We're transitioning to a cloud-only infrastructure, moving servers and other critical components to the cloud. Our office now feels like a fancy coffee shop, with only basic networking equipment like switches, routers, and WiFi access points remaining. We're using Azure for everything else and manage endpoints through Intune. Ideally, we'd like to manage our WiFi through Intune, but it seems to lack support for WPA3 without some workarounds. Our WiFi hardware consists of Unifi U7 Pro units, with the controller also hosted in Azure. I'm curious whether RADIUS is still a viable solution for us or if there are better alternatives. We plan to have separate SSIDs for corporate devices, IoT, and guests.
6 Answers
It really depends on your specific needs. If your endpoints have zero trust network access (ZTNA), then connecting to the WiFi just gives internet access, so you could use a simple password displayed publicly. However, if you have site-to-site VPNs that connect to your infrastructure, then using RADIUS with SCEPMan or a similar service is really the way to go.
Unifi offers a cool feature for one-time use codes that work for both guests and employees. You can set expiration times on these codes, and they’re tied to individual devices, which helps with security since you can track who used what.
Just a heads-up, the WPA2-TLS 802.1x profile you set up in Intune works with WPA3, so clients can connect without issue. I also found an XML import for WPA3 shared keys that worked without problems.
Using a solution like SCEPMan combined with EAP-TLS along with cloud RADIUS could be a solid choice for your setup. It tends to streamline management and security for cloud-based environments.
I've had great experience with PortKNOX cloud RADIUS. It's been reliable and I haven't run into any major issues. Definitely worth a look!
Considering a hosted WiFi platform like Meraki that supports cloud RADIUS could simplify your management and enhance your WiFi experience, given the cloud-heavy nature of your infrastructure.
That's interesting! So the password visibility approach works if there's no sensitive data passing through, right?