A Guide to Deploying RADIUS with the Microsoft Office 365 Suite
As far as productivity suites go, none are as widely used as Microsoft’s Office 365. It’s a safe bet to assume most organizations use it in some fashion or another, which makes it a great option for getting your feet wet with advanced network security options like RADIUS authentication.
Given the meteoric rise in cybercrime, it is imperative to upgrade your network as a preventative measure rather than a reactionary measure. Staying one step ahead is the only way to ensure a safe network. With Office 365, you’re already halfway there. This article will discuss several options for enhancing your network security with the tools already available to you.
Why Use 802.1X RADIUS Authentication?
Unfortunately, many organizations don’t have the resources or expertise to properly secure their networks. They rely on flat WPA-PSK (pre-shared key) networks that are susceptible to attack from dozens of vectors and have no additional security beyond the perimeter level.
When a hacker breaches such a network, they have full access to everything stored on the organization’s network. Attacks like these cost a small business more than $200k on average and frequently lead to the business collapsing.
802.1X authentication addresses the issue by using a AAA or RADIUS server to authenticate users, each with their own unique credentials. This makes it more difficult for malicious actors to gain access, but still not impossible.
The undisputed best method for securing wired and wireless networks is to use a WPA2-Enterprise 802.1X network and the EAP-TLS authentication protocol so that you can leverage X.509 digital certificates instead of password-based credentials. Certificates are virtually immune to over-the-air attacks and phishing attempts because of the public-private key cryptography that underpins the technology.
Fortunately, you can use your existing Office 365 credentials to skip a few steps and facilitate setting up the necessary infrastructure for RADIUS authentication, as well as an optional PKI for certificate-based RADIUS authentication. Here’s how:
Sync Office 365 Credentials to Azure AD
Did you know your Office 365 subscription comes with a free Azure AD subscription? Office uses Azure AD behind the scenes for identity management anyway, so it’s little more than a formality to set up an account and access the identity directory for all of your users.
Once your Azure AD is up and running, you need to configure a RADIUS server to handle the authorization and authentication requests. Unfortunately, you’ll probably run into some obstacles if you attempt to remain within the Microsoft ecosystem.
NPS as a RADIUS Server
Historically, most people would simply use Microsoft’s Network Policy Server (NPS) as their RADIUS server. NPS wasn’t built for the cloud, however, and can’t directly interface with the Azure AD directory. There is an extension that grants limited functionality, but the reality is that it is only sufficient for on-premises AD networks.
Azure MFA as a RADIUS Server
Azure MFA, included in the subscription, can be configured to authenticate RADIUS requests. Unfortunately, much like NPS, it’s a very bare-bones implementation and hardly a replacement for a real RADIUS server. It’s limited to PAP/MSCHAPv2 authentication, which has had known vulnerabilities for years. Attackers can exploit these protocols to obtain user login information from devices that are not properly configured to connect only to trusted RADIUS servers.
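The point about devices that are not configured to connect only to trusted RADIUS servers, together with the earlier recommendation of EAP-TLS, can be checked on the client side. The following is an added example, not code from this article or from SecureW2: it audits a Linux wpa_supplicant configuration for pre-shared-key networks, missing server validation and EAP methods other than TLS. The sample configuration, SSIDs, file paths and domain name are constructed, and each network block is assumed to set key_mgmt explicitly.

```python
import re
# Constructed sample wpa_supplicant.conf (SSIDs, paths and names are made up).
SAMPLE_CONF = """
network={
    ssid="corp-psk"
    key_mgmt=WPA-PSK
    psk="constructed-passphrase"
}
network={
    ssid="corp-peap"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
}
network={
    ssid="corp-tls"
    key_mgmt=WPA-EAP
    eap=TLS
    ca_cert="/etc/ssl/certs/example-radius-ca.pem"
    domain_suffix_match="radius.example.com"
    client_cert="/etc/wpa/user.pem"
    private_key="/etc/wpa/user.key"
}
"""
NAME_KEYS = ("domain_suffix_match", "domain_match", "subject_match", "altsubject_match")

def parse_networks(text):
    """Return one {key: value} dict per network={...} block."""
    nets = []
    for body in re.findall(r"network=\{(.*?)\n\}", text, re.S):
        pairs = (l.strip().split("=", 1) for l in body.splitlines()
                 if "=" in l and not l.strip().startswith("#"))
        nets.append({k.strip(): v.strip().strip('"') for k, v in pairs})
    return nets

def audit(net):
    """Return the findings for one parsed block; an empty list means none."""
    if not any(k.startswith(("WPA-EAP", "IEEE8021X")) for k in net.get("key_mgmt", "").split()):
        return ["no 802.1X: shared key or open network"]
    findings = []
    if not (net.get("ca_cert") or net.get("ca_path")):
        findings.append("no ca_cert: RADIUS server certificate is not validated")
    if not any(net.get(k) for k in NAME_KEYS):
        findings.append("no server name check: any server under the CA is accepted")
    if net.get("eap", "").upper().split() != ["TLS"]:
        findings.append("EAP method other than TLS allowed: prefer eap=TLS with certificates")
    return findings

def audit_config(text):
    return {n.get("ssid", "?"): audit(n) for n in parse_networks(text)}
```

Calling `audit_config(SAMPLE_CONF)` returns a mapping from SSID to findings; only the EAP-TLS block with a pinned CA and server name comes back empty.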
Use Office 365 Credentials to Provision Digital Certificates
Frankly, it’s foolish to use improvised RADIUS servers to protect user identity and network resources. Given the surprisingly low cost of managed Cloud RADIUS servers, it’s a no-brainer to choose the purpose-built option.
SecureW2’s Cloud RADIUS solution is totally vendor-neutral, able to integrate with your existing network infrastructure to fill in the gaps or build a full WPA2-Enterprise network from the ground up. You can sync your newly acquired Azure AD directory to our identity management platform for unparalleled control – implementing group policies and VLANs for network segmentation, credential and certificate management, and more.
With the addition of our PKI, you can effectively convert your users’ existing Office 365 credentials into digital certificates supported by Azure (and a huge number of other services and web apps) by using our first-in-class onboarding software that configures both managed and BYOD devices for a guided self-enrollment process. Your end users can painlessly enroll for certificates and be among the first people in the world to use truly passwordless Azure authentication.
We have affordable options for organizations of all sizes.