Use Microsoft Entra ID

These instructions walk you through how to configure the Microsoft Entra ID integration allowing you to authenticate user accounts based on the information stored and managed there.

Local user accounts take precedence over Microsoft Entra ID accounts, meaning if you have an account in both for bob@example.com, the Microsoft Entra ID entry will be ignored.

Preflight (Checklist)

Application Exception for MFA

Counterintuitively, you must setup Microsoft Entra ID to skip multifactor authentication for authentication made through from the ‘RADNAC Microsoft Entra ID’ application (this application was created using the deployment).

This is because the default Microsoft Entra ID method for completely an MFA flow uses your web browser which is incompatible with how your RADIUS backed wireless service needs to function. The issue is to use a web browser a working network connection is required but until you complete the authentication you have no network access. So the solution here is to disable the default Microsoft Entra ID method for MFA.

Later you may enable push notification based MFA for user connections using a different mechanism that is compatible.

The first step is to setup Microsoft Entra ID to skip multifactor authentication for requests from the ‘RADNAC Microsoft Entra ID’ application in one of two ways:

Conditional Access

This process describes moving from security defaults to Conditional Access.

Complete the following steps, though if you are already using and familiar with Conditional Access policies you may want to derive your own bespoke instructions for your own environment based upon the steps below:

  1. Go to the Microsoft Entra admin center

  2. From the left sidebar, navigate through Entra ID  Overview  Properties (tab)

  3. At the bottom of the page, under ‘Security defaults’, jump to the step below that matches the status of this setting and continue through all of the remaining steps of the list:

    Your organization is not protected by security defaults

    Click on ‘Managed security defaults’ and enable it; before doing this you should review the impact of forcing all your users to register for multifactor authentication

    Your organization is protected by security defaults

    To enabled Conditional Access click on ‘Managed security defaults’ and disable it but you must supply the reason of that ‘My organization is planning to use Conditional Access’ and then check the box to convert the default security policy into a set of Conditional Access policies.

    Your organization is currently using Conditional Access policies which prevents you from enabling security defaults

    This is state in which you want to get your Entra ID security state to be.

  4. From the left sidebar, navigate through Entra ID  Conditional Access  Policies (inner left bar).

    If you cannot find ‘Conditional Access’ you do not have the prerequisite Microsoft Entra ID P1 (or higher) license.
  5. If you do not already have a bespoke policy (ie. without the ‘MICROSOFT-MANAGED’ labeling) you will need to duplicate (three dots to the right of it) at least the ‘Multifactor authentication for all users’ policy and depending if administrator accounts will be authenticated by the service then also ‘Require multifactor authentication for admins’ too.

  6. Edit the policy and amend the ‘Target resources’ by going to ‘Exclude’, pick ‘Select resources’ and then click on ‘Select’ and add ‘RADNAC Microsoft Entra ID’ to the exclusion list.

  7. Enable the policy (at the bottom of the page) by selecting ‘On’, apply it to also your account and select ‘Create’.

  8. If you duplicated any ‘MICROSOFT-MANAGED’ policies, you will need to disable them by clicking on the three dots to the right, then ‘Edit’ and marking it as ‘Off’.

Trusted IP

Complete the following steps:

  1. Go to the Microsoft Entra admin center.

  2. From the left sidebar, navigate through Entra ID  Users  All Users  Per-user MFA (tab).

  3. Click on the ‘Service settings’ tab

  4. Under ‘Trusted IPs’, into the multiline text box labeled ‘Skip multifactor authentication for requests from following range of IP address subnets’ copy into it the contents of the ‘serviceIPv4’ and `serviceIPv6’ address found from the managed application page under the right Settings  Parameters and Outputs and listed at the bottom, under the ‘Outputs’.

    You must enter these in as CIDR’s, so for IPv4 addresses append with /32 (for example 192.0.2.1 would become 192.0.2.1/32) and for IPv6 addresses append /128.
  5. Click on the Save button at the bottom of the page

Steps

From the web user interface, click on the Entra tab and make sure you have selected the inner ‘Configuration’ tab.

There are two policies that user accounts are able to authentication for:

Network Access

Used to provide networking and Internet access to workstations and phones connecting using for example a wireless network.

Device Access

May be used if you want to use the service to secure access to your networking equipment such as switches and other management interfaces.

This is not the same as workstations and phones connecting to a wireless (or wired) network, if in doubt, leave this ‘Not used’ and enable ‘Network Access’ instead.

There are three settings for each:

Not used

Microsoft Entra ID will not be used to authenticate users.

Only (opens a dropdown to select a Microsoft Entra ID group)

Only users that are members of the selected group will be authenticated using Microsoft Entra ID.

You may use a dynamic group.
Except (opens a dropdown to select a Microsoft Entra ID group)

Members of the selected group will be excluded from authenticating with Microsoft Entra ID.

Use an empty group for a “exclude no users” which makes all accounts in scope for authentication with Microsoft Entra ID.

Initially it is recommended you start off by setting:

  • Network Access: ‘Except’ pointing to a group with no members

    • Alternatively use ‘Only’, starting with a group with no members and onboard each user into the group during your testing or migration process

  • Device Access: ‘Not used’

Click the Update button at the bottom of this page to activate your settings.

Realms

Now that policies have been applied to allow users to authentication against Microsoft Entra ID, we now need to configure how they authenticate.

To do this you need to navigate the web user interface and click on the Realms tab at the top.

Here you will need to configure the realm(s) you wish to use for EAP-TTLS/PAP authentication before users will be able to authentication.

Once configured, users must log in using the username format ‘<username>@<domain>’, often this matches their email address.

As an example, ‘bob’ in a domain ‘example.com’ would log in with the username bob@example.com.

bob’ (‘NULL’ realm) and ‘bob@example.com’ (‘example.com’ realm) are treated as different accounts.