ºÚÁϺ£½Ç91Èë¿Ú

Authenticate to RADIUS with Entra ID

Organizations can enable RADIUS access using Entra ID as the identity provider. This gives an organization secure RADIUS access through the directory platform without having to manage users and passwords outside of Entra ID.

This article gives a high-level view of what a new organization needs to do to get RADIUS authentication with Entra ID working.

Important:

Organizations authenticating with Entra ID must use EAP-TTLS/PAP only.

Considerations:

  • Entra ID may flag the RADIUS authentication request from the platform's RADIUS servers as risky, because Microsoft Identity Protection is turned on for the Entra ID account or a Conditional Access policy is based on the IP address. To suppress the false flag, add the platform's RADIUS server IP addresses to the trusted IP list, either by extending an existing Entra ID policy or by adding a new policy.
  • OpenVPN is only supported with PAP and MSCHAPv2. It is not supported with EAP-TTLS/PAP, so authentication with Entra ID cannot be done over OpenVPN.

Import Users:

Warning:

For RADIUS login with Entra ID credentials to succeed, Entra ID must be authoritative for the user's password. An Entra ID account that is federated with a third-party identity provider, Microsoft Office, or AD will cause the RADIUS authentication to fail with sign-in error code 50126 even if the user or admin enters the username and password correctly. A workaround for this issue is to create an alias user in Entra ID.

  • Organizations planning to authenticate with Entra ID as the IdP need to import those users into the platform.
  • When authenticating with Entra ID, the UPN in Entra ID should match the company email address in the platform, and the user should use this attribute for their RADIUS login.
  • Entra ID doesn't pass the user's password to the platform, so the user remains in a Password Pending status. If an Entra ID organization uses the platform exclusively for RADIUS, admins do not need users to create a password in the platform, so the Password Pending status can be ignored.
  • Imported users arrive in a staged state and need to be moved to an active state.

Create a User Group: 

  • After importing, your users need to be assigned to a User Group that will be granted access to the RADIUS server.

Set up a RADIUS server:

Configure a Wireless Access Point (WAP):

Set up Client Devices:

Troubleshooting RADIUS Connections:

Note:
  • Once the setup is tested, admins can leverage their existing MDM/UEM to deploy the certificates or profile to their managed devices.
  • The transactions will show as interrupted in the Entra ID sign-in log. If Entra ID MFA is enabled, the transaction may show as failed, but the RADIUS connection will still succeed if the user provides the email and password correctly; Entra ID ignores the MFA requirement for this RADIUS flow.
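To make the sign-in-log behaviour above actionable, here is an added Python triage (not from the article or the vendor) run over constructed Entra ID sign-in records: it keeps only requests that came from the RADIUS server IPs, separates the federated-account 50126 case (alias user needed) from an ordinary bad password, and lists UPNs that have no matching company email in the directory import. The record field names (`userPrincipalName`, `ipAddress`, `status.errorCode`) are assumed to follow the Microsoft Graph signIn shape, and the IPs, UPNs and directory list are placeholders.

```python
# Constructed sample records in the shape of Microsoft Graph signIn entries
# (only the fields used here; field names assumed to match that schema).
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@example.com", "ipAddress": "203.0.113.10",
     "status": {"errorCode": 0}},              # successful RADIUS login
    {"userPrincipalName": "bob@example.com", "ipAddress": "203.0.113.10",
     "status": {"errorCode": 50126}},          # federated account: Entra ID not authoritative
    {"userPrincipalName": "carol@example.com", "ipAddress": "203.0.113.10",
     "status": {"errorCode": 50126}},          # cloud-only account: genuine bad credentials
    {"userPrincipalName": "dave@example.com", "ipAddress": "198.51.100.7",
     "status": {"errorCode": 50126}},          # not from a RADIUS server: out of scope
]
RADIUS_SERVER_IPS = {"203.0.113.10"}   # placeholder: substitute the provider's published RADIUS IPs
FEDERATED_UPNS = {"bob@example.com"}   # accounts federated to AD or a third-party IdP
DIRECTORY_EMAILS = {"alice@example.com", "bob@example.com", "carol@example.com"}


def radius_signin_triage(signins, radius_ips, federated_upns):
    """Classify sign-ins that originated from the RADIUS servers; returns {upn: verdict}."""
    verdicts = {}
    for rec in signins:
        if rec.get("ipAddress") not in radius_ips:
            continue                       # interactive or other sign-in, not a RADIUS request
        upn = rec["userPrincipalName"]
        code = rec.get("status", {}).get("errorCode", 0)
        if code == 0:
            verdicts[upn] = "ok"
        elif code == 50126 and upn in federated_upns:
            # Entra ID does not own this password: the article's alias-user workaround applies
            verdicts[upn] = "federated: create an alias user in Entra ID"
        elif code == 50126:
            verdicts[upn] = "bad credentials: confirm UPN matches company email and password"
        else:
            verdicts[upn] = f"review: error code {code}"
    return verdicts


def upns_missing_from_directory(signins, directory_emails):
    """UPNs seen in the log that have no matching company email in the directory import."""
    return {r["userPrincipalName"] for r in signins} - set(directory_emails)


if __name__ == "__main__":
    for upn, verdict in radius_signin_triage(SAMPLE_SIGNINS, RADIUS_SERVER_IPS, FEDERATED_UPNS).items():
        print(f"{upn}: {verdict}")
    print("no directory match:", upns_missing_from_directory(SAMPLE_SIGNINS, DIRECTORY_EMAILS))
```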
