How do you handle modern infra (cloud only) wifi entreprise auth ?

Posted by HadopiData@reddit | sysadmin | View on Reddit | 26 comments

We're rolling out new access points (fortiAP). Our domain is hybrid (AD+entra). Currently the setup works with NPS on a Windows server. Certificate is pushed out to the machine via GPO -> Wifi AP is setup as WPA3 Entreprise -> Requires certificate in NPS -> Wifi granted There is also a group claim (device must belong to specific group) in order to avoid any certificate from being reused on other device. However we plan to join Android devices to Entra soon, and they won't appear in local AD. That means we can't add them to the group (on-prem), unless we do group machine/writeback which is preferably avoided (goal is to move AWAY from on-prem). **What is the current way to setup WPA Entreprise for orgs that are full cloud ? Is there a Microsoft service i'm unaware of, or is NPS still the way to go?** Thanks for the input. 

Reply to Post

26 Comments

[-]

Foosec@reddit

Calling that modern hurt me

[-]

HadopiData@reddit (OP)

Please elaborate

[-]

Foosec@reddit

Im honestly of the opinion that moving things to the last is in the vast majority of cases a regression

[-]

MikaelJones@reddit

Our go-to is moving away from what you’re describing. Put everything outside on the untrusted network and let them connect to a WPA2 or even guest network. Zero Trust so only let trusted clients communicate with your ”stuff”.

[-]

BasicallyFake@reddit

Wouldn't a corporate owned and managed device be trusted in this case?

[-]

chesser45@reddit

Yes but everything is inherently untrusted so you don’t worry about it. Then build your security from there. Your wired stuff and core is segmented and that’s where the delineation is.

[-]

planedrop@reddit

>fortiAP I'm sorry > goal is to move AWAY from on-prem I'm sorry I promise this is sarcasm. Anyway, have you thought about doing a more zero trust/SASE style design like some others here have mentioned? Might be worth considering, could reduce complexity. It's still got it's issues of course but it's at least worth looking into.

[-]

chefkoch_@reddit

Push certs via mdm / intune.

[-]

finobi@reddit

With NPS and Hybrid you can use user based certificates for synced user accounts. There is also certificate strong mapping requirement coming which afaik would enforce you to use MS CA if you want to use NPS etc: [https://support.microsoft.com/en-us/topic/kb5014754-certificate-based-authentication-changes-on-windows-domain-controllers-ad2c23b0-15d8-4340-a468-4d4f3b188f16](https://support.microsoft.com/en-us/topic/kb5014754-certificate-based-authentication-changes-on-windows-domain-controllers-ad2c23b0-15d8-4340-a468-4d4f3b188f16) I think MS is pretty much ignoring network authentication with their cloud offering. I think Aruba Clearpass has Azure solution and now Juniper Mist apparently Azure SSO solution too.

[-]

HadopiData@reddit (OP)

The solutions you present are all user based right? Meaning there can not be wifi auth tied to the machine (before user logon) ? It's disappointing that MS doesn't provide a clear answer for this when there is an abvious need.

[-]

JwCS8pjrh3QBWfL@reddit

MS' answer is that you shouldn't be doing device-based auth, you should be doing cert based auth with SCEP. Unfortunately until a new wi-fi auth standard comes out that gets rid of the requirement for RADIUS, we're stuck with it.

[-]

finobi@reddit

Yes, I tried once get the machine auth working but NPS demands correspongin AD object. Tried to trick it with bogus AD machine objects or with write-back machine objects but it didn't work. I think if you use 3rd party radius server that will require only the certificate you may get it working. Machine based management is also otherwise difficult in Intune so I feel discouraged to make anything machine based policies or app distribution etc, except "All Machines"

[-]

stesha83@reddit

Fortinac with intune or some other MDM doing the conditional access? Assuming your Android devices are managed.

[-]

bfodder@reddit

We use MDM to issue a computer client auth cert to the local system with a common name of the username. Windows uses the cert for machine auth so it can connect at the login screen, Cisco ISE sees a username and searches AD for a username instead of machine name for auth.

[-]

flatvaaskaas@reddit

Intune certificate connector: Connector in Intune, which runs an agent on the OnPrem AD joined ADCS server (assuming you have one). The agent requests a certificate for the laptop via a specific template, and hands it over to Intune to push it to the laptop. Laptop can then connect to wifi AP's with a certificate

[-]

Bearly_OwlBearable@reddit

Since we are work from home most of the time we decided to make wifi wpa3 psk push by intune Our wifi only give access to internet and have host isolation activated User need to use ztna/vpn tunnel or Citrix to access internal ressource wether in office or at home All office have an internet connection redondant The next gen firewall at the office do web filtering When at home the ztna/vpn client do the web filtering For us this setup added a layer of security while also simplifying management by centralizing the way user access the ressource It also simpler for our support to help our user as we know that wether they are at home or in office they access ressource the same way

[-]

HadopiData@reddit (OP)

Do you roll the PSK ? Otherwise what's preventing it from leaking

[-]

Bearly_OwlBearable@reddit

Psk is controlled by intune We use mist so we have multiple multiple psk active at the same time when we changed it to allow time for the workstation to receive the new key from intune Soo yes we do roll out the psk User don’t have access to the psk and they are not admin of their machine We have a separate SSID and vlan for byod that is secure by an wpa3 psk also but this network is bandwidth limited I understand there it is less secure than machine certificate but we have restricted the access the wifi give by only giving it access to internet To access our less secure app user need to have ztna/vpn with mfa or VDI infrastructure which secure those traffic in their respective ssl tunnel Cloud native app like 365 are access directly with https Where we can authentification is always with entra id and 2fa with conditional access

[-]

AppIdentityGuy@reddit

I might be missing something. How does the group membership protect you if the certificate along with its private key is stolen. Device B is now spoofing Device A so will still be in the group or do I have that wrong? Do those Wi-Fi APs support SAML/Oauth authentication.

[-]

HadopiData@reddit (OP)

When the device is presenting itself to the radius server, there is a kerberos auth being transmitted; then NPS can verifiy that the presented device does in fact belong to the group. Contrary to the certificate claim, which if you export the certificate on another device, it would work. (Also users shouldn't be able to export the certificate, not being local admin..) Unsure about SAML/Oauth but that would not work for our goal. We aim to have the machines be authenticated to wifi (not the user), so that the machine can be connected before logging into an account. SAML needs a user and can't be tied back to a device (i think ?)

[-]

abofh@reddit

Strictly speaking saml doesn't specify the authentication and it can be any method as long as the SP is compliant. But nobody authenticates machines with saml that I've ever heard of, just tls certs or similar.

[-]

AppIdentityGuy@reddit

In this config the user is not entering their credentials right ie username and password? Except for the group membership thing certificate based auth should work for the Android devices. The hard part is getting the certificate to those devices. Are those devices owned by the business or managed by Intune? If so you can use Intune to deploy certificates to the devices. There is documentation around doing this through NDES.

[-]

HadopiData@reddit (OP)

In the current config, the user does not enter any username or password. Authentication is tied back to the machine certificate, NPS couldn't care less who the user is. This is wanted, so that the domain controllers may be joined before auth. Certificates are owned by use in our on-prem CA, deployed with GPO. It shouldn't be too hard to get a certificate to the android device. Although the group claim seems complicated (might need to be bypassed for those devices). I guess my question is "what will we do when we move away from on-prem ?", to which so far the answer seems to be "3rd party Saas radius". Which we're not fond of, introduces a potential weak link.

[-]

How do you handle modern infra (cloud only) wifi entreprise auth ?

Reply to Post

26 Comments

Foosec@reddit

HadopiData@reddit (OP)

Foosec@reddit

MikaelJones@reddit

BasicallyFake@reddit

chesser45@reddit

planedrop@reddit

chefkoch_@reddit

finobi@reddit

HadopiData@reddit (OP)

JwCS8pjrh3QBWfL@reddit

finobi@reddit

stesha83@reddit

bfodder@reddit

flatvaaskaas@reddit

Bearly_OwlBearable@reddit

HadopiData@reddit (OP)

Bearly_OwlBearable@reddit

AppIdentityGuy@reddit

HadopiData@reddit (OP)

abofh@reddit

AppIdentityGuy@reddit

HadopiData@reddit (OP)

notapplemaxwindows@reddit

jxd1234@reddit

ElevenNotes@reddit