RADIUS Technical Considerations and Protocol Support

JumpCloud's cloud-based RADIUS service extends your organization's users' JumpCloud credentials to your WiFi and other resources that support the RADIUS protocol. This document details the options and combinations available for the various RADIUS protocols, along with the technical considerations admins need to keep in mind.

RADIUS Client Public IP Considerations 

  • Your public IP can only be used one time in JumpCloud.
  • Only public IPv4 is supported. IPv6 is not supported.
  • If your public IP address is dynamic and not statically assigned by your ISP, you will need to update the RADIUS configuration within JumpCloud to reflect the newly assigned IP address. You may change this either within the Admin Portal or via the API.

Authentication Protocols Supported by JumpCloud 

  • Mutual TLS (mTLS)
    • EAP-TLS
  • TLS encryption
    • PEAPv0 (MSCHAPv2-based)
    • EAP-TTLS/PAP
  • Shared key encryption:
    • EAP-MSCHAPv2
    • MSCHAPv2
    • PAP*

Warning:

Note:

All protocols are always available. The user or admin configures the device to use a single protocol when it authenticates to the network. That decision should be based on the desired Multi-Factor Authentication (MFA) or primary Identity Provider (IdP) to be used.

Protocol Support for JumpCloud MFA:

| Protocol          | Method    |
|-------------------|-----------|
| PEAPv0            | Push      |
| EAP with TTLS/PAP | TOTP/Push |
| EAP-MSCHAPv2      | Push      |
| MSCHAPv2          | Push      |
| PAP               | TOTP/Push |
| EAP-TLS           | None      |

MFA methods:

  • TOTP: uses an authenticator App (like JumpCloud Protect, Microsoft Authenticator, or Google Authenticator) to generate 6-digit codes
  • Push: uses JumpCloud Protect in-App push notifications
  • We recommend turning on MFA for RADIUS for VPN. We don't currently recommend that you enable RADIUS TOTP MFA on your wireless network servers; however, JumpCloud Protect Mobile Push can be used on RADIUS VPN servers and wireless network RADIUS servers.

See: JumpCloud MFA Guide.  

Entra ID Delegated Authentication

  • Organizations planning to use Entra ID as their IdP need to import those users into JumpCloud and assign them to a User Group that has access to the RADIUS server.
  • When authenticating with Entra ID, the UPN in Entra ID should match the company email address in JumpCloud, and the user should use this attribute for their RADIUS login.

Protocol Support for Entra ID Delegated Authentication:

| Protocol          | MFA  |
|-------------------|------|
| EAP with TTLS/PAP | None |
| PAP               | None |

Note:

MFA is not supported when authenticating through an IdP other than JumpCloud, such as Entra ID.
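
As an added example (not JumpCloud code), the following Python preflight check applies this page's rules to a planned list of RADIUS clients: public IPv4 only and used once, the protocol and MFA tables for each IdP, and the recommendation against TOTP on wireless. The tuple layout, entry names and sample addresses are assumptions made for the illustration.

```python
import ipaddress

# MFA methods per protocol with JumpCloud as the IdP (from the table on this page).
JUMPCLOUD_MFA = {
    "PEAPv0": {"Push"}, "EAP-TTLS/PAP": {"TOTP", "Push"}, "EAP-MSCHAPv2": {"Push"},
    "MSCHAPv2": {"Push"}, "PAP": {"TOTP", "Push"}, "EAP-TLS": set(),
}
# Protocols listed for Entra ID delegated authentication (no MFA available there).
ENTRA_PROTOCOLS = {"EAP-TTLS/PAP", "PAP"}

def check_plan(plan):
    """Return (entry name, finding) tuples for planned RADIUS client entries."""
    findings, seen = [], {}
    for name, ip_text, use, idp, proto, mfa in plan:
        try:  # Public IP rules: valid, IPv4 only, publicly routable, used once.
            ip = ipaddress.ip_address(ip_text)
        except ValueError:
            findings.append((name, "invalid IP address"))
        else:
            if ip.version != 4:
                findings.append((name, "IPv6 is not supported"))
            elif not ip.is_global:
                findings.append((name, "not a public IPv4 address"))
            elif ip in seen:
                findings.append((name, f"public IP already used by {seen[ip]}"))
            else:
                seen[ip] = name
        # Protocol, IdP and MFA method must match the support tables.
        if proto not in JUMPCLOUD_MFA:
            findings.append((name, f"unknown protocol {proto}"))
        elif idp == "entra":
            if proto not in ENTRA_PROTOCOLS:
                findings.append((name, f"{proto} not listed for Entra ID"))
            if mfa:
                findings.append((name, "MFA not supported with Entra ID"))
        elif mfa and mfa not in JUMPCLOUD_MFA[proto]:
            findings.append((name, f"{mfa} not listed for {proto}"))
        # Recommendation on this page: avoid TOTP on wireless; Push is fine.
        if use == "wifi" and mfa == "TOTP":
            findings.append((name, "TOTP not recommended on wireless"))
    return findings

# Constructed sample plan: (name, client IP, use, IdP, protocol, MFA method).
SAMPLE_PLAN = [
    ("hq-wifi", "8.8.8.8", "wifi", "jumpcloud", "PEAPv0", "Push"),
    ("branch-wifi", "8.8.8.8", "wifi", "jumpcloud", "EAP-TTLS/PAP", "TOTP"),
    ("vpn", "10.0.0.5", "vpn", "entra", "PEAPv0", "Push"),
    ("lab-wifi", "2001:db8::1", "wifi", "jumpcloud", "EAP-TLS", None),
]
print(check_plan(SAMPLE_PLAN))
```

An empty result means the plan is consistent with the constraints documented above; it does not query JumpCloud or confirm what is actually configured there.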
