
The Architect's Guide to Entra ID Wi-Fi Migration

2025-11-24
WiFi Universe Team

Part 1: Bridging the BYOD Gap

The enterprise technology landscape is undergoing a seismic shift from on-premises, perimeter-based security to cloud-native Zero Trust architectures. At the center of this transformation is the migration from Active Directory (AD) to Microsoft Entra ID (formerly Azure AD).

While Entra ID excels at securing SaaS applications via OIDC and SAML, it introduces a "Network Discontinuity" at the wireless edge: it offers no RADIUS service and exposes none of the interfaces (LDAP, NTLM, GPO-driven client configuration) that a legacy 802.1X deployment leans on. This guide outlines two distinct strategic pathways to bridge this gap: the Cloud PKI / Agent model and the Passpoint / Derived Credential model.

1. The "Protocol Gap": Why Legacy Auth Fails

Network engineers often attempt to "lift and shift" existing authentication models, but standard WPA2-Enterprise protocols break in the cloud.

  • The NTLM Void: PEAP-MSCHAPv2 is a challenge/response exchange that the RADIUS server can only verify with the user's NT hash, which NPS obtains from a domain controller. Entra ID exposes no NT hash and no interface for that check, so the validation is impossible without a hybrid setup (an on-prem domain controller or Entra Domain Services kept in sync). MSCHAPv2 is also only as strong as the password and PEAP's server-certificate check; a client that skips that check hands its challenge/response to any rogue access point.
  • The "NPS Extension" Trap: The NPS Extension for Azure MFA inserts an interactive MFA prompt into a RADIUS exchange that was never designed to wait. Wireless controllers retransmit or abandon a RADIUS request within seconds, and the supplicant's EAP timers are similarly short, so a push notification the user approves twenty seconds later arrives after the connection has already failed. Clients then retry automatically, producing a stream of prompts that trains users into "MFA fatigue".

The Universal Fix: Both strategies below solve this by pivoting from passwords to derived credentials (Certificates or Tokens) that do not rely on legacy AD hashes.


2. Strategy A: The Cloud PKI & Agent Model

The Infrastructure-Centric Approach

This is the standard "Enterprise" approach, focusing on replicating the granular control of on-prem AD CS.

The Architecture

You deploy a cloud PKI together with a cloud RADIUS service (e.g., SecureW2, Scepman, Foxpass) that acts as the authentication authority: clients present an X.509 certificate over EAP-TLS and the RADIUS server validates it against the CA it trusts, with no password involved.

The Mechanism

  • Managed Devices: Microsoft Intune pushes SCEP profiles so devices enrol for certificates silently; the certificate's subject or SAN (typically the UPN or the Intune device ID) is what the RADIUS server later maps to an Entra user or device.
  • BYOD: Users download an "Onboarding Agent" (app or executable). This agent programmatically configures the Wi-Fi profile (SSID, EAP-TLS, trusted Root CA, server name) and installs a user certificate.
Caveat: a certificate stays valid until it expires or is revoked, so leaver handling depends on the RADIUS server checking revocation (CRL/OCSP) or group membership at authentication time, not on the certificate alone.
Pros: Granular control over CAs; leverages Intune.
Cons: Requires agent installation on BYOD.

3. Strategy B: The Passpoint & Derived Credential Model

The Experience-Centric Approach

Favored by platforms like Cloud4Wi and SplashAccess, this leverages Passpoint (Hotspot 2.0) to deliver a "cellular-like" roaming experience.

The Architecture

The platform acts as a Federation Hub. It integrates with Entra ID to validate identity and issues "Derived 802.1X Credentials" embedded within a Passpoint profile.

The Mechanism

  • User Login: User accesses a web portal and logs in via Entra ID (SAML/OIDC).
  • Profile Provisioning: Platform generates a personalized Passpoint profile with derived credentials.
  • Installation: Profile installed via web interface (iOS/macOS) or helper (Android).
  • Sync: If the user is disabled in Entra, the platform revokes the credential. Revocation takes effect at the next full 802.1X authentication, so set a RADIUS Session-Timeout (attribute 27) to force periodic re-authentication rather than letting an established session run indefinitely.
Pros: No heavy agents; seamless roaming.
Feature: Solves Android 14 trust requirements transparently.

4. The "Lost GPO" & Android 14 Crisis

The Android 14 Mandate

Google has removed the "Do Not Validate" option for server certificates (the change began with Android 11 on Pixel devices and has reached mainstream OEM builds with Android 14). Users must specify the Root CA and the server's domain name, which the supplicant checks as a label-aligned suffix against the dNSName entries in the RADIUS server's certificate; a typo, or a mismatch between the configured domain and the certificate, produces a connection failure with no useful error. Relying on manual user configuration is no longer viable. On a domain-joined Windows estate those settings used to arrive by GPO; Entra-joined and BYOD devices have no GPO, hence the "lost GPO".

The Solution: Both strategies solve this programmatic friction.

  • Strategy A: The Agent app hardcodes the domain settings into the device config.
  • Strategy B: The Passpoint Profile is pre-configured with the required domain and trust anchors.
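The domain requirement in this section (and the "Server Domain Name" item in the Part 3 checklist) comes down to one check the supplicant performs on the RADIUS server's certificate. The following is an added example, not code from this guide or from any product it names: a Python model of that check following wpa_supplicant's domain_suffix_match semantics, a label-aligned suffix match against the certificate's SAN dNSName entries, falling back to the subject CN only when the certificate carries no dNSName. The certificates are constructed dictionaries standing in for parsed X.509, and the ';'-separated list of acceptable domains is an assumption about how a profile would carry several of them.

```python
"""Added example (not from the original guide): the server-name check an 802.1X
supplicant performs once "Do Not Validate" is gone. Certificates are constructed
dicts, not parsed X.509; the ';' list separator is an assumption.
"""


def _labels(name):
    """Split a DNS name into lower-cased labels, dropping a trailing dot."""
    return [label for label in name.lower().rstrip(".").split(".") if label]


def suffix_matches(cert_name, required_suffix):
    """True when every label of required_suffix is the tail of cert_name.

    'radius.example.com' matches 'example.com' and 'radius.example.com';
    'radius.example.com.evil.net' and 'radiusexample.com' do not, because
    the comparison is per label from the right, not a substring test.
    """
    cert, want = _labels(cert_name), _labels(required_suffix)
    if not want or len(want) > len(cert):
        return False
    return cert[-len(want):] == want


def server_name_ok(cert, domain_field):
    """Apply the profile's Domain field to a server certificate.

    cert: {"dns_names": [...], "cn": "..."} (constructed stand-in for X.509).
    domain_field: one domain, or several separated by ';' (assumption).
    An empty Domain field is rejected outright: that is the "Do Not Validate"
    configuration the Android change removed. The CN is consulted only when
    the certificate has no dNSName entries at all.
    """
    required = [d.strip() for d in domain_field.split(";") if d.strip()]
    if not required:
        return False
    candidates = cert.get("dns_names") or ([cert["cn"]] if cert.get("cn") else [])
    return any(suffix_matches(c, r) for c in candidates for r in required)


# Constructed certificates for a worked check.
GOOD_CERT = {"dns_names": ["radius1.wifi.example.com", "radius2.wifi.example.com"],
             "cn": "radius1.wifi.example.com"}
CN_ONLY_CERT = {"dns_names": [], "cn": "radius.wifi.example.com"}
LOOKALIKE_CERT = {"dns_names": ["wifi.example.com.attacker.net"],
                  "cn": "wifi.example.com.attacker.net"}

if __name__ == "__main__":
    for label, cert in [("good", GOOD_CERT), ("cn-only", CN_ONLY_CERT),
                        ("lookalike", LOOKALIKE_CERT)]:
        print(label, server_name_ok(cert, "wifi.example.com"))
```

The lookalike case is the one that matters operationally: a substring check would accept "wifi.example.com.attacker.net", which is exactly the rogue-AP scenario the mandatory validation exists to stop. It also shows why the profile's Domain field should be the narrowest suffix that still covers every RADIUS server, and why a server certificate that only carries the name in its CN is fragile once the SAN is present.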

5. Deep Dive: Dynamic VLAN Assignment

Migrating to the cloud does not mean losing network segmentation. Both strategies support assigning users to specific VLANs dynamically based on Entra ID security groups: the RADIUS server resolves the authenticated identity (from the certificate's subject/SAN or the derived credential) to its Entra group membership, usually through a Microsoft Graph lookup keyed on the group Object ID, and returns the matching VLAN in the Access-Accept as the Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID attributes.

// Logic Flow
RADIUS -> Query Entra ID (user's group Object IDs)
IF Group == "Staff" THEN Return VLAN 10 (Tunnel-Private-Group-ID = "10")
ELSE IF Group == "Student" THEN Return VLAN 20
ELSE Reject, or place in a restricted VLAN; never fall through to a silent default
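The logic flow above, carried through to the bytes on the wire, as an added example that is not code from this guide or from any vendor it names. It maps Entra group Object IDs to VLANs, encodes the three RFC 2868 tunnel attributes that the Part 3 mapping table lists, wraps them in an Access-Accept whose Response Authenticator is keyed with the shared secret, and decodes them the way a NAS would. The group GUIDs, VLAN numbers and shared secret are constructed values; the Graph lookup that would produce the user's group list is out of scope and represented by a plain list.

```python
"""Added example, not code from the original guide: the RADIUS side of dynamic
VLAN assignment. Group GUIDs, VLAN numbers and the shared secret are constructed.
"""
import hashlib
import hmac
import os
import struct

ACCESS_ACCEPT = 2
TUNNEL_TYPE = 64               # RFC 2868 attribute types
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13          # Tunnel-Type value for VLAN
TUNNEL_MEDIUM_IEEE_802 = 6     # Tunnel-Medium-Type value for 802 (Ethernet/Wi-Fi)

# Keyed by Entra group Object ID, not display name: names can be renamed or
# duplicated, Object IDs cannot. These GUIDs are constructed.
GROUP_TO_VLAN = {
    "11111111-1111-4111-8111-111111111111": 10,   # WiFi-Engineers
    "22222222-2222-4222-8222-222222222222": 20,   # WiFi-Sales
    "33333333-3333-4333-8333-333333333333": 666,  # WiFi-Guests
}


def select_vlan(user_group_ids, mapping=GROUP_TO_VLAN):
    """VLAN for the first mapped group in *mapping* order, or None.

    Precedence comes from the mapping, not from the order the directory
    returned the groups, so a user in Engineers and Guests gets 10.
    None should become an Access-Reject, never a silent default VLAN.
    """
    have = {g.lower() for g in user_group_ids}
    for group_id, vlan in mapping.items():
        if group_id.lower() in have:
            return vlan
    return None


def tagged_int(attr_type, value, tag=1):
    """Tagged integer: Type, Length=6, Tag (0x01-0x1F), 3-byte big-endian value."""
    if not 1 <= tag <= 0x1F or not 0 <= value <= 0xFFFFFF:
        raise ValueError("tag or value out of range")
    return struct.pack("!BBB", attr_type, 6, tag) + value.to_bytes(3, "big")


def tagged_string(attr_type, value, tag=1):
    """Tagged string: Type, Length, Tag (0x01-0x1F), then the ASCII string."""
    data = value.encode("ascii")
    if not 1 <= tag <= 0x1F or not 1 <= len(data) <= 252:
        raise ValueError("tag or string out of range")
    return struct.pack("!BBB", attr_type, 3 + len(data), tag) + data


def vlan_attributes(vlan):
    """The three attributes a NAS needs to place the session in a VLAN."""
    return (tagged_int(TUNNEL_TYPE, TUNNEL_TYPE_VLAN)
            + tagged_int(TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_IEEE_802)
            + tagged_string(TUNNEL_PRIVATE_GROUP_ID, str(vlan)))


def access_accept(identifier, request_authenticator, attributes, secret):
    """Access-Accept; ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attrs+Secret).

    A NAS drops a reply whose authenticator fails, so a wrong shared secret
    surfaces as a client timeout rather than an explicit error.
    """
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attributes))
    digest = hashlib.md5(header + request_authenticator + attributes + secret).digest()
    return header + digest + attributes


def verify_response(packet, request_authenticator, secret):
    """The check the NAS performs before trusting the reply."""
    header, received, attributes = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_authenticator + attributes + secret).digest()
    return hmac.compare_digest(received, expected)


def parse_attributes(blob):
    """Decode to (type, tag, value); tag is None when the sender omitted it.

    RFC 2868: a first octet of 0x00-0x1F is a tag, anything above is data,
    which is why an untagged "10" (0x31 0x30) still decodes as a VLAN.
    """
    out, i = [], 0
    while i < len(blob):
        if i + 2 > len(blob) or blob[i + 1] < 2 or i + blob[i + 1] > len(blob):
            raise ValueError("malformed attribute at offset %d" % i)
        attr_type, body = blob[i], blob[i + 2:i + blob[i + 1]]
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE) and len(body) == 4:
            out.append((attr_type, body[0], int.from_bytes(body[1:], "big")))
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID and body:
            tagged = body[0] <= 0x1F
            out.append((attr_type, body[0] if tagged else None,
                        (body[1:] if tagged else body).decode("ascii")))
        else:
            out.append((attr_type, None, body))
        i += blob[i + 1]
    return out


if __name__ == "__main__":
    vlan = select_vlan(["22222222-2222-4222-8222-222222222222"])   # Sales only
    pkt = access_accept(0x2A, os.urandom(16), vlan_attributes(vlan),
                        b"constructed-shared-secret-of-20-plus-chars")
    print(parse_attributes(pkt[20:]))   # [(64, 1, 13), (65, 1, 6), (81, 1, '20')]
```

Two details here bite in production. The tag octet on Tunnel-Private-Group-ID is easy to get wrong when hand-building attributes: a VLAN ID sent with no tag only works because ASCII digits are above 0x1F, and a tag above 0x1F silently becomes the first character of the VLAN name. And the Response Authenticator explains the checklist's insistence on a correct shared secret: a mismatch does not produce an Access-Reject, it produces a reply the NAS discards, which the user experiences as a hang.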

Part 2: Decision Matrix (Choosing Your Architecture)

Path A: 90%+ Corporate Managed Devices

Do you use Microsoft Intune?

  • YES: Use Cloud PKI (Scepman, SecureW2). Leverage native SCEP integration.
  • NO: Go to Path B.

Path B: Heavy Mix of BYOD / Unmanaged

Tolerance for User Friction?

  • LOW (No Apps): Use Passpoint (Cloud4Wi, SplashAccess). Web-based provisioning is key.
  • HIGH (Security First): Use Onboarding Agent (SecureW2 JoinNow). Deepest device visibility.

Feature Requirement | Cloud PKI (Strategy A)      | Passpoint (Strategy B)
--------------------|-----------------------------|-----------------------------
Primary Auth        | X.509 Certificate (EAP-TLS) | Derived Credential
BYOD Experience     | App / Agent Download        | Web Portal -> Profile
Android 14          | Agent Configures Domain     | Profile Pre-configures
Roaming             | Standard Auto-Join          | Cellular-like (Hotspot 2.0)

Part 3: Technical Configuration Checklist

Missing any one of these will result in authentication failures.

1. Entra ID Prerequisites
  • Tenant ID: The GUID of the Entra tenant the RADIUS provider authenticates against.
  • Group Object IDs: Use Object IDs, not display names, for VLAN mapping; names can be renamed or duplicated, Object IDs cannot.
  • App Registration: Client ID plus a credential for the RADIUS provider's Graph access. Prefer a certificate credential over a client secret where the provider supports it, grant only the application permissions the lookup needs (e.g. GroupMember.Read.All), and record the expiry date, since an expired credential fails every authentication at once.
2. RADIUS & PKI Attributes
  • Server Domain Name: The FQDN, or a parent domain, present as a dNSName in the RADIUS server's certificate. Clients match it as a suffix, so "radius.wifi.example.com" satisfies a profile set to "wifi.example.com" but not the reverse (critical for Android 14).
  • Root CA (.cer): Base-64 encoded X.509 export of the CA that issued the RADIUS server certificate, which is not necessarily the CA that issues client certificates.
  • Shared Secret: 20+ character random string, unique per NAS. It keys the RADIUS authenticators, so a mismatch looks like a timeout rather than a reject. For a cloud RADIUS reached across the internet, prefer RadSec (RADIUS over TLS, RFC 6614) to bare UDP protected only by the shared secret.

VLAN Attribute Mapping Table

User Group     | Tunnel-Type (64) | Tunnel-Medium-Type (65) | Tunnel-Private-Group-ID (81)
---------------|------------------|-------------------------|-----------------------------
WiFi-Engineers | 13 (VLAN)        | 6 (802)                 | 10
WiFi-Sales     | 13 (VLAN)        | 6 (802)                 | 20
WiFi-Guests    | 13 (VLAN)        | 6 (802)                 | 666
