FAQ: RADIUS

This may work for some, but not all use cases. JumpCloud uses the public IP address where RADIUS authentication attempts originate to identify them. If WiFi and VPN authentication attempts originate from the same public IP, JumpCloud can’t differentiate between the services.

If you want different users to be able to access each service independently or enable MFA for one and not the other, your network would need an additional public IP address from your ISP. This requires some firewall configuration to send authentication requests for each service from a different public IP.  

EAP-PEAP/MSCHAPv2 is the most common way users connect to JumpCloud-RADIUS-backed networks. When connecting, users will be prompted for their credentials and then asked to manually trust the RADIUS server certificate. They will only be asked to trust the certificate upon the initial connection and not again until the RADIUS server certificate is updated.

EAP-TTLS/PAP requires additional client configuration, which is outlined for both Windows and Apple devices. These profiles are pre-configured with the certificate installed and trusted on the device and also includes the ability to send an Anonymous Outer Identity. Some Linux distributions also only support one or the other.

Outer authentication (PEAP and TTLS) refers to the process of creating a secure tunnel so that the username and password information can be passed. This is done from the client using the server certificate (radius.jumpcloud.com). 

Inner authentication (MSCHAPv2 and PAP) refers to the actual authentication process. Once the secure tunnel is established during the Outer Authentication, the client then securely sends its credentials to the RADIUS server for authentication. 

By default, Apple doesn’t include the Intermediate certificate from GoDaddy. This can be installed via MDM or other means prior to joining the network. It is the GoDaddy Secure Server Certificate (Intermediate Certificate) – G2 (second certificate in the second list): Download GoDaddy Root Certificates | About SSL.

EAP-TLS uses certificates for authentication instead of username and password. This requires a Certificate Authority to generate the client certificate, along with a Root and Intermediate CA which the RADIUS server can validate against. This would most likely require each JumpCloud instance to have its own Certificate Authority for certificate generation. JumpCloud has recently released support for Certificate Based Authentication for RADIUS using the EAP-TLS protocol.

These are settings, that determine the state of the authenticating user. The most common use is setting the VLAN for specific user groups. This action is transparent to the end user and it simply puts them on the VLAN the admin has configured. For more information, see the KB articles:

• Configure RADIUS Reply Attributes for User Groups
• Configure RADIUS Reply Attributes for User Groups in the API

There are thousands of reply attributes. Most of them are Vendor-Specific Attributes (VSAs). These are attributes specific to each hardware vendor: Cisco, HP, Ruckus, Microsoft, and others. VSAs are generally categorized around authorization. Other types of reply attributes can be used to limit session duration or even network bandwidth allocation.

JumpCloud has provided several scripts that can be scheduled (cron job or Task Scheduler) to check for IP address changes and if changed then use the API to update the RADIUS configuration in JumpCloud. These will need to be run from a system that is on that network, so something that is on all the time like a server. There are scripts for both Bash and PowerShell. 

https://github.com/TheJumpCloud/support/tree/master/scripts/api/v1/radius