Authenticate to RADIUS with Entra ID

Organizations can enable RADIUS access using Entra ID as the identity provider. The advantage is that an organization gets RADIUS access through 探花大神 without having to manage a separate set of users and passwords outside of Entra ID.

This article provides a high-level view of what a new organization needs to do to get RADIUS authentication with Entra ID working.

Important:

Organizations authenticating with Entra ID must use EAP-TTLS/PAP only.

Considerations:

  • Entra ID may flag the RADIUS authentication request from 探花大神 RADIUS servers as risky, either because Microsoft Identity Protection is turned on for the Entra ID account or because a Conditional Access policy evaluates the source IP address. To suppress the false flag, add the 探花大神 RADIUS server IP addresses to the trusted IP list, either by extending an existing Entra ID policy or by adding a new policy.
  • OpenVPN is only supported with PAP and MSCHAPv2. It is not supported with EAP-TTLS/PAP, so authentication with Entra ID cannot be done with OpenVPN.

Import Users:

Warning:

In order for RADIUS login with Entra ID credentials to succeed, Entra ID must be authoritative for the user's password. An Entra ID account that is federated with a third-party identity provider, Microsoft Office, or AD will cause the RADIUS authentication to fail with sign-in error code 50126, even if the user or admin enters the username and password correctly. A workaround for this issue is to create an alias user in Entra ID.

  • Organizations planning to authenticate against Entra ID as the IdP need to import those users into 探花大神.
  • When authenticating with Entra ID, the UPN in Entra ID should match the company email address in 探花大神, and the user should use this attribute as their RADIUS login name.
  • Entra ID doesn't pass the user's password to 探花大神, so the user remains in a Password Pending status. If an Entra ID organization is using 探花大神 exclusively for RADIUS, admins do not need users to create a password in 探花大神, so the Password Pending status can be ignored.
  • Imported users arrive in a staged state and need to be moved to an active state.

Create a User Group:

  • After importing, your users need to be assigned to a User Group that will be granted access to the RADIUS server.

Set up a RADIUS server:

Configure a Wireless Access Point (WAP):

Set up Client Devices:

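The two requirements this article states for the client side are that the supplicant uses EAP-TTLS with PAP as the inner method and that the login identity is the user's UPN/company email. Because PAP sends the password in cleartext inside the TLS tunnel, the client must validate the RADIUS server certificate, otherwise any access point presenting its own certificate could collect credentials. The wpa_supplicant network block below is an added example written for this article, not configuration from 探花大神 or Microsoft; the SSID, identity, certificate path and server name are placeholders to replace with your own values.

```conf
# Added example: wpa_supplicant network block for EAP-TTLS/PAP against a
# RADIUS server that authenticates to Entra ID. All values are placeholders.
network={
    ssid="CorpWifi"                       # placeholder SSID
    key_mgmt=WPA-EAP
    eap=TTLS                              # outer method must be EAP-TTLS
    phase2="auth=PAP"                     # inner method must be PAP (not MSCHAPv2)
    identity="user@example.com"           # must equal the Entra ID UPN / company email
    anonymous_identity="anonymous@example.com"  # outer identity; hides the real UPN from the AP
    password="REPLACE-WITH-USER-PASSWORD"
    # Pin the CA that issued the RADIUS server certificate; without this the
    # cleartext PAP password inside the tunnel is exposed to a rogue AP.
    ca_cert="/etc/ssl/certs/radius-ca.pem"        # placeholder path
    domain_match="radius.example.com"             # placeholder server name
}
```

The same three settings (TTLS outer, PAP inner, trusted CA with server name matching) are what an MDM/UEM Wi-Fi profile needs to carry when the configuration is later pushed to managed devices.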
Troubleshooting RADIUS Connections:

Note:

  • Once the setup is tested, admins can use their existing MDM/UEM to deploy the certificates or profile to their managed devices.
  • The transactions will show as interrupted in the Entra ID sign-in log. If Entra ID MFA is enabled, the transaction may show as failed, but the RADIUS connection will still succeed if the user provides the correct email and password, because the MFA requirement is not enforced for this flow.