JumpCloud RADIUS Certificate-Based Auth Feature Bulletin Blog

Certificates Enable Passwordless Authentication

Written by Roger Quint and David Worthington on December 14, 2022

Share This Article

Streamlined and unified authentication to all resources is a core feature of JumpCloud’s open directory platform. That capability extends to secure network access into Wi-Fi and VPNs. JumpCloud’s cloud RADIUS service now supports credential-based (password) and certificate-based (passwordless) authentication. 

The combination of these authentication methods addresses the vast majority of risk levels an organization may face. Furthermore, the certificate-based authentication (CBA) approach is considered the most secure and frictionless method available today. JumpCloud’s CBA is consistent with the open directory principles, offering IT and network admins the flexibility to bring your own certificates (BYOC) as well as the future ability to manage certificates within JumpCloud.

What Is RADIUS Certificate-Based Authentication?

RADIUS Certificate-Based Authentication (CBA) is an authentication method that leverages the content of a X.509 compliant certificate to validate the identities of the device and the user requesting access to a network resource. RADIUS CBA obtains the certificate contents from the RADIUS client when a user requests access to an AP (access point) via client PC (RADIUS client). It then validates the standing of the certificate, as well as the certificate trust chain, with the corresponding certificate authority (CA). Finally, RADIUS CBA verifies the user status and access privileges against the JumpCloud Directory before allowing access to the RADIUS resource (typically Wi-Fi or VPN) when the certificate is validated. 

The Benefits of RADIUS CBA

The benefits of CBA are predicated on two fundamental capabilities. First, the ability to positively identify the authenticating party by leveraging the digital private/public key pair technology recognized as the most secure technology in the industry; and second, the ability to authenticate the user bound to the certificate without any input from the user (frictionless). Small and medium-sized enterprises (SMEs) can use CBA to secure and streamline user authentication flows and eliminate the potential for identity silos or duplicate systems.

Key Features of RADIUS CBA

All current cloud RADIUS features are available with the RADIUS CBA release. The following new capabilities are part of this new release:

  • Bring your own certificates (BYOC) – The initial release of RADIUS CBA allows IT administrators to import their certificates into RADIUS for authentication. The certificate lifecycle management and delivery to target endpoints is achieved by tools external to JumpCloud. 
  • Multilayer User Authentication – Before allowing user access, RADIUS CBA authenticates the good standing of a certificate (expiration, origin, and revoke status), compliance to one of three JumpCloud user certificates supported (Email user identifier in Subject Alternative Name field, Email user identifier in Distinguished Name field, or Username user identifier in Common Name field), the user status in JumpCloud directory, and finally the user certificate location (must be located on target client device).
  • Password as an alternative to certificates – RADIUS CBA allows administrators to use credentials as an initial alternative to certificate. This capability enables the gradual migration to certificate based authentication. Users can initially authenticate using their Username/Password then transition to certificates.
  • User groups – The traditional user group association capability and assignment to RADIUS AP is also available with certificates. Groups leverage JumpCloud’s attribute-based access control (ABAC) to automate identity lifecycle management.
  • Consolidated IT infrastructure No additional servers, Windows Server roles, or on-premise infrastructure is required to set up and maintain cloud RADIUS CBA. This lowers IT’s administrative overhead and reduces potential cyberattack surface areas.
  • ​​​​​​​Certificate Status check during Authentication BYOC supports validating the good standing of a certificate on every authentication transaction via the Online Certificate Status Protocol (OCSP). 

The Benefits of RADIUS CBA/BYOC

Certificates may originate from multiple CAs. Organizations that already use and manage certificates can import them into JumpCloud and use them for authentication to JumpCloud RADIUS to secure network access. For more on the JumpCloud CBA, see Certificate-Based Authentication to RADIUS for Admins.

Examples of BYO Certs in Action

When the SME wants its users to authenticate securely and without friction, the administrator:

  • Selects the “passwordless” authentication method
  • Imports the certificate chain, which allows the JumpCloud RADIUS server to challenge the RADIUS client with EAP-TLS mutual authentication. 

The admin can also allow password authentication as a fallback method for those users who have not yet received a certificate.


screenshot of primary authentication

When a user initially connects to a Wi-Fi device configured for JumpCloud RADIUS with certificate authentication (and password as a fallback), they can select “connect using a certificate.” Going forward, authentication to the Wi-Fi AP will happen automatically without any additional input from the user.

screenshot of connecting to RADIUS

JumpCloud’s cloud RADIUS validates the certificate contents provided and checks if the certificate, and user, are in good standing before granting access to the Wi-Fi network.

Try JumpCloud Cloud RADIUS

JumpCloud makes its full open directory platform available as a free trial. Pricing is workflow-based to help SMEs meet their unique requirements versus feature-based SKUs.

Roger Quint
David Worthington

I'm the JumpCloud Champion for Product, Security. JumpCloud and Microsoft certified, security analyst, a one-time tech journalist, and former IT director.

Continue Learning with our Newsletter