
Azure AD Connector

Authenticate WPA-Enterprise WiFi users against Microsoft Azure Active Directory (Entra ID) using PEAP-MSCHAPv2 or EAP-TLS, with support for MFA, Conditional Access, and directory synchronization.

Overview

The Azure AD Connector enables:

  • Single identity - Users authenticate to WiFi with their existing Azure AD credentials (password or Intune-issued certificate)
  • Directory Sync - Import users and groups from Azure AD
  • Conditional Access - Apply Azure AD policies to WiFi sign-ins
  • MFA Integration - Multi-factor authentication support, within the limits of what an EAP exchange can carry (see Multi-Factor Authentication below)

Authentication Methods

PEAP-MSCHAPv2

Password-based authentication:

  • Users enter their Azure AD username (UPN) and password
  • Compatible with all devices
  • Requires password hash sync or pass-through auth so that Azure AD can validate the password
  • Security depends on the client validating the RADIUS server certificate before it sends the MSCHAPv2 response; a handshake captured by a rogue access point can be attacked offline

EAP-TLS

Certificate-based authentication:

  • Uses client certificates provisioned to devices via Intune (SCEP)
  • Strongest option: no password is sent, so there is nothing for a rogue access point to capture
  • No password required
  • Clients must still validate the RADIUS server certificate

Prerequisites

  • Azure AD tenant (Entra ID)
  • IronWifi account
  • Entra ID P1 (Azure AD Premium) for Conditional Access, and Intune licensing for EAP-TLS certificate deployment (both optional)

Azure AD Configuration

Step 1: Register Application

  1. Sign in to Azure Portal
  2. Go to Azure Active Directory > App registrations
  3. Click New registration
  4. Configure:
    • Name: IronWifi RADIUS
    • Supported account types: Single tenant
    • Redirect URI: Leave blank (not needed for RADIUS)
  5. Click Register

Step 2: API Permissions

  1. Go to API permissions
  2. Click Add a permission
  3. Select Microsoft Graph > Application permissions
  4. Add permissions:
    • User.Read.All (Application)
    • Group.Read.All (Application)
    • Directory.Read.All (Application)
  5. Click Grant admin consent

Application permissions run without a signed-in user and apply to the whole tenant, which is why they need admin consent; keep them read-only. Directory.Read.All already covers reading users and groups, so if the connector syncs correctly with only User.Read.All and Group.Read.All, leave it out.

Step 3: Create Client Secret

  1. Go to Certificates & secrets
  2. Click New client secret
  3. Set a description and the shortest expiry your rotation process can handle, and record the expiry date
  4. Copy the secret value (shown only once) and store it in a secrets manager; combined with the permissions above it grants read access to the whole directory

Step 4: Note Configuration Details

Record these values:

  • Application (client) ID: Found in Overview
  • Directory (tenant) ID: Found in Overview
  • Client Secret: Created in step 3
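Steps 2 to 4 leave the connector holding an application credential with tenant-wide read rights, so it is worth checking the registration the way you would any service account. The following is an added example, not IronWifi's or Microsoft's code: it audits the app registration's Manifest JSON (App registrations > Manifest) for permissions beyond the user and group reads the sync needs and for secrets that are expired or close to expiry. The Graph role GUIDs are the well-known Microsoft Graph application permission IDs; the manifest, names and dates are constructed sample data, not a real tenant.

```python
"""Audit an app registration manifest for the IronWifi RADIUS connector.

Added example, not IronWifi's or Microsoft's code. Checks the JSON shown under
App registrations > Manifest for two things: that the connector only holds read
permissions, and that its client secret is neither expired nor about to expire.
"""
import json
from datetime import datetime, timedelta, timezone

GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"  # Microsoft Graph resource

# Well-known Microsoft Graph application permission (Role) IDs.
GRAPH_ROLES = {
    "df021288-bdef-4463-88db-98f22de89214": "User.Read.All",
    "5b567255-7703-4780-807c-7be8301ae99b": "Group.Read.All",
    "7ab1d382-f21e-4acd-a863-ba3e13f7da61": "Directory.Read.All",
    "19dbc75e-c2e2-444c-a770-ec69d8559fc7": "Directory.ReadWrite.All",
}

# The reads a user/group sync needs; anything beyond this deserves a look.
NEEDED = {"User.Read.All", "Group.Read.All"}


def parse_time(value):
    """Parse the manifest's ISO-8601 timestamp (trailing Z) to an aware UTC datetime."""
    dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def audit_manifest(manifest, now, warn_days=30):
    """Return a list of (severity, message) findings; an empty list means nothing to fix."""
    findings = []
    for resource in manifest.get("requiredResourceAccess", []):
        if resource.get("resourceAppId") != GRAPH_APP_ID:
            findings.append(("warn", f"permissions requested on non-Graph resource "
                                     f"{resource.get('resourceAppId')}; the connector only needs Graph"))
            continue
        for access in resource.get("resourceAccess", []):
            name = GRAPH_ROLES.get(access.get("id"))
            if name is None:
                findings.append(("warn", f"unrecognised Graph permission id {access.get('id')}; "
                                         "look it up before granting admin consent"))
            elif access.get("type") != "Role":
                findings.append(("warn", f"{name}: delegated (Scope) permission has no signed-in "
                                         "user in a RADIUS backend; remove it"))
            elif "Write" in name:
                findings.append(("high", f"{name}: write permission is not needed for directory sync"))
            elif name not in NEEDED:
                findings.append(("info", f"{name}: broader than the user/group reads the sync needs"))

    creds = manifest.get("passwordCredentials", [])
    if not creds:
        findings.append(("warn", "no client secret configured; the connector cannot sign in"))
    for cred in creds:
        # Graph-style manifests use endDateTime; older exports used endDate.
        end = parse_time(cred.get("endDateTime") or cred["endDate"])
        label = cred.get("displayName") or cred.get("keyId")
        if end <= now:
            findings.append(("high", f"secret '{label}' expired {end:%Y-%m-%d}; sync and sign-ins fail"))
        elif end - now <= timedelta(days=warn_days):
            findings.append(("warn", f"secret '{label}' expires {end:%Y-%m-%d}; create the new secret "
                                     "and update the IronWifi connector before then"))
    return findings


# Constructed sample manifest (not a real tenant): the three roles from Step 2
# plus one expired secret and one that expires within the warning window.
SAMPLE_MANIFEST = json.loads("""
{
  "displayName": "IronWifi RADIUS",
  "signInAudience": "AzureADMyOrg",
  "requiredResourceAccess": [
    {"resourceAppId": "00000003-0000-0000-c000-000000000000",
     "resourceAccess": [
       {"id": "df021288-bdef-4463-88db-98f22de89214", "type": "Role"},
       {"id": "5b567255-7703-4780-807c-7be8301ae99b", "type": "Role"},
       {"id": "7ab1d382-f21e-4acd-a863-ba3e13f7da61", "type": "Role"}]}
  ],
  "passwordCredentials": [
    {"displayName": "ironwifi-2023", "keyId": "11111111-1111-1111-1111-111111111111",
     "endDateTime": "2024-01-15T00:00:00Z"},
    {"displayName": "ironwifi-2024", "keyId": "22222222-2222-2222-2222-222222222222",
     "endDateTime": "2024-07-10T00:00:00Z"}
  ]
}
""")

# Fixed "now" so the sample is reproducible; use datetime.now(timezone.utc) in practice.
AUDIT_TIME = datetime(2024, 6, 20, tzinfo=timezone.utc)

if __name__ == "__main__":
    for severity, message in audit_manifest(SAMPLE_MANIFEST, AUDIT_TIME):
        print(f"[{severity}] {message}")
```

Run it against the real manifest by replacing SAMPLE_MANIFEST with the JSON pasted from the portal and AUDIT_TIME with the current time; a "high" finding on an expired secret is the same condition that shows up as sync errors in the connector logs, so it is cheaper to catch here on a schedule than in the troubleshooting section.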

IronWifi Configuration

Step 1: Create Azure AD Connector

  1. Log in to IronWifi Console
  2. Go to Users > Connectors
  3. Click New Connector > Azure AD

Step 2: Enter Azure AD Details

Configure the connector:

  • Name: Azure AD (or your preferred name)
  • Tenant ID: Your Azure AD tenant ID
  • Client ID: Application ID from Azure
  • Client Secret: Secret value from Azure

Step 3: Configure Authentication

Select authentication mode:

Option A: Password Hash Sync

  • Requires Azure AD Connect with password hash synchronization; Azure AD validates the password itself
  • Works with standard PEAP-MSCHAPv2

Option B: Pass-through Authentication

  • Azure AD forwards password validation to on-premises AD through the PTA agents, so the agents must be reachable for WiFi logins to succeed
  • Requires Azure AD Connect with PTA agents

Step 4: User Mapping

Configure how Azure AD users map to IronWifi:

  • Username format: user@domain.com or domain\user
  • Group mapping: Map Azure AD groups to IronWifi groups
  • Attribute mapping: Map custom attributes

PEAP-MSCHAPv2 Setup

Prerequisites

  • Password hash synchronization enabled in Azure AD Connect
  • Or pass-through authentication configured

Enable in IronWifi

  1. In your Network settings, enable PEAP-MSCHAPv2
  2. Select Azure AD Connector as identity source
  3. Configure RADIUS attributes

Client Configuration

Configure clients to use:

  • EAP Method: PEAP
  • Inner Method: MSCHAPv2
  • Identity: the user's Azure AD UPN (for example user@yourdomain.onmicrosoft.com)
  • Server certificate validation: enabled, trusting only the CA that issued the IronWifi RADIUS certificate and, where the platform supports it, the expected server name; do not let users accept unknown certificates

See Windows - EAP-PEAP for detailed setup.

EAP-TLS Setup

Prerequisites

  • Microsoft Intune (licensed on its own or as part of an EMS / Microsoft 365 bundle)
  • SCEP configured in IronWifi
  • Devices enrolled in Intune so that certificates can be pushed to them

Certificate Deployment

  1. Configure SCEP with Intune
  2. Deploy certificates via Intune
  3. Clients authenticate using certificates

Conditional Access Integration

Configure Conditional Access

In Azure AD:

  1. Go to Security > Conditional Access
  2. Create new policy
  3. Assign to users/groups
  4. Configure conditions (location, device, risk)
  5. Set grant controls (MFA, compliant device)

IronWifi Integration

Conditional Access is evaluated on every WiFi authentication:

  1. The user authenticates to WiFi
  2. Azure AD evaluates the policies assigned to the IronWifi application
  3. Access is granted or denied based on the result

The evaluation happens inside an EAP exchange, which has no way to show the user a prompt; a policy whose grant control requires interactive MFA therefore denies the sign-in instead of prompting. Create new policies in report-only mode and check the sign-in logs before enforcing them.

Multi-Factor Authentication

Enable MFA

  1. In Azure AD, configure MFA settings
  2. Enable for users/groups
  3. Choose verification methods

WiFi with MFA

For PEAP-MSCHAPv2:

  • MFA state is evaluated when Azure AD validates the password, but the EAP exchange has no channel for an interactive prompt (Authenticator push, verification code)
  • A Conditional Access policy that requires MFA for the IronWifi application denies these sign-ins; test new policies in report-only mode and review the sign-in logs before enforcing

For EAP-TLS:

  • The device certificate is the strong credential; no password is used
  • Whether Azure AD additionally requires MFA is policy-dependent, with the same no-prompt limitation

User Provisioning

Automatic Sync

IronWifi can sync users from Azure AD:

  1. Enable User Provisioning in connector settings
  2. Select groups to sync
  3. Configure sync schedule
  4. Users appear in IronWifi automatically

Group Sync

Map Azure AD groups to IronWifi:

  • Security groups
  • Microsoft 365 groups
  • Dynamic groups

Troubleshooting

Authentication Fails

  1. Verify user exists in Azure AD
  2. Check password is correct, and that the account is not locked out or disabled
  3. Confirm password hash sync (or pass-through authentication) is working
  4. Review Azure AD sign-in logs for the AADSTS error code on the failed entry

"User Not Found"

  1. Check username format matches Azure AD UPN
  2. Verify user is synced to IronWifi
  3. Check group membership if filtered

MFA Prompts Not Working

  1. Verify MFA is enabled for user
  2. Check Conditional Access policies
  3. Neither PEAP-MSCHAPv2 nor EAP-TLS can show an interactive MFA prompt; a policy that requires MFA for WiFi sign-ins fails them rather than prompting

Sync Errors

  1. Verify Azure AD permissions, including that admin consent was granted
  2. Check client secret hasn't expired
  3. Review connector logs in IronWifi

Azure AD Sign-In Logs

Monitor authentications in Azure:

  1. Go to Azure AD > Sign-in logs
  2. Filter by application (the registration created in Step 1, e.g. IronWifi RADIUS)
  3. Review success/failure details and the AADSTS error code
  4. Check Conditional Access results
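Once the filter is applied, the useful signal is the AADSTS error code on each failed entry. The script below is an added example, not IronWifi's or Microsoft's code: it runs over sign-in records in the Microsoft Graph signIn shape (the export from Sign-in logs, or the /auditLogs/signIns API) and separates Conditional Access denials, connector secret problems and password-spray patterns from ordinary wrong-password failures. The application name "IronWifi RADIUS" is the registration name used in Step 1 and the records are constructed sample data.

```python
"""Triage Azure AD sign-in log entries for the IronWifi RADIUS application.

Added example, not IronWifi's or Microsoft's code. Works on records in the
Microsoft Graph signIn shape: appDisplayName, userPrincipalName, ipAddress,
status.errorCode and conditionalAccessStatus.
"""
from collections import Counter, defaultdict

APP_NAME = "IronWifi RADIUS"  # assumed: the app registration name from Step 1

# Entra ID (AADSTS) error codes that matter for a RADIUS backend and what they
# usually mean in this setup.
ERROR_HINTS = {
    50126: "invalid username or password: check PHS/PTA health, or a password spray",
    50034: "user not found: the RADIUS identity must be the Azure AD UPN",
    50053: "account locked by smart lockout",
    50057: "user account is disabled",
    50076: "MFA required by Conditional Access; EAP cannot prompt, so the sign-in fails",
    53003: "blocked by a Conditional Access policy",
    7000215: "invalid client secret configured in the connector",
    7000222: "the connector's client secret has expired",
}


def triage(records, app_name=APP_NAME, spray_threshold=5):
    """Summarise one application's sign-ins: failure codes, Conditional Access
    denials, likely password sprays (one IP failing many distinct users) and
    connector credential problems."""
    successes = 0
    failures = Counter()
    users_per_ip = defaultdict(set)
    ca_denials = []
    connector_issues = set()
    for rec in records:
        if rec.get("appDisplayName") != app_name:
            continue  # other applications' sign-ins are not our concern here
        code = rec.get("status", {}).get("errorCode", 0)
        if code == 0:
            successes += 1
            continue
        failures[code] += 1
        if code == 50126:
            users_per_ip[rec.get("ipAddress")].add(rec.get("userPrincipalName"))
        if rec.get("conditionalAccessStatus") == "failure" or code in (50076, 53003):
            ca_denials.append((rec.get("userPrincipalName"), code))
        if code in (7000215, 7000222):
            connector_issues.add(code)
    sprays = {ip: sorted(users) for ip, users in users_per_ip.items()
              if len(users) >= spray_threshold}
    return {
        "successes": successes,
        "failures": {c: (n, ERROR_HINTS.get(c, "see the AADSTS error reference"))
                     for c, n in failures.items()},
        "conditional_access_denials": ca_denials,
        "possible_password_spray": sprays,
        "connector_issues": sorted(connector_issues),
    }


def _rec(upn, code, ip, ca="notApplied", app=APP_NAME):
    """Build one constructed sign-in record in the Graph signIn shape."""
    return {"appDisplayName": app, "userPrincipalName": upn, "ipAddress": ip,
            "status": {"errorCode": code}, "conditionalAccessStatus": ca}


# Constructed sample: two good logins, one user hitting an MFA policy, one
# mistyped password, a spray of six accounts from one address, an expired
# connector secret, and an unrelated application that must be ignored.
SAMPLE_SIGNINS = [
    _rec("alice@example.onmicrosoft.com", 0, "203.0.113.10", "success"),
    _rec("bob@example.onmicrosoft.com", 0, "203.0.113.11", "success"),
    _rec("carol@example.onmicrosoft.com", 50076, "203.0.113.12", "failure"),
    _rec("bob@example.onmicrosoft.com", 50126, "203.0.113.11"),
    *[_rec(f"user{i}@example.onmicrosoft.com", 50126, "198.51.100.7") for i in range(6)],
    _rec("", 7000222, "203.0.113.20"),
    _rec("alice@example.onmicrosoft.com", 50126, "203.0.113.10", app="Office 365"),
]

if __name__ == "__main__":
    summary = triage(SAMPLE_SIGNINS)
    print(f"successes: {summary['successes']}")
    for code, (n, hint) in sorted(summary["failures"].items()):
        print(f"AADSTS{code}: {n} failure(s); {hint}")
    for upn, code in summary["conditional_access_denials"]:
        print(f"Conditional Access denied {upn} (AADSTS{code})")
    for ip, users in summary["possible_password_spray"].items():
        print(f"possible password spray from {ip}: {len(users)} distinct accounts")
    for code in summary["connector_issues"]:
        print(f"connector credential problem: AADSTS{code}")
```

The spray check keys on distinct usernames per source address rather than raw failure counts, because a single user mistyping a password several times is noise while one address walking through many accounts is not; for a RADIUS backend the source address in the log is usually the IronWifi side rather than the client, so treat a hit as a reason to look at the RADIUS server's own logs for the originating access point.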

Best Practices

  1. Use certificate-based auth when possible (EAP-TLS)
  2. Enable password hash sync for PEAP fallback
  3. Implement Conditional Access for security; start in report-only mode and remember that an EAP exchange cannot answer an MFA prompt
  4. Monitor sign-in logs regularly
  5. Plan for credential rotation (client secrets expire); record the expiry date and rotate before it
  6. Grant the app registration only the read permissions it needs and keep the client secret in a secrets manager
  7. Require RADIUS server certificate validation in every client profile