entra for the authorisation decision.
This method allows companies to utilise pre-provisioned Wi-Fi profiles for the deployment and removes the need for credentials, while also allowing the usage of existing Entra groups. While this illustration does not show the 2FA pop-up, it is also possible to add it into this system if preferred.
Want to know more?
In case you are planning a migration from on-site Active Directory or if you are looking for an Entra ID authentication solution capable of 2FA, Radiator is the product for you.
For any questions regarding Entra deployments or any other AAA server related matters, please do not hesitate to contact sales@radiatorsoftware.com for more information.