Use Microsoft Entra ID
These instructions walk you through how to configure the Microsoft Entra ID integration allowing you to authenticate user accounts based on the information stored and managed there.
Local user accounts take precedence over Microsoft Entra ID accounts, meaning if you have an account in both for bob@example.com, the Microsoft Entra ID entry will be ignored.
|
Preflight (Checklist)
-
An installation of RADNAC
-
Follow the Quickstart: Getting started with RADNAC if you do not.
-
-
Recommended to have a Microsoft Entra ID P1 (or higher) license so you can use Conditional Access.
-
Included with some Microsoft 365 subscriptions.
-
License free alternatives are:
-
Trusting the service public IPv4 addresses though Microsoft explicitly list that to use ‘Trusted IP’ you require a Microsoft Entra ID P1 (or higher) license, which whilst working for now without may stop working at any time and with no warning.
-
Disable security defaults and generally disable MFA (not recommended).
-
-
Application Exception for MFA
Counterintuitively, you must setup Microsoft Entra ID to skip multifactor authentication for authentication made through from the ‘RADNAC Microsoft Entra ID’ application (this application was created using the deployment).
This is because the default Microsoft Entra ID method for completely an MFA flow uses your web browser which is incompatible with how your RADIUS backed wireless service needs to function. The issue is to use a web browser a working network connection is required but until you complete the authentication you have no network access. So the solution here is to disable the default Microsoft Entra ID method for MFA.
| Later you may enable push notification based MFA for user connections using a different mechanism that is compatible. |
The first step is to setup Microsoft Entra ID to skip multifactor authentication for requests from the ‘RADNAC Microsoft Entra ID’ application in one of two ways:
-
If using a Microsoft Entra ID P1 or higher license, you should follow the ‘Conditional Access’ section (recommended)
-
Otherwise follow the ‘Trusted IP’ section
Conditional Access
This process describes moving from security defaults to Conditional Access.
Complete the following steps, though if you are already using and familiar with Conditional Access policies you may want to derive your own bespoke instructions for your own environment based upon the steps below:
-
Go to the Microsoft Entra admin center
-
From the left sidebar, navigate through
-
At the bottom of the page, under ‘Security defaults’, jump to the step below that matches the status of this setting and continue through all of the remaining steps of the list:
- Your organization is not protected by security defaults
-
Click on ‘Managed security defaults’ and enable it; before doing this you should review the impact of forcing all your users to register for multifactor authentication
- Your organization is protected by security defaults
-
To enabled Conditional Access click on ‘Managed security defaults’ and disable it but you must supply the reason of that ‘My organization is planning to use Conditional Access’ and then check the box to convert the default security policy into a set of Conditional Access policies.
- Your organization is currently using Conditional Access policies which prevents you from enabling security defaults
-
This is state in which you want to get your Entra ID security state to be.
-
From the left sidebar, navigate through .
If you cannot find ‘Conditional Access’ you do not have the prerequisite Microsoft Entra ID P1 (or higher) license. -
If you do not already have a bespoke policy (ie. without the ‘MICROSOFT-MANAGED’ labeling) you will need to duplicate (three dots to the right of it) at least the ‘Multifactor authentication for all users’ policy and depending if administrator accounts will be authenticated by the service then also ‘Require multifactor authentication for admins’ too.
-
Edit the policy and amend the ‘Target resources’ by going to ‘Exclude’, pick ‘Select resources’ and then click on ‘Select’ and add ‘RADNAC Microsoft Entra ID’ to the exclusion list.
-
Enable the policy (at the bottom of the page) by selecting ‘On’, apply it to also your account and select ‘Create’.
-
If you duplicated any ‘MICROSOFT-MANAGED’ policies, you will need to disable them by clicking on the three dots to the right, then ‘Edit’ and marking it as ‘Off’.
Trusted IP
Complete the following steps:
-
Go to the Microsoft Entra admin center.
-
From the left sidebar, navigate through .
-
Click on the ‘Service settings’ tab
-
Under ‘Trusted IPs’, into the multiline text box labeled ‘Skip multifactor authentication for requests from following range of IP address subnets’ copy into it the contents of the ‘serviceIPv4’ and `serviceIPv6’ address found from the managed application page under the right and listed at the bottom, under the ‘Outputs’.
You must enter these in as CIDR’s, so for IPv4 addresses append with /32(for example192.0.2.1would become192.0.2.1/32) and for IPv6 addresses append/128. -
Click on the Save button at the bottom of the page
Steps
From the web user interface, click on the Entra tab and make sure you have selected the inner ‘Configuration’ tab.
There are two policies that user accounts are able to authentication for:
- Network Access
-
Used to provide networking and Internet access to workstations and phones connecting using for example a wireless network.
- Device Access
-
May be used if you want to use the service to secure access to your networking equipment such as switches and other management interfaces.
This is not the same as workstations and phones connecting to a wireless (or wired) network, if in doubt, leave this ‘Not used’ and enable ‘Network Access’ instead.
There are three settings for each:
- Not used
-
Microsoft Entra ID will not be used to authenticate users.
- Only (opens a dropdown to select a Microsoft Entra ID group)
-
Only users that are members of the selected group will be authenticated using Microsoft Entra ID.
You may use a dynamic group. - Except (opens a dropdown to select a Microsoft Entra ID group)
-
Members of the selected group will be excluded from authenticating with Microsoft Entra ID.
Use an empty group for a “exclude no users” which makes all accounts in scope for authentication with Microsoft Entra ID.
Initially it is recommended you start off by setting:
-
Network Access: ‘Except’ pointing to a group with no members
-
Alternatively use ‘Only’, starting with a group with no members and onboard each user into the group during your testing or migration process
-
-
Device Access: ‘Not used’
Click the Update button at the bottom of this page to activate your settings.
Realms
Now that policies have been applied to allow users to authentication against Microsoft Entra ID, we now need to configure how they authenticate.
To do this you need to navigate the web user interface and click on the Realms tab at the top.
Here you will need to configure the realm(s) you wish to use for EAP-TTLS/PAP authentication before users will be able to authentication.
Once configured, users must log in using the username format ‘<username>@<domain>’, often this matches their email address.
As an example, ‘bob’ in a domain ‘example.com’ would log in with the username bob@example.com.
‘bob’ (‘NULL’ realm) and ‘bob@example.com’ (‘example.com’ realm) are treated as different accounts.
|