By Rajat Bhargava Posted May 27, 2015
RADIUS is a networking service that authenticates and authorizes users to networks and network infrastructures. RADIUS has become a staple service in organizations that look to provide access via 802.1x port control and wireless networks.
RADIUS works best when it is connected to directory services. RADIUS effectively acts as a proxy for the directory, translating authentication and authorization requests to the directory from network infrastructure. So, when JumpCloud’s customers started asking us to be the backend directory service for their RADIUS infrastructure, it made a lot of sense.
JumpCloud® Takes on RADIUS
Effectively, we made RADIUS another protocol that we support, just as we already support LDAP and SAML among others. Our customers were primarily interested in connecting their WiFi networks to their directory via RADIUS. The benefit of this was to dramatically increase their security by connecting each user to a unique login to the network.
With JumpCloud, your users will be able to use their JumpCloud username and password to authenticate to your network rather than having to worry about some difficult-to-remember (and type) passphrase. You’ll gain the peace of mind that comes from knowing that if a problem arises, you can surgically disable user access at any time. With RADIUS-as-a-Service from JumpCloud, you gain a central point from which you can control WiFi user access across all your WiFi networks, no matter where they are.
When you set up your access point to do WPA2-Enterprise authentication, this allows your client hosts to authenticate through their WiFi control panel rather than through a browser interface. This means that authentication can happen silently, without interrupting your users’ workflow. At the same time, you can rest easy knowing that every login to your network will require the user’s credentials and not just an SSID and passphrase.
Some organizations leverage a captive portal process to gain access. But most captive portals require http traffic (rather than encrypted https) to be able to capture a request and redirect the user. Since most websites have moved to https, it may be difficult at times for users to identify and diagnose the fact that their connection has been disabled and then request an http-only site so they can sign back in. Using WPA2-Enterprise authentication eliminates this issue and will improve your users’ attitudes as a result.
Security All the Way Through
For security, JumpCloud’s RADIUS integration leverages the EAP-TTLS protocol tunneling PAP. This protocol ensures a fully TLS-encrypted pipe between the access point and the RADIUS server. This protocol is a very commonly supported one, which provides the password from the client (such as a mobile phone, or a Windows, macOS, or Linux host), to the access point (also known as the authenticator), and finally to our FreeRADIUS server for authentication with JumpCloud. This gives you end-to-end strong encryption throughout the authentication and authorization process.
From the FreeRADIUS server to JumpCloud, JumpCloud’s REST-based authentication API is TLS-encrypted as well. This brings the benefit of allowing us to easily control which users from your JumpCloud account (controlled via JumpCloud Groups) can authenticate on the WiFi network.
Bring RADIUS to the Cloud
Leveraging RADIUS in conjunction with JumpCloud provides a seamless, secure user experience for those logging onto your wireless network. Your central directory now also controls who has access to your network itself. That’s a strong reason to use JumpCloud’s Directory-as-a-Service® with RADIUS. If you want to learn more about how to step up your wireless security, drop us a line.