Congratulations! You are planning on securing your network and moving to a more modern way of authenticating your users. One of the most common ways to do this is to use Entra ID for Wi-Fi authentication. Paired with a cloud RADIUS service, this lets you move your network authentication fully to the cloud. As you will see in the video below, it is very easy to set up your network to authenticate users with Entra ID, with one caveat: if you are using Apple devices, you have to install a Wi-Fi profile (which can also be pushed through Intune), because Apple devices default to an authentication method that Entra ID does not support.
While username and password is a great step forward compared to a shared key, it is still not the most secure way to authenticate users, and in a zero-trust world you want multi-factor authentication (MFA) on everything, so why not on your Wi-Fi network? The problem is that the RADIUS protocol was not designed for MFA; in fact, it was not even designed for human authentication, it was designed for dial-up connections. This means that if you add MFA to your Wi-Fi network, the RADIUS authentication will keep timing out until the user has completed the MFA challenge. Please see the diagram below, taken straight from the Microsoft documentation.
Additionally, the MFA challenge must be a simple push notification, since the RADIUS protocol offers no way for the user to select the number shown on the screen or to complete other, more complex MFA challenges.
In the last section we talked about how authentication with MFA is a little less convenient than username and password, and some might argue that this is a price worth paying for a more secure network. While you don’t have to sell me twice on more security, there is a problem that most people overlook: your device actually authenticates to the network multiple times a day (think each time you switch APs, restart your PC, etc.). To make this easier for the user, the device caches the username and password and connects to the network automatically, and the RADIUS server usually caches the MFA result for a few hours or days so that the user is not asked to complete MFA every time. The problem comes when that “MFA cache” expires on the server: the user is prompted to accept a push notification without any context. By trying to secure your network, you end up training your users to accept MFA requests because “it is probably just the network asking for it again”. This is a huge security risk, since it is very easy to create a fake MFA request and have the user accept it.
While I just spent a few paragraphs explaining why Entra ID MFA Wi-Fi authentication with RADIUS is a bad idea, I am not saying that you should not secure your network. In fact, I am saying that you should secure your network, but that you should do it the right way. The right way is to use an MDM to distribute a certificate to your devices and then use a RADIUS service to authenticate the device or user with that certificate. This gives you a secure network without the need for MFA. I know what you are thinking: “Now I also have to run a PKI. I was assigned this project and I just want to get it done, not grow the infrastructure I have to manage.” This is where EZCA comes in: it is a fully managed cloud PKI that integrates with your MDM to distribute certificates to your devices. Below you can see a step-by-step video on how to set up your network with Intune, EZRADIUS, and EZCA in less than 30 minutes.
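Certificate-based authentication replaces the push prompt with a check the RADIUS server can make entirely on its own, so it is worth seeing what that check consists of. The Go program below is an added example, not code from this post, from EZCA or from EZRADIUS: it builds a throwaway in-memory CA in place of the cloud PKI, issues device certificates the way an MDM enrolment would, and then applies the EAP-TLS client-certificate policy a RADIUS server enforces (trusted chain, validity window, Client Authentication EKU, a device identity in the subject), including the rejection cases a practitioner should expect to see handled: a certificate with no EKU, an expired one, and one issued by a CA the server does not trust. The CA and device names are constructed for the illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Added example, not Keytos/EZCA/EZRADIUS code. An in-memory CA stands in for the cloud PKI
// the MDM enrols devices against; AuthenticateDevice is the RADIUS-side EAP-TLS check.
// CA and device names below are constructed for the illustration.
type DevicePKI struct {
	CACert *x509.Certificate
	CAKey  *ecdsa.PrivateKey
	Roots  *x509.CertPool // the trust store a RADIUS server is configured with: CA cert only, never the key
}

// issue generates a P-256 key for tmpl and signs tmpl with parent/parentKey, or with its own key when parentKey is nil.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parentKey == nil { // self-signed CA
		parent, parentKey = tmpl, key
	}
	tmpl.SerialNumber, _ = rand.Int(rand.Reader, big.NewInt(1<<62)) // random serial number
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// NewDevicePKI creates a self-signed CA valid for ten years.
func NewDevicePKI(name string) (*DevicePKI, error) {
	tmpl := &x509.Certificate{
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	cert, key, err := issue(tmpl, nil, nil)
	if err != nil {
		return nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(cert)
	return &DevicePKI{CACert: cert, CAKey: key, Roots: roots}, nil
}

// IssueDeviceCert enrols one device as an MDM would. The device key is discarded because only the
// server-side check is shown here; passing no EKU simulates a mis-issued certificate.
func (p *DevicePKI) IssueDeviceCert(deviceID string, validFor time.Duration, ekus ...x509.ExtKeyUsage) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		Subject:     pkix.Name{CommonName: deviceID},
		NotBefore:   time.Now().Add(-time.Minute),
		NotAfter:    time.Now().Add(validFor),
		ExtKeyUsage: ekus,
	}
	cert, _, err := issue(tmpl, p.CACert, p.CAKey)
	return cert, err
}

// AuthenticateDevice is the RADIUS-side decision: the certificate must chain to the trusted CA, be
// inside its validity window, carry the Client Authentication EKU and name a device.
func AuthenticateDevice(cert *x509.Certificate, roots *x509.CertPool) (string, error) {
	// RFC 5280 (and Go's Verify) treat a leaf with no EKU extension as unrestricted,
	// so a strict policy has to require the extension explicitly.
	if len(cert.ExtKeyUsage) == 0 {
		return "", fmt.Errorf("rejected: no Extended Key Usage extension")
	}
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil { // chain, validity window, EKU compatibility
		return "", fmt.Errorf("rejected: %w", err)
	}
	if cert.Subject.CommonName == "" {
		return "", fmt.Errorf("rejected: no device identity in subject")
	}
	return cert.Subject.CommonName, nil // identity the server would authorize
}

func main() {
	pki, _ := NewDevicePKI("Example Device CA")
	rogue, _ := NewDevicePKI("Untrusted CA")
	good, _ := pki.IssueDeviceCert("laptop-0042", 24*time.Hour, x509.ExtKeyUsageClientAuth)
	noEKU, _ := pki.IssueDeviceCert("laptop-0043", 24*time.Hour)
	expired, _ := pki.IssueDeviceCert("laptop-0044", -30*time.Second, x509.ExtKeyUsageClientAuth)
	foreign, _ := rogue.IssueDeviceCert("laptop-0045", 24*time.Hour, x509.ExtKeyUsageClientAuth)
	for _, c := range []*x509.Certificate{good, noEKU, expired, foreign} {
		id, err := AuthenticateDevice(c, pki.Roots)
		fmt.Printf("%s: identity=%q err=%v\n", c.Subject.CommonName, id, err)
	}
}
```

Notice that no password and no MFA prompt appears anywhere in the decision: the server trusts the CA it was configured with and the certificate the MDM placed on the device, so the user is never asked to approve anything, which is what removes the context-free push problem described above. The EKU check is explicit because both RFC 5280 and Go's `Verify` treat a certificate with no EKU extension as unrestricted, and a RADIUS policy that only asked `Verify` for client authentication would accept such a certificate.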
If you made it this far in the blog post, you are probably interested in learning more about how to secure your network with Entra ID and RADIUS. We have a few resources that can help you get started: our YouTube channel has some great explanation videos (and even some funny videos about the IT world), our documentation has step-by-step guides on how to set up your network with Entra ID and RADIUS, and our blog has some great articles on securing your network with Entra ID and RADIUS. If you have any questions, feel free to schedule a call with one of our experts; they will be happy to help you get started securing your network.