Use Microsoft Entra ID
These instructions walk you through how to configure the Microsoft Entra ID integration allowing you to authenticate user accounts based on the information stored and managed there.
Local user accounts take precedence over Microsoft Entra ID accounts, meaning if you have an account in both for bob@example.com, the Microsoft Entra ID entry will be ignored.
Note: Due to limitations of Azure, changes may take up to 24 hours to settle in and take effect.
Preflight (Checklist)
- An installation of RADNAC
  - Follow the Quickstart: Getting started with RADNAC if you do not
- Recommended to have a Microsoft Entra ID P1 (or higher) license
  - Also included with some Microsoft 365 subscriptions
  - The license-free alternative requires trusting the service's public IP addresses
    - Microsoft explicitly lists that to use ‘Trusted IP’ you require a Microsoft Entra ID P1 (or higher) license; whilst it works for now without one, it could stop working at any time.
    - A limitation of this approach is that it requires you to assign IPv4 public addresses to the RADNAC service.
- Command line tools, either Azure CLI or Azure PowerShell
  - For those unfamiliar with the command line, you can use Azure Cloud Shell, which provides all the tooling required from within your browser without the need to install anything on your workstation.
- Your user account has access to create an Enterprise Application as well as to assign Microsoft Graph API roles to it.
  - Usually this means the role of ‘Global Administrator’, though your IT team may be able to determine a more restrictive combination of roles.
  - This level of access is only required to configure the integration, after which it can be revoked.
Command Line Tools
Log in with your tool by running the following:
- Azure CLI
az login
- Azure PowerShell
if ((Get-ExecutionPolicy) -ne 'Unrestricted') { `
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser `
}
if (!(Get-Module -ListAvailable -Name Az)) { `
Install-Module Az `
-Repository PSGallery `
-Scope CurrentUser `
-Force `
}
Connect-AzAccount -UseDeviceAuthentication
Note: You should be able to use your clipboard to copy and paste this command into it.
Azure Cloud Shell
To get started with Azure Cloud Shell:
- Click on the command prompt icon (a square box surrounding a ‘>_’) in the top right
- Select either ‘Bash’ (recommended) or ‘PowerShell’
- Select ‘No storage account required’ and choose the subscription you are working in
- Leave the option to ‘Use an existing private virtual network’ unchecked
- Click on the Apply button
Note: You must run the login commands above even though it may seem unnecessary. This is because your Cloud Shell session does not initially start with access to Microsoft Graph, which is needed to create an integration between RADNAC and Microsoft Entra ID.
Steps
Start by going to the managed application page, browse through the menu on the left, then check ‘Configuration’ and click on the Edit button at the top.
Setup
Use the parameter values provided by RADNAC listed here, then run the command provided below, substituting the all-capitals placeholders with the parameter values:
- SUBSCRIPTION_ID
- LOCATION
- MANAGED_APPLICATION_RID
- Azure CLI
az deployment sub create \
--subscription SUBSCRIPTION_ID \
--location LOCATION \
--template-uri https://www.radnac.com/azuredeploy/msentraid-enrolment.json \
--parameters managedApplicationResourceId=MANAGED_APPLICATION_RID \
--query properties.outputs
- Azure PowerShell
Set-AzContext `
-Subscription SUBSCRIPTION_ID
New-AzSubscriptionDeployment `
-Location LOCATION `
-TemplateUri https://www.radnac.com/azuredeploy/msentraid-enrolment.json `
-managedApplicationResourceId MANAGED_APPLICATION_RID
This process has now created a Registered Application named after your managed application, which you will need in later steps.
Application Exception for MFA
We now set up Microsoft Entra ID to skip multifactor authentication for requests from the RADNAC application in one of two ways:
- If using a Microsoft Entra ID P1 or higher license, follow the ‘Conditional Access’ section (recommended)
- Otherwise follow the ‘Trusted IP’ section
Note: For Microsoft Entra ID tenants that use MFA, only a web-based flow is supported, which is incompatible with how your RADIUS service (including your wireless service) needs to function: using a web browser requires a working network connection, but until you complete the authentication you have no network access. This is why MFA is disabled for RADNAC when it authenticates users; you may later enable push-notification-based MFA.
Conditional Access
This process describes moving from security defaults to Conditional Access.
Complete the following steps, though if you are already using and familiar with Conditional Access policies you may want to derive your own bespoke instructions for your environment based upon the steps below:
- Go to the Microsoft Entra admin center
- From the left sidebar, navigate through
- At the bottom of the page, under ‘Security defaults’, jump to the step below that matches the status of this setting and continue through all of the remaining steps of the list:
  - Your organization is not protected by security defaults
    - Click on ‘Manage security defaults’ and enable it; before doing this you should review the impact of forcing all your users to register for multifactor authentication
  - Your organization is protected by security defaults
    - To enable Conditional Access, click on ‘Manage security defaults’ and disable it; you must supply the reason ‘My organization is planning to use Conditional Access’ and then check the box to convert the default security policy into a set of Conditional Access policies.
  - Your organization is currently using Conditional Access policies which prevents you from enabling security defaults
    - This is the state you want your Entra ID tenant to be in.
- From the left sidebar, navigate through .
- If you do not already have a bespoke policy (i.e. one without the ‘MICROSOFT-MANAGED’ label), you will need to duplicate (via the three dots to the right of it) at least the ‘Multifactor authentication for all users’ policy and, if administrator accounts will be authenticated by the service, also the ‘Require multifactor authentication for admins’ policy.
- Edit the policy and amend ‘Target resources’ by going to ‘Exclude’, picking ‘Select resources’, clicking on ‘Select’ and adding ‘RADNAC’ to the exclusion list.
- Enable the policy (at the bottom of the page) by selecting ‘On’, apply it to your own account as well, and select ‘Create’.
- If you duplicated any ‘MICROSOFT-MANAGED’ policies, you will need to disable them by clicking on the three dots to the right, then ‘Edit’, and marking the policy as ‘Off’.
Trusted IP
Complete the following steps:
- Go to the Microsoft Entra admin center.
- From the left sidebar, navigate through .
- Click on the ‘Service settings’ tab
- Under ‘Trusted IPs’, copy the contents of the ‘Service CIDRs’ textbox in the RADNAC UI into the multiline text box labeled ‘Skip multifactor authentication for requests from following range of IP address subnets’
- Click on the Save button at the bottom of the page
Application
You may now click the Next button at the bottom of this page to continue from the ‘Setup’ to the ‘Application’ step.
From here you are provided with a drop-down box to select the application created by running the command line tooling above.
Find the application called ‘radnac’ (with the subtitle ‘RADNAC’ all in capitals) and select it from the drop-down.
Click the Next button at the bottom of this page to continue.
Policy
Here you configure the policy of which Microsoft Entra ID user accounts are able to authenticate, for:
- Network Access
  - Used to provide networking and Internet access to workstations and phones connecting using, for example, a wireless network.
- Device Access
  - May be used if you want to use the service to secure access to your networking equipment such as switches and other management interfaces.
    This is not the same as workstations and phones connecting to a wireless network; if in doubt, leave this ‘Not used’ and enable ‘Network Access’ instead.
There are three settings for each:
- Not used
  - Microsoft Entra ID will not be used to authenticate users.
- Only (opens a drop-down to select a Microsoft Entra ID group)
  - Only users that are members of the selected group will be authenticated using Microsoft Entra ID.
    You may use a dynamic group.
- Except (opens a drop-down to select a Microsoft Entra ID group)
  - Members of the selected group will be excluded from authenticating with Microsoft Entra ID.
    Use an empty group to set all accounts to be in scope for authentication with Microsoft Entra ID.
Initially it is recommended you start off by setting:
- Network Access: ‘Except’ pointing to a group with no members
  - Alternatively use ‘Only’, starting with a group with no members, and onboard each user into the group during your testing or migration process
- Device Access: ‘Not used’
Click the Next button at the bottom of this page to continue.
Realms
When you navigate to the section of the managed application, you should see your Microsoft Entra ID domains listed.
You need to configure the relevant realms for EAP-TTLS/PAP authentication before users will be able to authenticate.
Once configured, users log in using the username ‘<username>@<domain>’; usually this matches their email address.
As an example, ‘bob’ in a domain ‘example.com’ would log in with the username bob@example.com.
‘bob’ (‘NULL’ realm) and ‘bob@example.com’ (‘example.com’ realm) are treated as different accounts.
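To make the Policy and Realms rules above concrete, here is an added example (not RADNAC's code) that models them in Python: realm splitting at the last ‘@’, local-account precedence, and the ‘Not used’/‘Only’/‘Except’ group semantics. All domains, accounts and group memberships are constructed sample data, and case-insensitive realm comparison is an assumption.

```python
# Added example (not RADNAC's code): a small model of the rules this page states,
# so the effect of a Policy setting can be reasoned about before it is applied.
# All domains, accounts and group memberships below are constructed sample data.

ENTRA_DOMAINS = {"example.com"}        # constructed: the domain listed under Realms
LOCAL_ACCOUNTS = {"bob@example.com"}   # constructed: a local account that shadows Entra
GROUPS = {                             # constructed: Entra group name -> member logins
    "radnac-pilot": {"alice@example.com"},
    "radnac-excluded": {"carol@example.com"},
    "empty": set(),
}

def split_realm(login):
    """Split 'user@realm' at the last '@'. A bare username has the NULL realm,
    so 'bob' and 'bob@example.com' are different accounts."""
    user, sep, realm = login.rpartition("@")
    if not sep:
        return login, None
    # Assumption: realm names are compared case-insensitively.
    return user, realm.lower()

def resolve(login, mode, group=None):
    """Return which backend authenticates `login` ('local' or 'entra'), or None.
    `mode` is one of the three Policy settings: 'not used', 'only', 'except'."""
    _, realm = split_realm(login)
    # Local accounts take precedence over Entra ID, regardless of Policy.
    if login in LOCAL_ACCOUNTS:
        return "local"
    # Only realms that are configured Entra domains can reach Entra ID;
    # the NULL realm never does, and 'Not used' switches Entra ID off.
    if realm is None or realm not in ENTRA_DOMAINS or mode == "not used":
        return None
    members = GROUPS[group]
    if mode == "only":
        return "entra" if login in members else None   # empty group => nobody
    if mode == "except":
        return None if login in members else "entra"   # empty group => everybody
    raise ValueError(f"unknown Policy setting {mode!r}")

def who_is_in_scope(mode, group, candidates):
    """List the candidate logins that a given setting would send to Entra ID."""
    return sorted(c for c in candidates if resolve(c, mode, group) == "entra")
```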