It’s no secret that organizations are making the transition to cloud-based network environments. This is especially true considering the dramatic increase in remote work due to the global pandemic. Network administrators who use Active Directory (AD) want to be able to manage their remote workers, but struggle with the transition to the cloud because Microsoft hasn’t made cloud technology a priority for its customers.
Microsoft created Azure AD (Microsoft Entra ID) to help clients with the move, but Azure is severely limited compared to AD when it comes to support for WPA2-Enterprise Wi-Fi. AD is an on-premises solution, and Microsoft doesn’t offer cloud PKI or Certificate Authority (CA) services. This gap in usable infrastructure can force administrators into keeping expensive AD domain hardware, wasting time and resources in the process.
If you want to skip the reading and get started transitioning your network, go ahead and submit a contact form with details about your network and org. Otherwise, read on for some contextual info about AD and the cloud.
Can I Just Use Azure AD (Microsoft Entra ID)?
AD quickly became the quintessential device management solution shortly after its release in late 1999. The working world had already turned to Microsoft for 90% of their tech solutions, and while directory services weren’t a new idea, Microsoft’s monopoly in the tech world and their easy deliverability made them the sure-fire choice for most businesses.
IT administrators were able to deploy Windows devices to all their employees while still maintaining all the control they needed. IT continued to use AD almost exclusively for years, which manufactured an environment in which the pressure to choose systems and applications that could be controlled by AD was paramount.
Microsoft had its grasp on network management and had no incentive to support third-party solutions or even develop a good way to transition organizations to the cloud.
Eventually, they offered Azure AD, which was advertised essentially as the cloud version of AD. However, it quickly became clear that this was not the case. Implementing Azure AD has led to problems for Windows administrators, particularly with regard to network authentication.
This is because Azure AD does not natively support LDAP unless it is synced with on-prem AD. This prevents users from seamlessly migrating to the cloud unless admins create new accounts for all their users and customize the access levels for each individual. This extra step is a massive headache for network administrators and end-users alike, which is certainly enough for some to avoid cloud-based network technology altogether.
What’s Wrong With Active Directory Security?
Using credentials has been the standard for authenticating users onto networks for some time, but with cybercriminals becoming more sophisticated, the flaws of passwords have become much too apparent to ignore any longer.
Passwords can be shared, forgotten, and stolen through social engineering, which inherently makes them a weak form of security. This is especially important to consider as a successful cyber attack has the potential to bankrupt a business.
To make matters worse, both Azure and AD networks authenticate users with PEAP-MSCHAPv2, which contains a significant vulnerability in its encryption that can allow a hacker to gain access to user login information in plain text.
The alternative? Digital Certificates!
Digital certificates provide a better security standard because they themselves are encrypted entities that can be individually issued to every verified user. They are used as the identifier, which eliminates the need for passwords altogether.
To take advantage of certificates, the best protocol to use would be EAP-TLS, which is undoubtedly the most secure. With EAP-TLS, both the client and the server hold certificates and use them to verify each other. Authenticating users based on certificates eliminates over-the-air credential theft and ensures that only verified users will be granted network access.
Certificates also allow admins to map user attributes to certificates based on the user’s standing in the organization. This creates an even stronger level of security as different members of the organization will only have access to the things they need to access.
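As an added illustration of the two points above (mutual verification under EAP-TLS, and mapping a user attribute in the certificate to a network policy), here is a Go program written for this article; it is not SecureW2's code and not part of the original post. A constructed CA issues a server certificate and user certificates, the server side requires a client certificate chaining to that CA, the client side verifies the server against the same CA, and the OU stamped into the user's certificate is looked up in a hypothetical policy table. A TLS connection over loopback TCP stands in for the EAP-TLS transport (EAP-TLS carries the same TLS handshake inside EAP/RADIUS rather than over TCP); the hostnames, OUs and VLAN names are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"time"
)

// Hypothetical policy table (an assumption of this example): the OU the PKI stamps
// into each user certificate, mapped to the access a RADIUS server would grant.
var policyByOU = map[string]string{"Engineering": "vlan-20-internal", "Contractors": "vlan-99-restricted"}

// PolicyForCert maps a chain-verified client certificate to a policy; an unknown OU is rejected, not defaulted.
func PolicyForCert(cert *x509.Certificate) (string, error) {
	for _, ou := range cert.Subject.OrganizationalUnit {
		if p, ok := policyByOU[ou]; ok {
			return p, nil
		}
	}
	return "", fmt.Errorf("no policy for %q (OU=%v)", cert.Subject.CommonName, cert.Subject.OrganizationalUnit)
}

// NewCert issues an ECDSA P-256 certificate: a self-signed CA when issuer is nil, else a leaf signed by the issuer.
func NewCert(cn, ou string, issuer *tls.Certificate) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn, OrganizationalUnit: []string{ou}},
		DNSNames:     []string{cn}, // what the supplicant's ServerName is checked against
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		IsCA:         issuer == nil, BasicConstraintsValid: true,
	}
	if issuer == nil {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	parent, signKey := tmpl, any(key)
	if issuer != nil {
		parent, signKey = issuer.Leaf, issuer.PrivateKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signKey)
	if err != nil {
		return tls.Certificate{}, err
	}
	leaf, err := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, err
}

// Authenticate runs one mutually authenticated TLS handshake in place of the EAP-TLS exchange: the server
// demands a client certificate chaining to ca, the client verifies the server against the same ca, and
// on success the server replies with the policy derived from the client's certificate.
func Authenticate(ca *x509.Certificate, server, client tls.Certificate) (string, error) {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{server},
		ClientAuth:   tls.RequireAndVerifyClientCert, // no valid user certificate, no access
		ClientCAs:    pool, MinVersion: tls.VersionTLS12,
	})
	if err != nil {
		return "", err
	}
	defer ln.Close()
	go func() {
		conn, err := ln.Accept()
		if err != nil {
			return
		}
		defer conn.Close()
		tc := conn.(*tls.Conn)
		if tc.Handshake() == nil { // on a failed chain check the TLS alert has already gone out
			if policy, err := PolicyForCert(tc.ConnectionState().PeerCertificates[0]); err == nil {
				io.WriteString(tc, policy) // closing with no reply plays the role of Access-Reject
			}
		}
	}()
	tc, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{
		Certificates: []tls.Certificate{client},
		RootCAs:      pool, // the supplicant validates the server, so a rogue AP cannot pose as it
		ServerName:   server.Leaf.Subject.CommonName, MinVersion: tls.VersionTLS12,
	})
	if err != nil {
		return "", err
	}
	defer tc.Close()
	reply, err := io.ReadAll(tc) // completes the handshake, then collects the server's reply
	if err == nil && len(reply) == 0 {
		err = fmt.Errorf("access rejected for %q", client.Leaf.Subject.CommonName)
	}
	return string(reply), err
}

func main() {
	ca, _ := NewCert("ca.example.test", "IT", nil)
	radius, _ := NewCert("radius.example.test", "IT", &ca)
	alice, _ := NewCert("alice.example.test", "Engineering", &ca)
	fmt.Println(Authenticate(ca.Leaf, radius, alice)) // vlan-20-internal <nil>
}
```

Three outcomes are worth trying: a user certificate issued by the trusted CA with a known OU is accepted and receives its policy; a certificate issued by some other CA fails chain verification during the handshake, so no credential is ever exchanged for an attacker to capture; and a properly issued certificate whose OU has no policy is refused rather than silently given default access, which is the least-privilege behaviour the attribute mapping is meant to enforce.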
How Can I Use Certificates With AD?
Many organizations think that because AD has a tight grasp on the online directory market, a cloud-based replacement for AD’s on-prem infrastructure isn’t possible. Luckily, if you use Microsoft Azure as your SAML provider, you can easily set up a certificate-backed WPA2-Enterprise network fully equipped with CloudRADIUS using SecureW2.
Many admins have avoided switching to certificate-based authentication because they believe certificates are too difficult to configure and distribute to each device in their directory. But this is only the case if you are manually configuring your devices.
Azure customers who deploy certificates with SecureW2 are able to use simple onboarding software for BYODs and gateway APIs for their managed devices. SecureW2 offers an easy-to-use PKI that integrates with Azure for use as an IdP.
You’ll have no infrastructure costs because SecureW2 works exclusively in the cloud, can be set up in a few hours, and costs a fraction of the price of on-prem PKIs. Our #1 rated JoinNow onboarding software requires no technical expertise and can be completed easily by end-users, reducing IT overhead and costs even further.
CloudRADIUS is the only RADIUS server that comes with an industry-exclusive Dynamic Policy Engine that integrates natively with Azure and Intune, which can enforce network policies in real time. CloudRADIUS automatically checks user status, what groups they’re in, and whether they’ve changed departments, and ties them to custom network policies created by administrators in our easy-to-use management system. All the benefits of historic LDAP authentication, with none of the risks associated with credential-based authentication.
With SecureW2 you can have your secure network set up in a matter of hours and have a support team ready to assist you with any of your questions. We’ll even set you up with a free demo so you can try it out for yourself. Try it today!