I'm curious if anyone has managed to get WiFi authentication working directly with Entra ID in a completely cloud-based setup. We operate entirely without on-prem Active Directory and manage all of our FortiAPs through FortiGate. My goal is to enable users to connect to our office WiFi using their Entra ID credentials.
Most resources I've encountered suggest that a RADIUS server (either self-hosted or third-party) is necessary, or that I'd need to establish some form of local Active Directory just for 802.1X authentication. I'm hoping to find a straightforward, cloud-centric solution that avoids any RADIUS or AD infrastructure maintenance. Has anyone figured out how to do this, or is it currently impossible without using RADIUS?
4 Answers
You might want to explore certificate authentication. Cloud PKI is available for a couple bucks per user, which can be integrated with Intune. This way, devices or users receive a certificate, and you can validate their authenticity through the certificate chain.
For a BYOD approach, you might need to implement a captive portal if you're looking to skip RADIUS entirely. However, if you want solid 802.1X functionality in the long term, some form of RADIUS setup seems unavoidable. Have you considered something like PacketFence?
For your needs, using Keytos for both cloud CA and cloud RADIUS server has worked well for us. Just a heads up, make sure you're running FortiOS 7.6 or later to leverage RadSec for secure communication. If you're on an earlier version, the standard RADIUS protocol is unencrypted, which could expose credentials. We resolved this by using a RadSec Proxy to handle secure transfers.
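The "RadSec proxy in front of a plain-RADIUS FortiGate" arrangement from the answer above, written out as a constructed radsecproxy configuration (an added example, not the answerer's or any vendor's config). Addresses, hostnames, file paths and the FortiGate shared secret are placeholders; only the literal secret "radsec" on the TLS leg is fixed by RFC 6614.

```conf
# radsecproxy.conf (constructed example).
# The FortiGate speaks plain RADIUS/UDP to this proxy on the local network;
# the proxy forwards every request to the cloud RADIUS service over TLS (RadSec),
# so no credential material crosses the Internet unencrypted.

tls radsec-client {
    # CA that issued the cloud RADIUS server certificate (placeholder path)
    CACertificateFile   /etc/radsecproxy/certs/cloud-radius-ca.pem
    # Client certificate and key the cloud service issued to this proxy (placeholders)
    CertificateFile     /etc/radsecproxy/certs/proxy.pem
    CertificateKeyFile  /etc/radsecproxy/certs/proxy.key
}

# Plain-UDP listener the FortiGate points at as its RADIUS server.
# Keep this on a management VLAN: this hop is the one that is not encrypted.
ListenUDP *:1812

client fortigate {
    # Address the FortiGate sends RADIUS from (placeholder)
    host   192.0.2.10
    type   udp
    secret CHANGE-ME-fortigate-shared-secret
}

# Cloud RADIUS reached over RadSec (TCP/2083 inside TLS).
server cloud-radius {
    # Placeholder hostname; must match the name in the server certificate
    host   radius.example.invalid
    type   tls
    port   2083
    # RFC 6614 mandates the literal secret "radsec"; TLS carries the real protection
    secret radsec
    tls    radsec-client
    CertificateNameCheck on
}

# Forward every realm (all users) to the cloud server.
realm * {
    server cloud-radius
}
```

The FortiGate-to-proxy leg is still classic RADIUS, so the proxy should sit on the same trusted segment as the FortiGate; once FortiOS 7.6 is in place the FortiGate can speak RadSec itself and the proxy can be retired.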
Check out this documentation on captive portal authentication using SAML credentials. It explains how users can connect to the network and then be redirected to a login page. But keep in mind, I'm actually searching for a solution that allows 802.1X-level authentication that communicates directly with Entra ID right from the connection phase, without any captive portal involved.
There’s an LDAP wrapper available for Entra ID that I successfully tested in the past with FreeRADIUS. You could check out that GitHub link I shared.
Another option might be using Azure Active Directory Domain Services to support LDAP, but again, that would rely on FreeRADIUS. If you're considering user authentication, a RADIUS as a Service provider could be the way to go. Many of them also pair device authentication with a cloud PKI setup.

Thanks for sharing that! I see that the doc is focused on SAML logins, but I need a direct 802.1X connection.