Question

Wi-Fi - Azure AD (AAD) Authentication + Per-VLAN assignment

  • 16 October 2020
  • 5 replies

Hi,

I would like to ask if anyone knows if it's possible to use only Extreme hardware/software to do a Wi-Fi deployment where a single SSID will be using Azure AD for user authentication and also have the possibility to map a specific user/group to a specific VLAN/group policy.

Currently I’m using Cisco gear with a RADIUS server cloud provider (ironwifi) that uses Azure AD as user DB backend, but would like to know if Extreme has any kind of native AAD integration.

 

Best regards.

 

 



Hello leonarit,

 

Native Identifi only supports RADIUS for external authentication and can’t speak directly to the AD/LDAP. To connect an AD you need, for example, a RADIUS server or Extreme-NAC.

 

Regards

Stephan

 

 

 


 

 

 

Hi StephanH, the Azure AD doesn’t support LDAP, it’s based on an Azure service that’s only accessible through some type specific connectors (OpenID Connect, etc.).

 

I was told by someone that has Extreme knowledge that it was possible, I will try to check with someone from product management.

 

Best regards.


Hello leonarti,

 

Sorry for the confusion. I just wanted to say that Identifi cannot speak directly to Azure.

AD/LDAP was just an example.

Since Identifi controllers (your answer was posted in the Identifi channel, therefore I assume your question is about Identifi products) and APs are already tagged with an EoS date, these devices will not speak to Azure in the future.

 

This might be implemented in the future only for XCC or CloudIQ. Here I do not know any plans.

 

As of May 2020 there was no support for NAC and XCC (=XCA). See here:

https://extremeportal.force.com/ExtrArticleDetail?n=000039180&q=azure

 

Regards

Stephan

 

 

 

With ExtremeCloud IQ we have an integration with Azure based on PPSK. You can do segmentation based on VLANs. Have a look at: https://wiflex.eu/wifionboarder-gsuite-azure/

I’ve read of people enabling Azure AD Domain Services, which enables LDAP and then installing a RADIUS server (which could be ExtremeControl) in a new OU in Azure AD DS, which can then authenticate MS-CHAPv2 for EAP-PEAP.

However, you may want to consider some sort of onboarding with certificates (e.g. from Intune) rather than using username/password.
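
Whichever RADIUS server ends up in front of Azure AD, the per-group VLAN mapping asked about in this thread is normally returned to the controller in the Access-Accept as the three RFC 3580 tunnel attributes. The sketch below is an added example, not part of any post above and not Extreme's code; the group names, VLAN IDs and default VLAN are constructed.

```python
import struct

# RADIUS attribute numbers (RFC 2868) and values (RFC 3580) for VLAN assignment.
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TYPE_VLAN, MEDIUM_IEEE_802 = 13, 6

# Constructed policy, first match wins: directory group -> VLAN ID.
GROUP_VLAN = [("wifi-it-admins", 10), ("wifi-staff", 20), ("wifi-students", 30)]
DEFAULT_VLAN = 999  # assumed restricted VLAN for users in none of the groups


def vlan_for_groups(groups):
    """Pick the VLAN for a user from the group names the directory returned."""
    member = {g.strip().lower() for g in groups}
    for name, vlan in GROUP_VLAN:
        if name in member:
            return vlan
    return DEFAULT_VLAN


def _attr(attr_type, value):
    # RADIUS TLV: 1-byte type, 1-byte length (header included), then the value.
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def vlan_attributes(vlan_id):
    """Encode the three Access-Accept attributes that place a client in a VLAN."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError(f"VLAN ID out of range: {vlan_id}")
    tagged = lambda v: b"\x00" + v.to_bytes(3, "big")  # tag 0x00 + 24-bit value
    return (
        _attr(TUNNEL_TYPE, tagged(TYPE_VLAN))
        + _attr(TUNNEL_MEDIUM_TYPE, tagged(MEDIUM_IEEE_802))
        # VLAN ID travels as an ASCII string; the optional tag byte is omitted.
        + _attr(TUNNEL_PRIVATE_GROUP_ID, str(vlan_id).encode("ascii"))
    )


if __name__ == "__main__":
    vlan = vlan_for_groups(["All-Users", "WiFi-Staff"])  # constructed membership
    print(vlan, vlan_attributes(vlan).hex())
```

Falling back to a restricted VLAN rather than the default SSID VLAN keeps a user with no matching group from landing on a production segment.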
