Passwordless Azure AD Wi-Fi Security Architecture

Yes, definitely. If you already have an identity management service in place, using SecureW2’s Cloud PKI and Cloud RADIUS doesn’t require you to create separate identities. We have tight integration with Azure Active Directory and can work hand in hand with it. Once you create/delete identities in Azure AD you can leave the rest to us. We can manage your wireless network authentication and do an additional RADIUS lookup as well.

Certificate distribution to all the clients available in your entire network infrastructure could be a daunting task. If you have a Mobile Device Management solution (MDM) like Intune, Simple Certificate Enrollment Protocol (SCEP) settings can be pushed to devices that enable them to talk to a PKI autonomously, enabling a zero-touch method for certificate enrollment and renewal. SecureW2 is a an official CA partner of Intune enabling a further secured version of SCEP enrollment with an API lookup that can validate things such as Device Compliance.

For BYODs we provide a dissolvable module, JoinNow MultiOS, that enables end users to self-service their device. It automatically enrolls certificates and configures the Wi-Fi settings for devices, drastically reducing the complexity of enterprise Wi-Fi security.

SCEP works by providing a URL and key to devices; anyone who can gain access to these enrolls for a client certificate. As user identity is not validated it is easy for anyone to impersonate and move to a higher privilege network. To alleviate this issue SecureW2 has partnered with Microsoft to be an Intune CA partner. SecureW2 validates the users using the Graph API directly and then processes any SCEP enrollment requests.

For a managed device the client certificate and Wi-Fi policy get pushed through Managed Device Management (MDMs) solutions like Intune.

For BYODs, we have a dissolvable onboarding module JoinNow MultiOS that allows your end users to self-service themselves for certificates, and simultaneously have their device configured for 802.1x network security. It works by first asking the user to authenticate themselves with any IDP, like Azure Active Directory. Once the user has entered in their Azure credentials, MultiOS will deploy certificates to their device. It also allows you to map user attributes from Azure Active Directory, so you can create automated conditional access policies for certificate enrollment and network security.

User and device information like UserName or Azure AD Device ID can be mapped directly into the certificate template in a PKI like SecureW2. The data that is inputted into the certificate, can then be used for creating access and authorization policies. For example, some organizations use Intune Device Compliance to determine whether a device should be put in a quarantine VLAN.

Integrating Cloud RADIUS with Azure requires creating an App Registration in Azure. After that, the Tenant and Client ID needs to be shared to SecureW2, along with the client secret. Lastly, API Permissions need to be configured so that CloudRADIUS can read user and device data from Azure, so it can determine access and authorization levels with real-time data.

Reusing the same Azure AD credentials for your Wi-Fi security is not recommended as these could be easily stolen or shared among people, depriving you of the knowledge of who is accessing your network. Hackers could easily use these credentials as a pivoting point for carrying out more serious damage to your network.

SecureW2’s Cloud RADIUS solution alleviates this problem efficiently with the power of digital certificates. It quickly turns your Wi-Fi network into an EAP-TLS framework, transitioning your entire network into a passwordless secure environment. We’ve worked closely with partners like Microsoft, Okta, Google, and Jamf so that our JoinNow Connector PKI’s Certificate Lifecycle Automation is an extension of your Identity, ensuring that only valid and trusted devices are on the network and segmented accordingly.