
Does LDAP work with Entra ID? Yes and No

Key Points
  • The LDAP protocol is not compatible with cloud-based directories such as Entra ID and only works with legacy, on-premises Active Directory environments.
  • You can only use LDAP with Entra ID by setting up Microsoft Entra Domain Services (AD DS) using the complex Microsoft Entra Connect tool, which lacks security features and relies on outdated protocols such as PEAP-MSCHAPv2.
  • You can eliminate all these drawbacks by using our Cloud RADIUS, which uses OAuth to communicate with Entra ID and look up user/device attributes to enforce policies that authorize network access.

To make a long story short: Microsoft offers the ability to sync Azure AD (Microsoft Entra ID) with an LDAP server, which can suffice as a short-term solution. This means your Azure AD would be duplicated to an on-prem LDAP server that can continue working with your existing environment. However, organizations that rely on LDAP today should really move towards SAML- and OAuth-based certificate authentication as a long-term solution. It eliminates the need for an extra on-prem server (which has been repeatedly exposed to zero-day attacks in recent years) and lets applications like Wi-Fi and VPN authenticate directly against Azure AD.

Here’s a quote from Microsoft themselves on the matter: “For Wi-Fi and VPN connections, Microsoft recommends moving from MSCHAPv2-based connections to certificate-based authentication such as EAP-TLS.”

Simplifying Passwordless Authentication for Azure AD (Microsoft Entra ID)

So, how would this look when using Azure AD for network authentication? It’s actually quite simple, as you can easily enable passwordless wireless security without needing LDAP at all. All you need to do is connect your Azure Cloud (Azure AD + Intune) with SecureW2’s PKI and Cloud RADIUS to enable network security. We’ve provided a high-level diagram showing how the process works in two phases: one-time enrollment and runtime.

Phase 1 begins with connecting your MDM/device management platform with our PKI services. The first step in Phase 1 involves configuring your MDM to verify the end user’s credentials in Azure AD (or any other cloud identity provider) before they are issued a certificate.

Next, you can create an API and Certificate Authority and configure profiles that allow every managed device to enroll themselves for certificates. After the certificate is enrolled, a network profile can be sent to the device enabling it to use its new certificate for network authentication.

Now that our devices are configured for certificate-based authentication (without the need for LDAP), we can use Cloud RADIUS to authenticate the user in Azure AD (or any major cloud IdP, for that matter) and authorize access at the time of authentication. You can learn how one of our customers switched from their pre-shared password system to passwordless authentication to enable 802.1X with their Azure AD environment.

Want more details about why LDAP with Azure isn’t a long-term solution, and why you should implement certificate-based authentication instead? Keep reading.

LDAP Doesn’t Work in the Cloud

Simply put, the architecture of cloud-based directories was not built to accommodate LDAP (Lightweight Directory Access Protocol) and LDAP is too old to be compatible with most cloud-based systems.

There’s no single point of failure that makes LDAP untenable; it is technically possible to keep using it, but just about every aspect of LDAP has been improved upon and replaced by more modern protocols. The reason LDAP is still around is that it’s so integral to legacy, on-premises Active Directory environments, which are still ubiquitous.

LDAP Is Not Compatible with Azure AD

Straight from the source – Microsoft says that Azure AD does not support LDAP. They offer an alternative solution: set up an Azure AD Domain Services (Azure AD DS) instance and configure some security groups with Azure Networking, then connect LDAP to that.

Using LDAP with Azure AD DS is the only method to connect LDAP to Azure, and it’s a tenuous one at best. It does not allow for full utilization of LDAP or Azure features, so it’s really just a band-aid for organizations too stubborn to rework their network infrastructure.

Furthermore, LDAP isn’t secure by today’s standards. The traffic it sends is unencrypted by default, though “Secure LDAP” (LDAPS) also exists and wraps the connection in SSL/TLS. Using an inherently insecure protocol reduces the overall security of your network to the level of that weakest link.

LDAP relies on PEAP-MSCHAPv2 as its end-user authentication protocol, which has several known vulnerabilities. One is that the MSCHAPv2 hash has been crackable for some time now, allowing attackers to recover credentials used for network authentication. The second is that it’s incredibly easy for end users to misconfigure their devices’ network authentication settings, putting themselves at high risk of over-the-air credential theft.

Instead, most organizations today are switching to the EAP-TLS protocol, which replaces credentials with X.509 digital certificates, eliminating the risk of over-the-air credential theft and MITM attacks. In an era where digital certificates are the uncontested frontrunners of secure network authentication, using an antiquated protocol like LDAP is just asking for trouble.


Cloud-Based LDAP Alternatives


There’s little reason to keep LDAP around; even organizations that have (or want) to maintain on-premise network infrastructure have better options more suited to modern-day cloud architecture.

Azure AD Connect

Azure AD Connect isn’t a 1:1 replacement for LDAP, but it’s pretty close. It serves as a connector between Azure and Active Directory Federation Services (AD FS). You’ll note that AD FS isn’t the same thing as AD, so it’s not a direct connection to AD, but many AD environments use AD FS anyway.

Azure AD Connect is more than just a federation integration, however. It has other identity management features like user, group, and device synchronization and a convenient pass-through authentication sign-in method that can simplify federated environments.

It’s a good alternative to LDAP because it accomplishes the same primary functions while bridging the gap between cloud and on-premise networks with modern security standards.

SSO Protocols

SAML, OAuth, and OpenID are the most popular Single Sign-On protocols. Comparing them to LDAP is a little bit of an “apples to oranges” comparison, but in the context of an Azure environment, they would be performing similar functions: connecting the user directory to external applications for user authentication.

One potential use case for SSO protocols is to use SAML to issue digital certificates to users, allowing them to self-enroll with their old AD credentials. SAML can be used with Azure AD to authenticate via any cloud RADIUS server.

Given that these protocols were designed to interface with internal identity providers and external web services, it goes without saying that security is a primary consideration. SSO has proven both secure and convenient enough to warrant industry-wide adoption, so it’s likely your organization would benefit from its inclusion.

Dynamic Policy Enforcement for Azure AD

SecureW2 has also developed a solution to fill the hole left by LDAP. Our Cloud RADIUS servers come equipped with the new Dynamic Policy Engine, which enables them to make runtime policy decisions such as dynamic VLAN segmentation. Using OAuth, it communicates with Azure AD in real time.

Much like the well-loved user lookup function of LDAP, SecureW2’s Cloud RADIUS can look up user attributes stored in the directory and use them to implement group policy and user segmentation at the moment of authentication. Our RADIUS comes with a fully featured Cloud PKI that enables superior certificate-based authentication, enhancing both security and user experience.
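To make the runtime-lookup idea concrete, here is an added example (not SecureW2’s code, and not the real Cloud RADIUS or Entra ID API) of the authorization step described in the enrollment/runtime flow above and in this section. The client is identified by the UPN taken from its EAP-TLS certificate, the directory lookup is a hypothetical in-memory stand-in for the OAuth call to Entra ID, and the policy table maps group membership to a VLAN returned as standard RFC 3580 tunnel attributes. The directory contents, group names and VLAN numbers are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Constructed snapshot of the attributes a Cloud RADIUS would fetch from the
# directory over OAuth at authentication time. Sample data, not a real tenant.
DIRECTORY: Dict[str, dict] = {
    "alice@example.com": {"accountEnabled": True, "groups": ["Staff", "Finance"]},
    "bob@example.com": {"accountEnabled": True, "groups": ["Contractors"]},
    "carol@example.com": {"accountEnabled": False, "groups": ["Staff"]},
}

# Ordered policy table: the first rule whose group the user belongs to wins.
POLICIES: List[dict] = [
    {"name": "finance", "group": "Finance", "vlan": 20},
    {"name": "staff", "group": "Staff", "vlan": 10},
    {"name": "contractors", "group": "Contractors", "vlan": 30},
]


@dataclass
class ClientIdentity:
    """What the RADIUS server learns from the presented EAP-TLS certificate."""
    upn: str               # user principal name carried in the certificate SAN
    chain_valid: bool      # chains to the trusted CA and passed revocation checks
    not_after: datetime    # certificate expiry


def lookup_user(upn: str) -> Optional[dict]:
    """Hypothetical stand-in for the OAuth-backed directory lookup."""
    return DIRECTORY.get(upn)


def vlan_attributes(vlan: int) -> Dict[str, str]:
    """RFC 3580 tunnel attributes that place an 802.1X client in a VLAN."""
    return {
        "Tunnel-Type": "VLAN",             # numeric value 13
        "Tunnel-Medium-Type": "IEEE-802",  # numeric value 6
        "Tunnel-Private-Group-ID": str(vlan),
    }


def authorize(identity: ClientIdentity, now: datetime) -> dict:
    """Return Access-Accept with VLAN attributes, or Access-Reject with a reason.

    Certificate checks come first; the directory lookup then catches users who
    were disabled or moved after their certificate was issued.
    """
    if not identity.chain_valid:
        return {"result": "Access-Reject", "reason": "certificate chain invalid"}
    if identity.not_after <= now:
        return {"result": "Access-Reject", "reason": "certificate expired"}

    user = lookup_user(identity.upn)
    if user is None:
        return {"result": "Access-Reject", "reason": "user not found in directory"}
    if not user.get("accountEnabled", False):
        return {"result": "Access-Reject", "reason": "account disabled"}

    groups = set(user.get("groups", []))
    for policy in POLICIES:
        if policy["group"] in groups:
            return {
                "result": "Access-Accept",
                "policy": policy["name"],
                "attributes": vlan_attributes(policy["vlan"]),
            }

    # Default deny: a valid certificate alone does not grant network access.
    return {"result": "Access-Reject", "reason": "no matching policy"}


if __name__ == "__main__":
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    expiry = datetime(2025, 1, 1, tzinfo=timezone.utc)
    for upn in list(DIRECTORY) + ["mallory@example.com"]:
        print(upn, authorize(ClientIdentity(upn, True, expiry), now))
```

The order of checks is the design point: the certificate proves possession of a key issued to that UPN, but only the live lookup reflects the directory’s current state, so a disabled account (carol in the sample data) is refused at the next authentication even though her certificate is still within its validity period. Anything that passes the certificate checks but matches no policy rule is rejected rather than dropped into a default VLAN.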

Perhaps the best aspect of our solution is that it is totally vendor-neutral and able to be integrated into any network infrastructure. SecureW2 can utilize your on-prem components or replace them with managed cloud equivalents to suit your organization’s needs. Our robust, single-pane management suite will give you full control over every aspect of your network – local and cloud.

We have affordable options for organizations of every size. Click here to see our pricing.


Patrick Grubbs

Patrick is an experienced SEO specialist at SecureW2 who also enjoys running, hiking, and reading. With a degree in Biology from College of William & Mary, he got his start in digital content by writing about his ever-expanding collection of succulents and cacti.
