JumpCloud's RADIUS-as-a-Service offers an additional method for client desktops, laptops, and mobile devices to verify that they are talking to the correct RADIUS server (so that no one else can pretend to be JumpCloud's RADIUS server). This will prevent clients from trusting other RADIUS servers, and JumpCloud strongly recommends that you leverage the certificate method for this reason. This KB article tells you how to configure your Windows and Mac systems to use JumpCloud's RADIUS certificate.
The certificate is required when EAP-TTLS/PAP is the selected authentication method, and may in some cases be necessary for PEAP clients as well. For most clients using PEAP, the certificate will automatically be procured during the authentication process and the certificate will not be required for authentication.
The new certificate will be installed on July 27, 2023 and is valid until July 10, 2024.
To avoid a service disruption, your certificate must be updated before July 27, 2023.
This Knowledge Base article gives instructions on a streamlined process to deploy the new certificate to both Windows and Mac devices.
- An update is only needed on devices that already have the current JumpCloud RADIUS certificate installed.
- The new certificate can be installed side-by-side with the current (old) certificate. The system will pick the correct certificate as needed.
- Do not remove the current (old) certificate until after it is replaced on July 27, 2023 to avoid any service disruptions during this transition.
- The EAP-PEAP protocol isn’t impacted by certificate expiration. However, users may be prompted to trust the new certificate when they connect to JumpCloud managed EAP-PEAP RADIUS servers.
- If this is your first time configuring a client system for EAP-TTLS/PAP, please instead refer to the following documents for guidance on initial setup:
The following procedure assumes that you have a current RADIUS certificate in place, following the steps outlined in "EAP-TTLS/PAP configuration on Mac & iOS Devices for JumpCloud RADIUS clients" cited above.
To update the JumpCloud RADIUS certificate in macOS:
- Download the mobileconfig (see JumpCloud+RADIUS+Profile in the files area to the right), and open it in a text editor.
- The mobileconfig file contains the updated certificate.
- This mobileconfig file is not compatible with iOS/iPadOS. Instead, users on these devices should reconnect to the RADIUS network SSID manually, which will prompt the user to download and trust the new RADIUS certificate.
- Add the Service Set Identifier (SSID) in between the <string> and </string> text on Line 43.
- In the Admin Portal, go to Policy Management and add a new macOS Policy.
- Select the MDM Custom Profile and upload the modified mobileconfig file.
- Assign this policy to the devices or device groups which need to have access to the network.
- The profile can be uploaded to the MDM of your choice, JumpCloud or otherwise.
- For organizations without an MDM, the profile can be manually installed. Refer to this Apple support article about using configuration profiles for additional details.
The following procedure assumes that you have a current RADIUS certificate in place, following the steps outlined in "EAP-TTLS/PAP configuration on Windows for JumpCloud RADIUS clients" cited above. Steps may vary depending on your Windows version.
To update the JumpCloud RADIUS certificate in Windows 10:
- In Admin Portal, go to Commands and click the plus icon to create a new command.
- Name your command, and then under Type, select Windows and check the Windows PowerShell checkbox.
- Paste the contents of the radius_cert_install.ps1 (see radius_cert_install in the files area to the right) file into the Command field.
The new certificate will be downloaded as part of the PowerShell process.
- Choose a Launch Event. Run Manually is fine.
- Click on the Devices tab and add device(s) to the command.
- If using Run Manually, you can click Run Now to immediately run the command on the device. Otherwise, wait for the condition set in step 4, and the command will execute.
- The results of the command execution can be viewed in the Commands > Results tab.
Alternatively, you can download and import the new certificate manually from the command line, as shown in the following example:
Import-Certificate -FilePath "C:\Windows\Temp\radius.jumpcloud.com-2023.crt" -CertStoreLocation Cert:\LocalMachine\Root
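Anything placed in Cert:\LocalMachine\Root is trusted machine-wide, so it is worth checking the file before running the import. The following is an added example, not JumpCloud's radius_cert_install.ps1: it compares the certificate's SHA-256 fingerprint with a value you supply, checks the subject and expiry, then runs the same import and lists the matching roots so the old and new certificates can both be confirmed. The fingerprint is a placeholder to be filled from JumpCloud's published certificate, and the subject match on radius.jumpcloud.com is an assumption.

```powershell
# Added example: verify the downloaded certificate before trusting it machine-wide.
param(
    # Path used by the import command in this article.
    [string]$CertPath = 'C:\Windows\Temp\radius.jumpcloud.com-2023.crt',
    # PLACEHOLDER (assumption): SHA-256 fingerprint of the certificate, obtained
    # from JumpCloud's published certificate and signature over a trusted channel.
    [string]$ExpectedSha256 = '<EXPECTED-SHA256-FINGERPRINT>',
    # Assumption: the certificate subject contains this name.
    [string]$ExpectedName = 'radius.jumpcloud.com'
)
$ErrorActionPreference = 'Stop'

# Parse the file as X.509; this throws if it is not a certificate at all.
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($CertPath)

# Hash the DER encoding so PEM and DER copies of the same certificate compare equal.
$sha256   = [System.Security.Cryptography.SHA256]::Create()
$actual   = [System.BitConverter]::ToString($sha256.ComputeHash($cert.RawData)) -replace '-', ''
$expected = ($ExpectedSha256 -replace '[:\s]', '').ToUpperInvariant()

if ($actual -ne $expected) {
    throw "Fingerprint mismatch for $CertPath (got $actual). Not importing."
}
if ($cert.Subject -notlike "*$ExpectedName*") {
    throw "Unexpected subject '$($cert.Subject)'. Not importing."
}
if ((Get-Date) -gt $cert.NotAfter) {
    throw "Certificate expired on $($cert.NotAfter). Not importing."
}

# Same import as the article's command; requires an elevated session.
Import-Certificate -FilePath $CertPath -CertStoreLocation Cert:\LocalMachine\Root | Out-Null

# List every matching root so both the old and the new certificate can be
# confirmed present during the transition period.
Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -like "*$ExpectedName*" } |
    Sort-Object NotAfter |
    Select-Object Subject, Thumbprint, NotBefore, NotAfter
```

With the placeholder left unchanged the script stops at the fingerprint check and imports nothing.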
Wireless Network Configuration
To configure your wireless network:
- Right-click the wireless network that was previously configured using EAP-TTLS/PAP configuration on Windows for JumpCloud RADIUS clients, then select Properties.
- Click the Security tab.
- Next to the authentication method, click Settings.
- From the Trusted Root Certification Authorities, ensure that both the existing radius.jumpcloud.com and the new imported certificate are selected.
- Click OK.
As a reference, the new certificate and its signature can be obtained here: