Through JumpCloud, your organization can create a cloud RADIUS server without the hassle of physical servers. You can quickly roll out RADIUS service to your organization to securely authenticate users to Wi-Fi, VPNs, switches, and network devices. Organizations can also enable RADIUS access using either Entra ID or JumpCloud as the identity provider. When using JumpCloud, the authentication method options include a passwordless method using certificates. This article outlines the steps for configuring and authenticating a RADIUS server.
- This document is meant to be used along with:
Adding a RADIUS Server (Details tab)
- Log in to the JumpCloud Admin Portal: https://console.jumpcloud.com/login.
- Go to USER MANAGEMENT > RADIUS.
- To create a new RADIUS server configuration, click ( + ). The Details tab displays.
- Configure the RADIUS server:
- In the Server Name field, enter a name for the server. This value is arbitrary.
- In the Shared Secret field, provide a shared secret for the device or service endpoint you're pairing with the RADIUS server.
- Enter one or more public IP addresses from which your organization's traffic will originate.
- Click Save.
To add multiple IP addresses to the same RADIUS server configuration, click Add IP Address.
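A pre-flight check for the Shared Secret and IP address fields above, as an added example that is not JumpCloud code: it draws the secret from a CSPRNG and rejects source addresses that are not publicly routable (RFC 1918, carrier-grade NAT, CIDR ranges). The function names, the 16-character floor, the alphanumeric alphabet and the sample addresses are assumptions of this example.

```python
import ipaddress
import secrets
import string

# Assumption: alphanumeric only, to avoid characters that some network
# devices mishandle in their RADIUS client configuration.
SECRET_ALPHABET = string.ascii_letters + string.digits


def generate_shared_secret(length: int = 32) -> str:
    """Return a random shared secret drawn from the OS CSPRNG."""
    if length < 16:  # this example's own floor, not a JumpCloud limit
        raise ValueError("shared secret shorter than 16 characters")
    return "".join(secrets.choice(SECRET_ALPHABET) for _ in range(length))


def check_source_ips(candidates):
    """Split candidate source IPs into (accepted, [(value, reason), ...])."""
    accepted, rejected, seen = [], [], set()
    for raw in candidates:
        text = raw.strip()
        try:
            ip = ipaddress.ip_address(text)
        except ValueError:
            # CIDR ranges, hostnames and typos all land here.
            rejected.append((text, "not a single IP address"))
            continue
        # is_global is stricter than "not is_private": it also excludes
        # carrier-grade NAT space (100.64.0.0/10), which is never what the
        # RADIUS service sees as the source of your traffic.
        if not ip.is_global:
            rejected.append((text, "not publicly routable"))
        elif ip in seen:
            rejected.append((text, "duplicate"))
        else:
            seen.add(ip)
            accepted.append(str(ip))
    return accepted, rejected


if __name__ == "__main__":
    # Constructed sample input: one public address, a duplicate of it,
    # a LAN address, a CGNAT address and a CIDR range.
    sample = ["8.8.8.8", " 8.8.8.8", "192.168.1.10", "100.64.0.1", "10.0.0.0/24"]
    ok, bad = check_source_ips(sample)
    print("enter in portal:", ok)
    for value, reason in bad:
        print(f"rejected {value}: {reason}")
    print("shared secret:", generate_shared_secret())
```

The address to enter is the egress (NAT) address of the network the access points or VPN concentrators sit behind, not their LAN addresses.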
Setting up Primary Authentication (Authentication tab)
Step 1 – Choose an Identity Provider
- To select how your users will authenticate into this RADIUS server, click the Authentication tab and choose an Identity Provider from the dropdown menu.
- If the selection is Entra ID, users will be able to access this RADIUS server using their existing Entra ID credentials. MFA cannot be configured when Entra ID is the identity provider.
Important:
- Once Entra ID is selected and confirmed, this selection cannot be changed without deleting this RADIUS configuration and starting over.
- Entra ID doesn’t pass the user’s password to JumpCloud, so the user remains in a Password Pending status. If an Entra ID organization is using JumpCloud exclusively for RADIUS, admins do not require users to create a password in JumpCloud, so the Password Pending status can be ignored.
RADIUS Authentication with Entra ID Credentials
- If the selection is JumpCloud, admins will have the choice of Passwordless or Password for the Authentication Method.
Step 2 – Choose an Authentication Method
JumpCloud RADIUS supports both credential (with a password) and certificate (passwordless) based authentication. Certificate Based Authentication (CBA) is considered the most secure method of authentication, with the least amount of user friction. Learn More: Certificate Based Authentication to RADIUS for Admins
Password Authentication
- To continue letting users authenticate with their username or email address and password, plus TOTP or PUSH, select Password as the authentication method.
- The MFA Configuration section will be available if using JumpCloud as the Identity Provider, and if Password is selected as the Authentication Method.
- Configure Multi-Factor Authentication (MFA)
- Toggle the MFA Requirement option to Enabled for this server. This option is Disabled by default.
- Select Require MFA on all users or Only require MFA on users enrolled in MFA.
- If selecting Require MFA on all users, a sub-bullet allows for excluding users in a TOTP enrollment period, but this does not apply to JumpCloud Protect (users in a TOTP enrollment period who are successfully enrolled in Protect will still be required to complete MFA).
- If JumpCloud Protect is not yet enabled, users can select the Enable Now link.
Passwordless Authentication
- To use certificate authentication, select Passwordless.
- Once Passwordless has been selected, the Save button will be disabled until a certificate has been successfully uploaded (or the authentication method has been changed back to Password).
- If desired, select Allow password authentication as an alternative method.
- If this checkbox is selected, admins can enable certificates for some users while allowing others to continue validating by username or email address and password. Users will continue to have the option to validate by username or email address and password, but once they choose to validate with certificates and a valid certificate is found, the password option will no longer be presented.
- The MFA Configuration section will be available if JumpCloud is the Identity Provider, Passwordless is selected as the Authentication Method, and the Allow password authentication as an alternative method checkbox is selected.
- Configure Multi-Factor Authentication (MFA)
- Toggle the MFA Requirement option to Enabled for this server. This option is Disabled by default.
- Select Require MFA on all users or Only require MFA on users enrolled in MFA.
- If selecting Require MFA on all users, a sub-bullet allows for excluding users in a TOTP enrollment period, but this does not apply to JumpCloud Protect (users in a TOTP enrollment period who are successfully enrolled in Protect will still be required to complete MFA).
- If JumpCloud Protect is not yet enabled, users can select the Enable Now link.
- Uploading a Certificate Authority
- To upload your certificate, click on the Choose a File button, navigate to the file location, and select it for uploading.
- Once the file has uploaded successfully, the file name will display on the screen and the options will change to replacing or deleting the file. There is also an option to view the full CA chain.
- Clicking Save will return the user to the main RADIUS screen, where the Certificate badge will display in the Primary Authentication column.
Note: For more information about where and how to find trusted certificates outside of JumpCloud, see the RADIUS-CBA Tools for BYO Certificates white paper (PDF attachment; see files section on right).
Selecting Users for Access to the RADIUS Server (User Groups tab)
- To grant access to the RADIUS server, click the User Groups tab, then select the groups of users you want to connect to the server.
- Every user who is active in that group will be granted access.
- Click Save.
Users who are being granted access to a RADIUS server that uses Entra ID as the identity provider must be imported into JumpCloud and then assigned to a User Group.