I'm interested in knowing if anyone here has managed to get WiFi authentication working directly with Entra ID, especially since we have no on-prem Active Directory and everything is cloud-based. We're using FortiAPs managed through FortiGate. I'm hoping to allow users to connect to our office WiFi using their Entra ID credentials. Most resources suggest that a RADIUS server (either hosted or on-prem) is necessary for 802.1X authentication, which I'm looking to avoid. I'm aiming for a straightforward cloud-only solution that doesn't involve setting up or handling RADIUS or AD infrastructure. Has anyone accomplished this, or is it currently impossible without a RADIUS setup?
5 Answers
That's an interesting setup! What’s driving your need for this specific authentication method?
Depending on your user count, we've been using Keytos for a cloud CA and RADIUS server, which works pretty well. Do note though, RadSec is only supported from FortiOS 7.6 onwards. If you're on an older version, the RADIUS protocol may expose some unencrypted auth traffic over the internet. We're utilizing RadSec Proxy to ensure encryption from our Wi-Fi controller to the cloud RADIUS server. Setting up certificate-based authentication might look complex initially, but it’s manageable once you grasp the core concepts.
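Added illustration, not part of the answer above: a minimal radsecproxy configuration for the topology the answer describes, with the FortiGate talking plain RADIUS over UDP to a proxy on the LAN and the proxy forwarding everything over RadSec (RADIUS over TLS, TCP 2083) to the cloud RADIUS service. All hostnames, addresses, file paths and the shared secret are placeholders chosen for this example.

```conf
# radsecproxy.conf (constructed example)
# Listen for classic RADIUS from the Wi-Fi controller on the LAN only.
ListenUDP 10.0.0.5:1812

# Client certificate and trust anchor used for the TLS leg to the cloud RADIUS.
# Paths are assumptions; use the certificate issued by the provider for this proxy.
tls default {
    CACertificateFile   /etc/radsecproxy/cloud-radius-ca.pem
    CertificateFile     /etc/radsecproxy/proxy-cert.pem
    CertificateKeyFile  /etc/radsecproxy/proxy-key.pem
}

# The FortiGate (10.0.0.1 is a placeholder) sends RADIUS over UDP; the secret
# here must match the RADIUS server object configured on the FortiGate.
client fortigate {
    type    udp
    host    10.0.0.1
    secret  change-this-shared-secret
}

# Upstream cloud RADIUS reached over TLS. RFC 6614 fixes the shared secret
# for RadSec at the literal string "radsec"; the TLS certificates do the real
# authentication. Hostname is a placeholder.
server cloudradius {
    type    tls
    host    radius.example-provider.net
    port    2083
    secret  radsec
}

# Forward every realm to the cloud server.
realm * {
    server  cloudradius
}
```

The point of the split is that the only unencrypted hop is FortiGate to proxy inside the office network; the leg that crosses the internet carries the EAP exchange and the MS-MPPE key material inside TLS rather than under RADIUS's MD5-based obfuscation. Restrict `ListenUDP` to the LAN interface and firewall the proxy so that only the controller can reach port 1812.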
Check out the Fortinet configuration guide for captive portal authentication using SAML credentials. This requires users to connect first and be redirected to a browser to sign in, which isn't exactly 802.1X but might be useful depending on your setup. I'm guessing you want to avoid that and go straight through Entra ID during Wi-Fi connection, though.
One option is to use certificate authentication. There's a Cloud PKI available for about $2 per user, and it integrates well with Intune. It gives users a certificate, and you can validate it through the certificate chain. If you're considering BYOD, a captive portal might be the only alternative if you want to skip RADIUS. However, if you're looking for a proper long-term 802.1X solution, you'll likely need to work with RADIUS in some capacity, maybe something like Packetfence.
Thanks for the suggestion!
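Added example (not from the answer above, and not any vendor's code) of what "validate it through the certificate chain" means in practice: during EAP-TLS the RADIUS server receives the user's certificate and must chain it to the trusted cloud PKI root, confirm it is within its validity period, and confirm it is meant for TLS client authentication. The Go program below builds a stand-in issuing CA and a rogue CA, issues test certificates (the CA names and the UPN `alice@example.com` are constructed values), and runs the RADIUS-side check against a good certificate and three that must be rejected.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCA creates a self-signed issuing CA. In the real deployment this is the
// cloud PKI's CA whose certificate the RADIUS server holds as a trust anchor.
func newCA(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	ca, err := x509.ParseCertificate(der)
	return ca, key, err
}

// issueUserCert stands in for the certificate Intune pushes to the device:
// subject is the user's UPN; EKU and expiry are parameters so the rejection
// cases below can be constructed.
func issueUserCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, upn string,
	eku []x509.ExtKeyUsage, notAfter time.Time) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: upn},
		NotBefore:    time.Now().Add(-2 * time.Hour),
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  eku,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verifyEAPTLSClient is the check a RADIUS server applies to the supplicant's
// certificate: chain to a trusted root, valid at the current time, and the
// leaf must carry the TLS client-authentication EKU.
func verifyEAPTLSClient(leaf *x509.Certificate, roots *x509.CertPool) error {
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err
}

// Scenarios returns, per case, whether the RADIUS-side check accepts the cert.
func Scenarios() (map[string]bool, error) {
	trusted, trustedKey, err := newCA("Example Cloud PKI Issuing CA")
	if err != nil {
		return nil, err
	}
	rogue, rogueKey, err := newCA("Rogue CA") // not in the trust store
	if err != nil {
		return nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(trusted)

	clientEKU := []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	serverEKU := []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	future, past := time.Now().Add(24*time.Hour), time.Now().Add(-time.Hour)
	cases := map[string]struct {
		ca    *x509.Certificate
		key   *ecdsa.PrivateKey
		eku   []x509.ExtKeyUsage
		until time.Time
	}{
		"valid":        {trusted, trustedKey, clientEKU, future},
		"wrong-eku":    {trusted, trustedKey, serverEKU, future}, // server cert reused as a client cert
		"expired":      {trusted, trustedKey, clientEKU, past},
		"untrusted-ca": {rogue, rogueKey, clientEKU, future},
	}
	out := map[string]bool{}
	for name, c := range cases {
		cert, err := issueUserCert(c.ca, c.key, "alice@example.com", c.eku, c.until)
		if err != nil {
			return nil, err
		}
		out[name] = verifyEAPTLSClient(cert, roots) == nil
	}
	return out, nil
}

func main() {
	res, err := Scenarios()
	if err != nil {
		panic(err)
	}
	for name, ok := range res {
		fmt.Printf("%-13s accepted=%v\n", name, ok)
	}
}
```

The "wrong-eku" case is the one worth noting: a certificate that chains correctly and is unexpired is still rejected if it was issued for server authentication, so the RADIUS policy must require the client-authentication EKU rather than accepting any certificate from the CA. Revocation checking (CRL or OCSP against the cloud PKI) is deliberately left out here and is the next thing to add on a real server.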
There is a GitHub project with an LDAP wrapper for Entra ID that I've tested before with FreeRADIUS. Alternatively, you can use AAD DS for LDAP, but that still involves FreeRADIUS. Another route is to consider a RADIUS as a Service provider. They often emphasize device authentication, usually with cloud PKI, but some provide user/password authentication too.
That’s interesting, thanks! I'll definitely explore that option.

I appreciate the link! It’s focused on captive portal login, but I'm really after 802.1X challenge-response authentication with direct Entra ID communication.