Any trick to authenticating AAD identities for existing WPA2-Enterprise Wi-Fi and Transparent Proxy?


Problem description

In our current environment, we have AD, GPO-deployed WPA2-Enterprise Wireless (PEAP/MSCHAPv2), with RADIUS also handling authentication for our web filter (transparent proxy). Obviously, this is a pretty standard configuration, and it all just works as expected with AD identities on domain-joined devices. We're also configured as Hybrid, and we've confirmed that this all continues to work like magic with synchronised AD identities, and even on AAD-Joined (only) devices... which is pretty awesome. But what about pure AAD identities?

Right now, we're looking to migrate some web-kiosk, point-of-sale, and similar configurations, to the cloud so that we can more fully explore AAD (identities/devices) and Intune management. The question is, how do we make those accounts authenticate as required? We could obviously enable "User Write-back" to create an AD account for the user, but that would be defeating the purpose a little. So what else can we do? Would we be looking at using something like an Azure MFA server, configured to act as a RADIUS proxy, to somehow authenticate our AAD users internally?

I realise that this is probably the "hard way", and that a solution might be to roll a parallel configuration that is better able to be supported for this scenario - i.e. a new SSID with a completely different Wi-Fi configuration, and probably replace or remove the web filter/proxy from the equation - but these types of changes would all be longer-term (if at all). Is this configuration possible? Options?

Recommended answer

Could you be clearer on this? What exactly are you trying to achieve?

