Authenticate to RADIUS with MFA

Use Multi-Factor Authentication (MFA) with JumpCloud to secure user access to your organization’s resources. You can enable MFA for your RADIUS VPN servers. When MFA is enabled on a RADIUS VPN server, users are challenged for a Time-based One-time Password (TOTP) or to use Push when connecting to that VPN server.

Considerations:

Important:

JumpCloud supports the following MFA solutions:

  • TOTP
    • PAP only
  • PUSH
    • PAP
    • EAP-TTLS/PAP
    • EAP-MSCHAPv2
    • EAP-PEAP/MSCHAP2
    • MSCHAP
    • MSCHAPv2

Warning:
  • We recommend using EAP-TTLS/PAP for RADIUS authentication.
  • We do not recommend that you use TOTP, because it can only be used with PAP, which is an insecure authentication method.
  • Mac and iOS devices require additional software to use EAP-TTLS/PAP authentication for wireless clients. See Configure EAP-TTLS/PAP on Mac and iOS for RADIUS for more information. 
  • JumpCloud Protect Mobile Push can be used on RADIUS VPN servers and wireless network RADIUS servers.
    • JumpCloud Protect Mobile Push can be used as an authentication method for the following RADIUS protocols: EAP-TTLS/PAP, EAP-MSCHAPv2, EAP-PEAP/MSCHAP2, and MSCHAPv2.
  • To learn more about the RADIUS authentication protocols supported by JumpCloud, see RADIUS Protocol Support.

Configuring TOTP MFA on RADIUS Servers

Learn how to add a RADIUS server to your JumpCloud account: RADIUS Configuration and Authentication.

To configure RADIUS MFA for an existing server:

  1. Log in to the JumpCloud Admin Portal: https://console.jumpcloud.com/login.
  2. Go to User Authentication > RADIUS.
  3. Select an existing RADIUS server.
  4. Configure TOTP Multi-factor Authentication for the RADIUS server:
    • Toggle the MFA Requirement for this RADIUS Server option to On to enable MFA for this server. This option is disabled by default.
    • Select Require MFA on all users or Only require MFA on users enrolled in MFA.
  5. Click save.

Tip:

The RADIUS MFA settings have been updated from a previous version:

  • Require MFA on all users (previously was Challenge all users, including during an enrollment period)
  • Require MFA on all users, but Exclude users in TOTP Enrollment period (previously was Challenge all users, unless they are in an enrollment period)
  • Only require MFA on users enrolled in MFA (previously was Challenge active TOTP MFA users)

Connecting to TOTP MFA-enabled RADIUS Servers

Users connect to TOTP MFA-enabled servers by adding a comma (,) and 6-digit TOTP to their JumpCloud password. For example, a user with a password of MyB@dPa33word would enter MyB@dPa33word,123456 for their password, where 123456 represents the 6-digit OTP that is generated by a TOTP app like JumpCloud Protect. Educate your users: Set Up an Authenticator App for Your User Account.
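
How a RADIUS back end could separate and check the combined password,TOTP field described above, as an added example that is not JumpCloud's code. It assumes the split happens on the last comma, a 30-second HMAC-SHA1 TOTP per RFC 6238, and a plaintext reference password for brevity; the function names are hypothetical and the secret is the published RFC 6238 test key.

```python
import hashlib
import hmac
import struct
import time


def totp(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step containing `at`."""
    counter = struct.pack(">Q", int(at) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # RFC 4226 dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def split_credential(field: str):
    """Split 'password,123456' on the LAST comma (assumption) so passwords
    containing commas survive. Returns (password, otp) or None."""
    password, sep, otp = field.rpartition(",")
    valid_otp = len(otp) == 6 and otp.isascii() and otp.isdigit()
    if not (sep and password and valid_otp):
        return None
    return password, otp


def verify(field, expected_password, secret, now=None, drift_steps=1):
    """Check both factors; accept codes within +/- drift_steps time steps."""
    now = time.time() if now is None else now
    parts = split_credential(field)
    if parts is None:
        return False
    password, otp = parts
    # Simplification: a real directory compares against a password hash.
    pw_ok = hmac.compare_digest(password.encode(), expected_password.encode())
    otp_ok = False
    for k in range(-drift_steps, drift_steps + 1):
        otp_ok |= hmac.compare_digest(otp, totp(secret, now + k * step_seconds()))
    return pw_ok and otp_ok


def step_seconds() -> int:
    return 30  # TOTP time step assumed throughout this example


if __name__ == "__main__":
    rfc_key = b"12345678901234567890"  # RFC 6238 test key, not a real secret
    print(verify("MyB@dPa33word,287082", "MyB@dPa33word", rfc_key, now=59))
```

Because both factors travel in the single PAP password field, a missing or malformed code makes the whole credential fail rather than falling back to password-only authentication.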

Configuring Push MFA on RADIUS Servers

Learn how to add a RADIUS server to your JumpCloud account: RADIUS Configuration and Authentication.

When Push is required on MFA, both TOTP and Push become available; however, only one method of authentication is required.

To configure RADIUS MFA for an existing server:

  1. Log in to the JumpCloud Admin Portal: https://console.jumpcloud.com/login.
  2. Go to User Authentication > RADIUS.
  3. Select an existing RADIUS server.
  4. Configure Multi-factor Authentication for the RADIUS server:
    • Toggle the MFA Requirement for this RADIUS server option to Enabled for this server. This option is Disabled by default.
    • Select Require MFA on all users or Only require MFA on users enrolled in MFA.
      • If selecting Require MFA on all users, a sub-bullet allows for excluding users in a TOTP enrollment period, but this does not apply to JumpCloud Protect (users in a TOTP enrollment period who are successfully enrolled in Protect will still be required to complete MFA).
  5. If JumpCloud Protect is not yet enabled, follow the Enable Now link.
  6. Click enable, which will return you to the RADIUS Server Configuration window.
  7. Click save.

Connecting to Push MFA-Enabled RADIUS Servers

Users connect to Push MFA-enabled servers by entering their JumpCloud password. The system sends a push notification to their Protect device, and users open the notification and tap Yes, Approve to complete the login.

Viewing RADIUS MFA Status

You can see if TOTP MFA is enabled for a RADIUS server in the RADIUS list's MFA Status column.
