Overview

By default, EnGenius APs use LDAP to associate with Microsoft Entra ID, formerly Azure Active Directory (Azure AD). This document outlines the steps to use Microsoft Entra ID Secure LDAP credentials to access your secure wireless network and shows the software architecture.

Integrating EnGenius APs with Microsoft Entra ID secure LDAP authentication provides many benefits, including the easy synchronization of users from on-premises Active Directory (AD) to the Microsoft Entra ID LDAP Server, quick setup in the Microsoft Entra ID server, and increased reliability.

Ensure your EnGenius Cloud APs have an active Pro License and that the Org AP feature plan is set to Pro. You can then configure them to use the Microsoft Entra ID (Azure AD) LDAP Server for WPA2/WPA3-Enterprise or Captive Portal authentication.

To get started:

1. Choose the SSID to Enable Azure AD Authentication.

   • Go to Org / Network.

   • Click the EnGenius WiFi in the SSID list.
2. Choose the Security Type and Authentication Type to apply for this SSID.

   • Security Type: Click Wireless > Security Type > WPA2 or WPA3 Enterprise.

   • Authentication Type: Click Captive Portal > Authentication Type > Azure AD.
3. Select Authenticate with Azure AD.

   • Fill in the Host, Port, Account, and Password.

   • Base DN (Optional): Starting point of the LDAP directory tree when the AP requests the search of the corresponding user’s credentials in the LDAP server. If the field is empty, the AP auto-detects the configuration from the Azure AD/Entra ID LDAP server. Otherwise, the user can set the specified Base DN string according to the Azure AD host. (Format: ou=AADDC Users,dc=engenius-azure,dc=ddns,dc=net).

   • (Optional) Import the Authenticator certificate for customized content and domain.

01. How to Generate Customized Certificate?

Several tools are available to create self-signed certificates. In this tutorial, we will use OpenSSL to create a self-signed certificate for secure LDAP.

To get started:

1. Generate the certificate:

   • Download FreeRADIUS code from https://github.com/FreeRADIUS/freeradius-server/tree/master/raddb/certs.

   • Navigate to the directory: cd raddb/cert/

   • Adjust the customized information in the .cnf file (e.g., domain name, expiration duration, location, etc.).

   • Run the bootstrap script: ./bootstrap

   • Zip the certificate files: zip cert.zip server.pem dh ca.pem

2. Click Import and Zip File Upload to upload cert.zip to EnGenius Cloud.

1. Export ca.pem and install it on the client device if requested.

02. Supported Operating Systems and Models

EAP-TTLS/PAP and TLS 1.2+ are essential on client devices. The following operating systems have native support and are verified to work with EnGenius Cloud AP:

• iOS version 13 and higher

• Google Chrome OS

• Android version 6 and higher

• Microsoft Windows 8 and higher

• MacOS 11 and higher

Verified Client Device List:

03. Software Architecture

Captive portal with Azure AD Server

WPA2/WPA3-Enterprise with Azure AD Server

To get started:

1. Sign in to the Microsoft Azure Admin console.

   • Navigate to portal.azure.com and sign in with your credentials.

2. Enable the Microsoft Entra ID Secure LDAP Server.

   • Follow the instructions provided in the Microsoft Entra ID documentation to enable the secure LDAP server.

3. (Optional) Configure an appropriate role for verifying user credentials.

   • Specify a role that can read keys and values for the AP to verify users.

   • For more information on Microsoft Entra built-in roles, see https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/permissions-reference.

4. Create a Firewall rule for the AP to query your Microsoft Entra ID Secure LDAP Server.

   • Ensure TCP traffic direction is set to outgoing to port 636 of hostname ldaps.aaddscontoso.com (hostname and port from step 1).

To allow client devices to authenticate with the Entra ID (Azure AD) LDAP Server, some devices, such as Android phones, require the installation of the Client’s Authentication (CA) Certificate (ca.pem). This certificate is needed for secure communication between the Access Point and client devices and can be exported via the EnGenius Cloud GUI.

To get started:

1. Client devices scan for the EnGenius WiFi SSID and connect to it.

2. The 802.1X page pops up and requests the Username and Password. (e.g., account@example.edu).

3. If the Certificate page pops up, click Trust.

4. For Android phones, it is required to specify the EAP method and Phase 2 authentication. Please refer to the following settings:

   • EAP method: Select EAP-TTLS.

   • Phase 2 authentication: Select PAP.

     • (Note: If PAP is not supported on client devices, GTC is an alternative option but may have compatibility issues on specific devices, e.g., Chromebook.)

   • Domain (Optional): Enter the corresponding domain shown on Cloud GUI, e.g., engenius.ai (by default)

   • Online Certificate Status: Choose Do not validate.

     • (Note: For Google Nexus devices, this option is not available. The certificate (ca.pem) must be installed.)

Chromebook Bug:

• Issue: If a user selects an unsupported authentication method (e.g., EAP-TTLS + GTC) first and then switches to EAP-TTLS + PAP, they may encounter connection failures.

• Solution: Delete the wireless profile and create a new one, selecting EAP-TTLS + PAP directly.

Samsung Devices:

• Issue: Samsung devices require the Domain field to be filled in.

• Solution: Ensure that the Domain field is completed during configuration.

Google Pixel:

• Issue: Google Pixel devices require a certificate to be installed for authentication.

• Solution: Follow the instructions provided by Google to install the necessary certificate. Refer to the Google Support page for detailed steps.