Update RADIUS Certificates for EAP-TTLS Devices

JumpCloud's RADIUS-as-a-Service offers certificate-based methods for desktops, laptops, and mobile devices to verify that they are authenticating to the correct RADIUS server, so that no one else can impersonate JumpCloud's RADIUS server. Clients will not trust a RADIUS server that lacks the private key matching this certificate. JumpCloud strongly recommends that you use a certificate authentication method for this reason.

This help article explains how to update and deploy the new JumpCloud RADIUS certificate to both Windows and Mac devices.

Note:

The certificate is required for EAP-TTLS/PAP authentication methods, and for some PEAP clients as well. 

Most clients using PEAP do not need to manually add the RADIUS certificate because it is automatically acquired during the device authentication process.

Important:
  • The new certificate will be installed on JumpCloud’s RADIUS servers on July 8, 2024 and is valid until July 10, 2025.
  • To avoid a service disruption, update your certificate before July 8, 2024.

Considerations:

  • If you have the current JumpCloud RADIUS certificate installed, you only need to update where it was manually installed.
  • You can install the new certificate side-by-side with the current (expired) certificate. The system will select the correct certificate.
  • To avoid service disruptions, do not remove the current (expired) certificate until it is replaced on July 8, 2024.
  • The EAP-PEAP protocol is not affected by the RADIUS certificate expiration. However, users may be prompted to grant trust to the new certificate when they connect to JumpCloud managed EAP-PEAP RADIUS servers.
  • If this is your first time configuring a client system for EAP-TTLS/PAP, please instead refer to the following documents for guidance on initial setup:

Mac Setup

Note:

Make sure you have a current RADIUS certificate installed. For more information, see Configure EAP-TTLS/PAP on Mac & iOS for RADIUS.

To update the JumpCloud RADIUS certificate in macOS:

  1. Download the attached .mobileconfig file and open it in a text editor.

Note:
  • The .mobileconfig file contains the updated certificate.
  • This .mobileconfig file is not compatible with iOS/iPadOS. Users on these devices should reconnect to the RADIUS network SSID manually, which will cause a prompt for the user to download and trust the new RADIUS certificate.
  2. Add the Service Set Identifier (SSID) in between the <string> and </string> text on Line 43.
  3. Log in to the JumpCloud Admin Portal: https://console.jumpcloud.com/login.
  4. Go to Device Management > Policy Management.
  5. In the All tab, click the plus icon.
  6. On the New Policy panel, select the Mac tab.
  7. Select MDM Custom Configuration Profile policy from the list, then click configure.
  8. (Optional) In the Policy Name field, enter a new name for the policy or keep the default. Policy names must be unique.
  9. In the Settings field, click upload file to upload the modified .mobileconfig file.
  10. (Optional) Select the Device Groups tab. Select one or more device groups where you want to apply this policy. For device groups with multiple OS member types, the policy is applied only to the supported OS.
  11. (Optional) Select the Devices tab. Select one or more devices where you want to apply this policy.
  12. Click Save. If prompted, click Save again.

Windows Setup

Note:

Make sure you have a current RADIUS certificate installed. For more information, see EAP-TTLS/PAP Initial Configuration on Windows for JumpCloud RADIUS clients.

To update the JumpCloud RADIUS certificate in Windows 10:

  1. Log in to the JumpCloud Admin Portal: https://console.jumpcloud.com/login.
  2. Go to Device Management > Commands.
  3. In the Commands tab, click the plus icon to create a new command.
  4. In the Details tab, enter a name in the Name field.
  5. In the Name field, enter a name for your command.
  6. In the Type field, select Windows, then select the Windows PowerShell checkbox.
  7. In the Command* field, copy and paste the contents of the attached radius_cert_install-2024.ps1 file.

Note:

The new certificate will be downloaded as part of the PowerShell process.

  8. In the Event field, select an event type. The standard default is Run Manually.

Note:
  • If using Run Manually, you can click Run Now to immediately execute the command on the device(s), or wait to execute the command.
  • The results of the command execution can be viewed in the Commands > Results tab.
  9. (Optional) Select the Device Groups tab. Select one or more device groups where you want to apply this policy. For device groups with multiple OS member types, the policy is applied only to the supported OS.
  10. (Optional) Select the Devices tab. Select one or more devices where you want to apply this policy.
  11. Click Save. If prompted, click Save again.

Alternatively, you can download and import the new certificate manually from the command line, as shown in the following example:

Import-Certificate -FilePath "C:\Windows\Temp\radius.jumpcloud.com-2024.crt" -CertStoreLocation Cert:\LocalMachine\Root
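
Because this import places the certificate in the machine-wide trusted root store, it is worth checking the downloaded file first. The following is an added example, not part of JumpCloud's script: it compares the file's SHA-256 fingerprint with a value you obtained from JumpCloud, checks the validity window, imports the certificate, and lists the matching entries in the store. The fingerprint placeholder and the `*radius.jumpcloud.com*` subject filter are assumptions.

```powershell
# Added example: check the downloaded certificate before trusting it machine-wide.
# Run from an elevated PowerShell session (writing to LocalMachine\Root requires it).
$CertPath = 'C:\Windows\Temp\radius.jumpcloud.com-2024.crt'   # path used in the article
# Placeholder (assumption): SHA-256 fingerprint obtained from JumpCloud out of band.
$ExpectedSha256 = '<SHA256-FINGERPRINT-PUBLISHED-BY-JUMPCLOUD>'

function Get-CertSha256 {
    param([Parameter(Mandatory)]
          [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Hash the DER encoding of the certificate, as certificate viewers do.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try     { [System.BitConverter]::ToString($sha.ComputeHash($Cert.RawData)) -replace '-', '' }
    finally { $sha.Dispose() }
}

$cert   = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($CertPath)
$actual = Get-CertSha256 -Cert $cert
$wanted = $ExpectedSha256 -replace '[:\s]', ''   # accept "AA:BB:..." or "AA BB ..." forms

# -ne on strings is case-insensitive, so upper/lower-case hex both match.
if ($actual -ne $wanted) {
    throw "Fingerprint mismatch for $CertPath (got $actual). Not importing."
}

$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    throw "Certificate is outside its validity window ($($cert.NotBefore) to $($cert.NotAfter))."
}

Import-Certificate -FilePath $CertPath -CertStoreLocation Cert:\LocalMachine\Root | Out-Null

# Confirm what is now trusted. The subject filter is an assumption based on the
# certificate name shown in the article; adjust it if your store shows another name.
Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -like '*radius.jumpcloud.com*' } |
    Sort-Object NotAfter |
    Format-Table Thumbprint, Subject, NotBefore, NotAfter -AutoSize
```

After a side-by-side install, the table should show both the existing and the new certificate, which are the two entries to select in the wireless network's Trusted Root Certification Authorities list.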

Wireless Network Configuration 

To configure your wireless network:

  1. Right-click the wireless network that was previously configured using EAP-TTLS/PAP configuration on Windows for JumpCloud RADIUS clients, then select Properties.
  2. Click the Security tab.
  3. Next to the authentication method, click Settings.
  4. From the Trusted Root Certification Authorities, ensure that both the existing radius.jumpcloud.com and the new imported certificate are selected.
  5. Click OK.

Reference Files

As a reference, the Mac and Windows commands, as well as the new certificate and its signature can be obtained here:
