I am not an expert in radius or azureAD. But my understanding is that you cannot have a machine “joined” to AzureAD. This prevents most of the common deployment models like AD integrated ISE or ClearPass where you rely on Kerberos and NTLM by joining the node to the domain.
The solution has been to move to a Hybrid deployment and have a local AD box you can integrate to. Or just running a regular DC in Azure and integrating radius there. In a perfect world, you would move to EAP-TLS to remove the need for NTLM and Kerberos, which need an AD joined machine. I believe you can do LDAP for attribute lookup against AzureAD. Alas, I don’t think they have the equivalent of AD certificate services in AzureAD to get certs for all your devices....

I would love to hear if anyone is doing something that works well.

Sent from my iPhone

> On Sep 25, 2019, at 12:43 PM, Turner, Ryan H <[email protected]> wrote:
>
> I know that most times RTT between campus and cloud is low, but I just think
> it's something to be fearful of when authentication times matter. You really
> are going to have no data center footprint to host local services?
>
> From: The EDUCAUSE Wireless Issues Community Group Listserv
> <[email protected]> On Behalf Of Jeffrey D. Sessler
> Sent: Wednesday, September 25, 2019 2:10 PM
> To: [email protected]
> Subject: [WIRELESS-LAN] Azure AD and RADIUS - anyone moved this direction?
>
> Curious if anyone has moved their RADIUS to authenticating against Azure AD,
> and if so, what path did you take? There doesn’t seem to be a clear MS
> solution other than standing up domain services for azure AD and running a
> NPS VM, and I’ve also found a couple of RaaS (radius as a service) offerings
> such as Jumpcloud.
>
> Would welcome feedback. We’re just about out of our datacenter for most
> operations, and radius has been one of those important but low-hanging items
> that I’m now focused on.
>
> Jeff
>
> --
> Jeff Sessler
> Executive Director, Information Technology
> Scripps College
> **********
> Replies to EDUCAUSE Community Group emails are sent to the entire community
> list. If you want to reply only to the person who sent the message, copy and
> paste their email address and forward the email reply. Additional
> participation and subscription information can be found at
> https://www.educause.edu/community
