Authenticate to RADIUS with MFA

Use Multi-Factor Authentication (MFA) with JumpCloud to secure user access to your organization’s resources. You can enable MFA for your RADIUS VPN servers. When MFA is enabled on a RADIUS VPN server, users are challenged for a Time-based One-time Password (TOTP) or to use Push when connecting to that VPN server.

Considerations:

  • Set up your Push or TOTP MFA for user accounts first:
  • JumpCloud TOTP MFA is intended to be used on RADIUS VPN servers. We don’t currently recommend that you enable TOTP MFA on your wireless network RADIUS servers since enabling this on WiFi might require your users to approve an MFA request multiple times throughout the day (dependent upon the configuration of your network).
    • MSCHAP and EAP-PEAP/MSCHAP2 can’t be used as an authentication method with TOTP MFA enabled RADIUS. We recommend using EAP-TTLS/PAP for authentication. We don’t recommend using PAP because data is unencrypted, and therefore is vulnerable and visible to a bad actor who would be able to view the PPP session.
    • Mac and iOS devices require additional software to use EAP-TTLS/PAP authentication for wireless clients. See Configure EAP-TTLS/PAP on Mac and iOS for RADIUS for more information. 
  • JumpCloud Protect Mobile Push can be used on RADIUS VPN servers and wireless network RADIUS servers.
    • JumpCloud Protect Mobile Push can be used as an authentication method for the following RADIUS protocols: EAP-TTLS/PAP, EAP-MSCHAPv2, EAP-PEAP/MSCHAP2, and MSCHAPv2.
  • To learn more about the RADIUS authentication protocols supported by JumpCloud, see RADIUS Protocol Support.

Configuring TOTP MFA on RADIUS Servers

Learn how to add a RADIUS server to your JumpCloud account: RADIUS Configuration and Authentication.

To configure RADIUS MFA for an existing server:

  1. Log in to the JumpCloud Admin Portal: https://console.jumpcloud.com/login.
  2. Go to User Authentication > RADIUS.
  3. Select an existing RADIUS server.
  4. Configure TOTP Multi-factor Authentication for the RADIUS server:
    • Toggle the MFA Requirement for this RADIUS Server option to On to enable MFA for this server. This option is disabled by default.
    • Select Require MFA on all users or Only require MFA on users enrolled in MFA.
  5. Click save.

Tip:

The RADIUS MFA settings have been updated from a previous version:

  • Require MFA on all users (previously was Challenge all users, including during an enrollment period)
  • Require MFA on all users, but Exclude users in TOTP Enrollment period (previously was Challenge all users, unless they are in an enrollment period)
  • Only require MFA on users enrolled in MFA (previously was Challenge active TOTP MFA users)

Connecting to TOTP MFA-enabled RADIUS Servers

Users connect to TOTP MFA-enabled servers by adding a comma (,) and 6-digit TOTP to their JumpCloud password. For example, a user with a password of MyB@dPa33word would enter MyB@dPa33word,123456 for their password, where 123456 represents the 6-digit OTP that is generated by a TOTP app like JumpCloud Protect. Educate your users: Set Up an Authenticator App for Your User Account.

Configuring Push MFA on RADIUS Servers

Learn how to add a RADIUS server to your JumpCloud account: RADIUS Configuration and Authentication.

When Push is required on MFA, both TOTP and Push become available; however, only one method of authentication is required.

To configure RADIUS MFA for an existing server:

  1. Log in to the JumpCloud Admin Portal: https://console.jumpcloud.com/login .
  2. Go to User Authentication > RADIUS.
  3. Select an existing RADIUS server.
  4. Configure Multi-factor Authentication for the RADIUS server:
    • Toggle the MFA Requirement for this RADIUS server option to Enabled for this server. This option is Disabled by default.
    • Select Require MFA on all users or Only require MFA on users enrolled in MFA.
      • If selecting Require MFA on all users, a sub-bullet allows for excluding users in a TOTP enrollment period, but this does not apply to JumpCloud Protect (users in a TOTP enrollment period who are successfully enrolled in Protect will still be required to complete MFA).
  5. If JumpCloud Protect is not yet enabled, follow the Enable Now link.
  6. Click enable, which will return you to the RADIUS Server Configuration window.
  7. Click save.

Connecting to Push MFA-Enabled RADIUS Servers

Users connect to Push MFA-enabled servers by entering their JumpCloud password. The system will send a push notification to their Protect device and users simply open the notification and tap Yes, Approve to complete the login.

Viewing RADIUS MFA Status

You can see if TOTP MFA is enabled for a RADIUS server in the RADIUS list's MFA Status column.

Still Have Questions?

If you cannot find an answer to your question in our FAQ, you can always contact us.

Submit a Case