Controllerless Networks


802.1x against azure AD Not using Clearpass

  • 1.  802.1x against azure AD Not using Clearpass

    Posted Feb 07, 2020 08:41 PM

    Hi all,

    Has anybody attempted to do this? I can't find useful info, or even whether it is feasible to accomplish without ClearPass.

    I would really appreciate your comments.



  • 2.  RE: 802.1x against azure AD Not using Clearpass

    EMPLOYEE
    Posted Feb 07, 2020 09:19 PM

    Certainly possible but you need some mechanism to get a certificate on every device.



  • 3.  RE: 802.1x against azure AD Not using Clearpass

    Posted Feb 07, 2020 10:47 PM

    Thanks Tim.
    Would QuickConnect do the job? Is there a document, like a tech brief, describing this scenario?

     



  • 4.  RE: 802.1x against azure AD Not using Clearpass

    Posted Feb 09, 2020 10:21 AM

    With Intune you can deploy both user and computer certificates to managed devices. This certificate can be used to do 802.1x authentication.



  • 5.  RE: 802.1x against azure AD Not using Clearpass

    Posted Feb 10, 2020 08:24 AM

    Thanks Willem, I'll explore Intune for certificate deployment; it looks like it should work.

    We've done many deployments of 802.1x auth with on-prem AD and NPS, but never one with Azure AD. If someone has a guide for doing this, or any resource we can read about it, it'll be much appreciated.

     

    thanks



  • 6.  RE: 802.1x against azure AD Not using Clearpass

    Posted Feb 10, 2020 08:32 AM

    I have no documentation but it's straightforward. Just deploy a certificate to the client and configure the client to do EAP-TLS.

    You may need to disable EAP-TLS authorization in ClearPass because the computer account doesn't exist in the authentication source. For authorization you can use the Intune extension if needed.



  • 7.  RE: 802.1x against azure AD Not using Clearpass

    Posted Feb 10, 2020 08:52 AM

    We'll not be using ClearPass; it's an IAP cluster, no ClearPass.

    When using on-prem AD we have NPS and a local CA, and all authentication is done in L2.

    What do we need to set up when using Azure AD? What about NPS and the CA?

     



  • 8.  RE: 802.1x against azure AD Not using Clearpass

    Posted Feb 10, 2020 09:38 AM

    There is no big difference. NPS will still handle the 802.1x authentication. However, there is one difference, because you will probably not join the machine to Azure AD. Because the machines are not joined, NPS is not able to do authorization. However, because the authentication is done using EAP-TLS, this can still work. However, you have to disable the requirement to have a computer/user account in the AD. I know this is possible to do with NPS but don't have the configuration. I thought this has to be configured in the registry.



  • 9.  RE: 802.1x against azure AD Not using Clearpass

    Posted Feb 10, 2020 09:44 AM

    You mean using an NPS machine on premise?



  • 10.  RE: 802.1x against azure AD Not using Clearpass

    Posted Feb 10, 2020 09:53 AM

    You can use NPS on-prem or install NPS on a server in Azure.

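    Whichever side NPS lives on, the IAP cluster has to be registered as a RADIUS client on it. The following is an added example, not from anyone in this thread, showing that step in PowerShell with the NPS module; the cluster name and IP address are assumptions. One Instant-specific caveat is built in: with dynamic RADIUS proxy enabled the cluster sources requests from the virtual controller IP, so that is the address to register; without it, every AP's own IP must be a RADIUS client.

```powershell
# Added example (not from the thread): register the IAP cluster as a RADIUS
# client on an NPS server and check that NPS is registered in the domain.
# Run on the NPS server as an administrator. Name and IP are assumptions.
Import-Module NPS

# Source address of the cluster's RADIUS requests: the virtual controller IP
# when Instant's dynamic RADIUS proxy is on; otherwise each AP IP needs an entry.
$RadiusClients = @(
    @{ Name = 'IAP-Cluster-VC'; Address = '10.10.20.5' }
)

# Prompt once so the secret never lands in a script file or shell history.
$Secret = Read-Host -Prompt 'RADIUS shared secret for the IAP cluster'

foreach ($c in $RadiusClients) {
    $existing = Get-NpsRadiusClient | Where-Object { $_.Name -eq $c.Name }
    if ($existing) {
        Write-Host "RADIUS client '$($c.Name)' already present ($($existing.Address))"
        continue
    }
    New-NpsRadiusClient -Name $c.Name -Address $c.Address -SharedSecret $Secret
    Write-Host "Registered RADIUS client '$($c.Name)' at $($c.Address)"
}

# NPS must be registered in AD to read account attributes when it does
# authorization; the poster's EAP-TLS-only setup still needs NPS to start cleanly.
netsh nps show registeredserver

# Confirm the listener: NPS takes RADIUS authentication on UDP 1812 (and legacy 1645).
Get-NetUDPEndpoint | Where-Object { $_.LocalPort -in 1812, 1645 } |
    Select-Object LocalAddress, LocalPort
```

    After this the IAP side is unchanged from an on-prem AD deployment: the SSID's auth server points at this NPS address and port with the same shared secret.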


  • 11.  RE: 802.1x against azure AD Not using Clearpass

    Posted Feb 10, 2020 01:19 PM

    Thank you Willem for your help, I'll try to configure a PoC and will post feedback.

    Best regards



  • 12.  RE: 802.1x against azure AD Not using Clearpass

    MVP EXPERT
    Posted Feb 10, 2020 02:14 PM

    Did you see the "ClearPass with Azure AD and Intune integration" series on the YouTube ABC Networking channel? https://www.youtube.com/watch?v=MlcrqTDDufU

    What I remember from a colleague who helped me at a customer with Intune:

    • For certificate enrollment through Intune we needed an NDES server.
    • In ClearPass we had to turn off "authorization" in the EAP-TLS settings.

    With the ClearPass Intune plugin you can get some attributes from Intune. Not sure if NPS has that kind of plugin feature, but basic authentication without authorization can be done.

     



  • 13.  RE: 802.1x against azure AD Not using Clearpass

    Posted Feb 11, 2020 11:42 AM

    Thanks Marcel, I watched the video and it's very helpful when using ClearPass and Intune, but my scenario is not using ClearPass.

    We want to set up 802.1x for client authentication with plain MS tools if possible.

     

    kind regards



  • 14.  RE: 802.1x against azure AD Not using Clearpass

    EMPLOYEE
    Posted Feb 11, 2020 07:03 PM

    Any RADIUS server should support EAP-TLS.



  • 15.  RE: 802.1x against azure AD Not using Clearpass

    EMPLOYEE
    Posted Feb 12, 2020 06:46 AM

    The IAPs do not care which RADIUS server is authenticating a device. Therefore the 802.1x configuration is the same whether you use ClearPass, MS NPS or any other RADIUS server.

    For MS-specific information you might want to check Microsoft resources directly, e.g. https://docs.microsoft.com/en-us/windows-server/networking/technologies/nps/nps-crp-crpolicies

     

    There is also an article on client certificate requirements for EAP-TLS operation: https://docs.microsoft.com/en-us/windows-server/networking/technologies/nps/nps-manage-cert-requirements
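
    The certificate requirements article linked above is where PoCs like the one the original poster plans usually fail: a cert that Intune pushed but that NPS rejects. The following is an added example, not from the thread or from Microsoft, that walks the local computer store and checks each certificate against those requirements (usable private key, validity period, Client Authentication EKU, a Subject Alternative Name carrying a UPN or DNS name, and a chain that builds with revocation checking as NPS performs it). Run it on the client after Intune enrollment.

```powershell
# Added example (not from the thread): check machine certificates in the
# local computer store for suitability as EAP-TLS client certificates.
# Run as Administrator on an Intune-enrolled client; every cert in
# Cert:\LocalMachine\My is tested, nothing is changed.
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth
$SanOid        = '2.5.29.17'           # subjectAltName

function Test-EapTlsClientCert {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert
    )

    $problems = New-Object System.Collections.Generic.List[string]
    $now = Get-Date

    # The client signs the TLS handshake, so the private key must be present.
    if (-not $Cert.HasPrivateKey) { $problems.Add('no private key') }
    if ($Cert.NotAfter -lt $now)  { $problems.Add("expired $($Cert.NotAfter)") }
    if ($Cert.NotBefore -gt $now) { $problems.Add("not valid before $($Cert.NotBefore)") }

    # Enhanced Key Usage must include Client Authentication.
    $eku = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $hasClientAuth = $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $ClientAuthOid })
    if (-not $hasClientAuth) { $problems.Add("EKU lacks Client Authentication ($ClientAuthOid)") }

    # NPS maps the identity from the SAN: a UPN for users, a DNS name for computers.
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $SanOid }
    $sanText = if ($san) { $san.Format($false) } else { '' }
    if ($sanText -notmatch 'Principal Name=|DNS Name=') {
        $problems.Add('SAN has neither a UPN (Principal Name) nor a DNS Name')
    }

    # Build the chain with online revocation checking, which NPS does by default;
    # a CRL/OCSP endpoint that the RADIUS server cannot reach shows up here.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    if (-not $chain.Build($Cert)) {
        $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
        $problems.Add("chain does not build: $status")
    }

    [pscustomobject]@{
        Subject    = $Cert.Subject
        Issuer     = $Cert.Issuer
        Thumbprint = $Cert.Thumbprint
        SAN        = $sanText
        Usable     = ($problems.Count -eq 0)
        Problems   = ($problems -join '; ')
    }
}

Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-EapTlsClientCert -Cert $_ } |
    Format-List
```

    Two things to note when reading the output. The chain check runs with the client's own trust store and network path; NPS validates the same chain from its side, so a root or intermediate that is missing on the server, or a CRL the server cannot fetch, will still fail there. And for the scenario in this thread, where the machine has no account in the on-prem AD, a certificate that passes every check here can still be refused by NPS unless the account-lookup behaviour discussed earlier is dealt with.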