This may work for some, but not all use cases. JumpCloud uses the public IP address where RADIUS authentication attempts originate to identify them. If WiFi and VPN authentication attempts originate from the same public IP, JumpCloud can\u2019t differentiate between the services.<\/p>\n\n\n\n
If you want different users to be able to access each service independently or enable MFA for one and not the other, your network would need an additional public IP address from your ISP. This requires some firewall configuration to send authentication requests for each service from a different public IP.\u00a0\u00a0<\/p>\n<\/div><\/div><\/div>\n\n\n\n
EAP-PEAP\/MSCHAPv2<\/strong> is the most common way users connect to JumpCloud-RADIUS-backed networks. When connecting, users will be prompted for their credentials and then asked to manually trust the RADIUS server certificate. They will only be asked to trust the certificate upon the initial connection and not again until the RADIUS server certificate is updated.<\/p>\n\n\n\n EAP-TTLS\/PAP<\/strong> requires additional client configuration, which is outlined for both Windows<\/a> and Apple<\/a> devices. These profiles are pre-configured with the certificate installed and trusted on the device and also includes the ability to send an Anonymous Outer Identity. Some Linux distributions also only support one or the other.<\/p>\n\n\n\n With RADIUS, the initial Access-Request sends the username in plaintext. Once the secure EAP tunnel is established, the username is securely sent again along with the password. With an EAP-TTLS profile, you can obscure the username from being sent.<\/p>\n <\/div><\/div><\/div><\/div>\n<\/div><\/div><\/div>\n\n\n\n Outer authentication (PEAP and TTLS) refers to the process of creating a secure tunnel so that the username and password information can be passed. This is done from the client using the server certificate (radius.jumpcloud.com). <\/p>\n\n\n\n Inner authentication (MSCHAPv2 and PAP) refers to the actual authentication process. Once the secure tunnel is established during the Outer Authentication, the client then securely sends its credentials to the RADIUS server for authentication. <\/p>\n<\/div><\/div><\/div>\n\n\n\n By default, Apple doesn\u2019t include the Intermediate certificate from GoDaddy. This can be installed via MDM or other means prior to joining the network. It is the GoDaddy Secure Server Certificate (Intermediate Certificate) \u2013 G2<\/em> (second certificate in the second list): Download\u00a0GoDaddy Root Certificates | About SSL<\/a>.<\/p>\n<\/div><\/div><\/div>\n\n\n\n EAP-TLS uses certificates for authentication instead of username and password. This requires a Certificate Authority to generate the client certificate, along with a Root and Intermediate CA which the RADIUS server can validate against. This would most likely require each JumpCloud instance to have its own Certificate Authority for certificate generation. JumpCloud has recently released support for Certificate Based Authentication for RADIUS<\/a> using the EAP-TLS protocol.<\/p>\n<\/div><\/div><\/div>\n\n\n\n These are settings, that determine the state of the authenticating user. The most common use is setting the VLAN for specific user groups. This action is transparent to the end user and it simply puts them on the VLAN the admin has configured. For more information, see the KB articles:<\/p>\n\n\n\n There are thousands<\/em> of reply attributes. Most of them are Vendor-Specific Attributes (VSAs). These are attributes specific to each hardware vendor: Cisco, HP, Ruckus, Microsoft, and others. VSAs are generally categorized around authorization. Other types of reply attributes can be used to limit session duration or even network bandwidth allocation.<\/p>\n<\/div><\/div><\/div>\n\n\n\n![](\"\/wp-content\/themes\/jumpcloud\/assets\/images\/gutenberg-blocks\/note-icon.png\"){kind=icon}
<\/p><\/div>\n