Re: [WIRELESS-LAN] Azure AD and RADIUS - anyone moved this direction?
Minimal DC footprint, mostly security related. Almost all of our services are now SaaS, so with the exception of security-related items and DHCP, there isn’t anything else left. I was concerned with RTT, but our primary Azure DC is about 30ms roundtrip.

Jeff

From: "wireless-lan@listserv.educause.edu" on behalf of "Turner, Ryan H"
Reply-To: "wireless-lan@listserv.educause.edu"
Date: Wednesday, September 25, 2019 at 11:43 AM
To: "wireless-lan@listserv.educause.edu"
Subject: Re: [WIRELESS-LAN] Azure AD and RADIUS - anyone moved this direction?

I know that most times RTT between campus and cloud is low, but I just think it’s something to be fearful of when authentication times matter. You really are going to have no data center footprint to host local services?

From: The EDUCAUSE Wireless Issues Community Group Listserv On Behalf Of Jeffrey D. Sessler
Sent: Wednesday, September 25, 2019 2:10 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Azure AD and RADIUS - anyone moved this direction?

Curious if anyone has moved their RADIUS to authenticating against Azure AD, and if so, what path did you take? There doesn’t seem to be a clear MS solution other than standing up domain services for Azure AD and running an NPS VM, and I’ve also found a couple of RaaS (radius as a service) offerings such as Jumpcloud.

Would welcome feedback. We’re just about out of our datacenter for most operations, and radius has been one of those important but low-hanging items that I’m now focused on.

Jeff

--
Jeff Sessler
Executive Director, Information Technology
Scripps College

**
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community
Re: [WIRELESS-LAN] Azure AD and RADIUS - anyone moved this direction?
I am not an expert in radius or AzureAD. But my understanding is that you cannot have a machine “joined” to AzureAD. This prevents most of the common deployment models like AD integrated ISE or ClearPass where you rely on Kerberos and NTLM by joining the node to the domain.

The solution has been to move to a Hybrid deployment and have a local AD box you can integrate to. Or just running a regular DC in Azure and integrating radius there.

In a perfect world, you would move to EAP-TLS to remove the need for NTLM and Kerberos, which need an AD joined machine. I believe you can do LDAP for attribute lookup against AzureAD. Alas I don’t think they have the equivalent of AD certificate services in AzureAD to get certs for all your devices.

I would love to hear if anyone is doing something that works well.

Sent from my iPhone

On Sep 25, 2019, at 12:43 PM, Turner, Ryan H wrote:

> I know that most times RTT between campus and cloud is low, but I just think
> it’s something to be fearful of when authentication times matter. You really
> are going to have no data center footprint to host local services?
>
> From: The EDUCAUSE Wireless Issues Community Group Listserv
> On Behalf Of Jeffrey D. Sessler
> Sent: Wednesday, September 25, 2019 2:10 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: [WIRELESS-LAN] Azure AD and RADIUS - anyone moved this direction?
>
> Curious if anyone has moved their RADIUS to authenticating against Azure AD,
> and if so, what path did you take? There doesn’t seem to be a clear MS
> solution other than standing up domain services for Azure AD and running an
> NPS VM, and I’ve also found a couple of RaaS (radius as a service) offerings
> such as Jumpcloud.
>
> Would welcome feedback. We’re just about out of our datacenter for most
> operations, and radius has been one of those important but low-hanging items
> that I’m now focused on.
>
> Jeff
>
> --
> Jeff Sessler
> Executive Director, Information Technology
> Scripps College
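Added example, not part of the thread and not any poster's configuration: the contrast described in the message above (NTLM-backed authentication that needs a domain-joined RADIUS host versus EAP-TLS that does not), sketched as FreeRADIUS 3.x module fragments. FreeRADIUS itself, the file names and the issuing CA are assumptions; the thread names NPS, ISE and ClearPass and leaves open where device certificates would come from.

```conf
# --- Before: PEAP-MSCHAPv2 ------------------------------------------------
# mods-available/mschap
# The inner MSCHAPv2 response is verified by handing it to winbind through
# ntlm_auth. That helper only works on a host that is joined to the AD
# domain, which is the dependency the message above describes.
mschap {
    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
}

# --- After: EAP-TLS -------------------------------------------------------
# mods-available/eap
# The server authenticates the client by validating its certificate against
# a CA it trusts locally. No NTLM, Kerberos or domain join is involved, so
# the RADIUS host has no directory dependency at authentication time.
eap {
    default_eap_type = tls

    tls-config tls-common {
        # Server identity presented to supplicants (placeholder file names).
        private_key_file = ${certdir}/radius-server.key
        certificate_file = ${certdir}/radius-server.pem

        # CA that issues the device/user certificates (placeholder; the
        # thread does not say which CA service would fill this role).
        ca_file = ${cadir}/device-issuing-ca.pem

        # Disabling a directory account does not invalidate a certificate,
        # so revocation has to be checked here. Requires current CRLs,
        # hashed with c_rehash, in ca_path.
        ca_path = ${cadir}
        check_crl = yes

        tls_min_version = "1.2"
    }

    tls {
        tls = tls-common
    }
}
```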
RE: Azure AD and RADIUS - anyone moved this direction?
I know that most times RTT between campus and cloud is low, but I just think it’s something to be fearful of when authentication times matter. You really are going to have no data center footprint to host local services?

From: The EDUCAUSE Wireless Issues Community Group Listserv On Behalf Of Jeffrey D. Sessler
Sent: Wednesday, September 25, 2019 2:10 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Azure AD and RADIUS - anyone moved this direction?

Curious if anyone has moved their RADIUS to authenticating against Azure AD, and if so, what path did you take? There doesn’t seem to be a clear MS solution other than standing up domain services for Azure AD and running an NPS VM, and I’ve also found a couple of RaaS (radius as a service) offerings such as Jumpcloud.

Would welcome feedback. We’re just about out of our datacenter for most operations, and radius has been one of those important but low-hanging items that I’m now focused on.

Jeff

--
Jeff Sessler
Executive Director, Information Technology
Scripps College
Azure AD and RADIUS - anyone moved this direction?
Curious if anyone has moved their RADIUS to authenticating against Azure AD, and if so, what path did you take? There doesn’t seem to be a clear MS solution other than standing up domain services for Azure AD and running an NPS VM, and I’ve also found a couple of RaaS (radius as a service) offerings such as Jumpcloud.

Would welcome feedback. We’re just about out of our datacenter for most operations, and radius has been one of those important but low-hanging items that I’m now focused on.

Jeff

--
Jeff Sessler
Executive Director, Information Technology
Scripps College