Organizations can enable RADIUS access using Azure AD as the identity provider. This gives an organization secure RADIUS access through JumpCloud without having to manage users and passwords outside of Azure AD.
This KB provides a high-level view of what a new organization needs to do to get RADIUS authentication with Azure AD working.
Considerations:
- Organizations authenticating with Azure AD must use EAP-TTLS/PAP only.
- Learn More: RADIUS Protocol Support
- Azure AD may flag the RADIUS authentication request from JumpCloud RADIUS servers as risky, because Microsoft Identity Protection is turned on for the Azure AD account or a Conditional Access policy is based on IP address. To suppress the false flag, add the JumpCloud RADIUS servers' IP addresses to the trusted IP list, either by extending an existing Azure AD policy or by adding a new policy.
- Microsoft KB: Using the location condition in a Conditional Access policy
- Microsoft KB: How To: Investigate risk
- Microsoft KB: Conditional Access: Block access by location
- OpenVPN is only supported with PAP and MSCHAPv2. It is not supported with EAP-TTLS/PAP, so authentication with Azure AD cannot be done with OpenVPN.
Import Users:
In order for RADIUS login with Azure AD credentials to succeed, Azure AD must be authoritative for the user's password. An Azure AD account that is federated with a third-party identity provider, Microsoft Office, or AD will cause the RADIUS authentication to fail with sign-in error code 50126 even if the user or admin enters the username and password correctly. A workaround for this issue is to create an alias user in Azure AD.
- For organizations planning to authenticate with the IdP of Azure AD, those users need to be imported into JumpCloud.
- When authenticating with Azure AD, the UPN in Azure AD should match the company email address in JumpCloud, and the user should use this attribute for their RADIUS login.
- Azure AD doesn’t pass the user’s password to JumpCloud, so the user remains in a Password Pending status. If an Azure AD organization is using JumpCloud exclusively for RADIUS, admins do not require users to create a password in JumpCloud, so the Password Pending status can be ignored.
- Imported users arrive in a staged state and need to be moved to an active state.
- Learn More: Manage User States
Create a User Group:
- After importing, your users need to be assigned to a User Group that will be granted access to the RADIUS server.
- Learn More: Get Started User Groups
Set up a RADIUS server:
- Add a RADIUS server, and set up authentication with Azure AD as the identity provider.
- Learn More: RADIUS Configuration and Authentication
Configure a Wireless Access Point (WAP):
Set up Client Devices:
- First, establish a secure authentication protocol with EAP-TTLS/PAP.
- Learn More: EAP-TTLS/PAP configuration on Mac & iOS Devices for JumpCloud RADIUS
- Learn More: EAP-TTLS/PAP configuration on Windows for JumpCloud RADIUS clients
- Note: Android devices may not require a certificate.
Troubleshooting RADIUS Connections:
- Learn More: Troubleshooting RADIUS Server Authentication
- Once the setup is tested, admins can leverage their existing MDM/UEM to deploy the certificates or profile to their managed devices.
- The transactions will show as interrupted in the Azure AD sign-in log. If Azure AD MFA is enabled, the transaction may show as failed, but the RADIUS connection will still succeed if the user provides their email and password correctly, because the MFA requirement is not applied to this RADIUS flow.
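As an added example (not JumpCloud's or Microsoft's code), the following Python script sorts Azure AD sign-in log records produced by RADIUS logins into the conditions this KB describes (error 50126 on non-authoritative accounts, risk-flagged RADIUS server IPs, interrupted transactions, and MFA-related failures that still succeed at the RADIUS layer). The RADIUS CIDR and the sample records are constructed placeholders, and the field names are only modeled on the Microsoft Graph signIn resource.

```python
import ipaddress
from collections import Counter

# Assumption: placeholder range standing in for the JumpCloud RADIUS server
# addresses; take the real ranges from JumpCloud's RADIUS documentation.
JUMPCLOUD_RADIUS_CIDRS = ["203.0.113.0/24"]


def from_radius(ip):
    """True if the sign-in originated from a JumpCloud RADIUS server address."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in JUMPCLOUD_RADIUS_CIDRS)


def triage(entry):
    """Map one sign-in record to the condition the KB describes for it."""
    if not from_radius(entry["ipAddress"]):
        return "not-radius"
    if entry.get("errorCode") == 50126:
        # Federated / AD-synced account: Azure AD is not authoritative for the
        # password, so the login fails even with correct credentials.
        return "50126-azure-ad-not-password-authoritative"
    if entry.get("riskLevelDuringSignIn", "none") != "none":
        # Identity Protection or a location-based Conditional Access policy
        # flagged the RADIUS server IP; add it to the trusted IP list.
        return "risk-flagged-add-trusted-ip"
    if entry["result"] == "Interrupted":
        return "interrupted-expected"  # normal for the RADIUS flow
    if (entry["result"] == "Failure"
            and entry.get("authenticationRequirement") == "multiFactorAuthentication"):
        # Logged as failed because MFA was not completed, but the RADIUS
        # connection still succeeds when the password was correct.
        return "mfa-logged-failure-radius-ok"
    if entry["result"] == "Success":
        return "success"
    return "other-failure"


def summarize(entries):
    """Count how many records fall into each condition."""
    return dict(Counter(triage(e) for e in entries))


# Constructed sample records (not real tenant data).
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@example.com", "ipAddress": "203.0.113.10",
     "result": "Interrupted", "riskLevelDuringSignIn": "none"},
    {"userPrincipalName": "bob@example.com", "ipAddress": "203.0.113.10",
     "result": "Failure", "errorCode": 50126, "riskLevelDuringSignIn": "none"},
    {"userPrincipalName": "carol@example.com", "ipAddress": "203.0.113.11",
     "result": "Failure", "riskLevelDuringSignIn": "medium"},
    {"userPrincipalName": "dave@example.com", "ipAddress": "203.0.113.11",
     "result": "Failure", "authenticationRequirement": "multiFactorAuthentication"},
    {"userPrincipalName": "erin@example.com", "ipAddress": "198.51.100.5",
     "result": "Success"},
]
```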