{"id":75226,"date":"2023-06-05T13:12:14","date_gmt":"2023-06-05T17:12:14","guid":{"rendered":"https:\/\/jumpcloud.com\/?post_type=support&p=75226"},"modified":"2024-02-08T13:30:31","modified_gmt":"2024-02-08T18:30:31","slug":"configure-your-wifi-clients-to-use-radius","status":"publish","type":"support","link":"https:\/\/jumpcloud.com\/support\/configure-your-wifi-clients-to-use-radius","title":{"rendered":"Configure your WiFi Clients to use RADIUS"},"content":{"rendered":"\n

Summary<\/h2>\n\n\n\n

Once you have successfully configured a JumpCloud RADIUS-as-a-Service (RaaS) and your WAP, VPN or router device, you are now ready for client configuration. While RaaS offers both PEAP or EAP-TTLS\/PAP authentication, the configurations will vary in WiFi profile. The client supplicant is the software that speaks PEAP or EAP-TTLS to make RADIUS requests via your WiFi access point to authenticate to your JumpCloud RADIUS server. Supplicant software can be integrated into your operating system directly, or it may be supplied by a third-party program. This article will cover the support available for the EAP-TTLS\/PAP protocol on common platforms, as well as educate the administrator on the required configuration information for both PEAP and EAP-TTLS\/PAP.<\/p>\n\n\n\n

Configuration<\/h2>\n\n\n\n

PEAP<\/strong><\/h3>\n\n\n\n

In most cases when choosing to use PEAP for your client authentication, no further configuration will be necessary and the users may simply connect to the WAP, VPN or Router device with their JumpCloud credentials.  For some clients and appliances however, if the JumpCloud RaaS server does not auto-negotiate the RADIUS server certificate, then it may need to be manually added into the configuration.  This may be found in the basic settings listed below.<\/p>\n\n\n\n

Though no additional configuration should be necessary, here are the basic settings for most operating system and devices:<\/p>\n\n\n\n

Service Set Identifier:<\/strong>\u00a0The WAP SSID created for RADIUS (Refer to\u00a0<\/em>Configure a Wireless Access Point (WAP), VPN or Router for JumpCloud’s RADIUS<\/em><\/a>)
Security Type:\u00a0<\/strong>WPA2 Enterprise<\/code>
Network Security Protocol:\u00a0<\/strong>PEAP<\/code>
Username:<\/strong> The JumpCloud username or email address of the user to authenticate<\/em>
Password:<\/strong> The JumpCloud user password<\/em>
Inner Authentication:<\/strong> MSCHAPv2<\/code>
Outer Identity:<\/strong> anonymous<\/em>
CA Certificates:<\/strong> radius.jumpcloud.com<\/a><\/p>\n\n\n\n

EAP-TTLS\/PAP<\/strong><\/h3>\n\n\n\n

In the case of EAP-TTLS\/PAP there are several special considerations that must be made for configuration.  When we look at various OS types for our particular setup, we can see a few areas where we\u2019ll need third party software to be able to login. What you need is EAP-TTLS support with tunneled PAP, which is supported as follows:<\/p>\n\n\n\n

\n
\n \n\n \n \n \n \n \n \n
\n OS <\/th>\n \n Version <\/th>\n \n Support <\/th>\n <\/tr>\n
\n Microsoft Windows <\/td>\n \n 7, Server 2008 and below <\/td>\n \n Requires third-party supplicant, such as\u00a0SecureW2\u2122 Enterprise Client\u00a0or\u00a0Juniper\u2122 Odyssey\u2122 Client\u200b <\/td>\n <\/tr>\n
\n Microsoft Windows <\/td>\n \n 8, Server 2012 and higher <\/td>\n \n Support built-in <\/td>\n <\/tr>\n
\n Mac <\/td>\n \n 10.3 and higher <\/td>\n \n Support built-in (but requires a\u00a0configuration profile) <\/td>\n <\/tr>\n
\n Linux <\/td>\n \n Multiple OS Versions <\/td>\n \n Support built-in <\/td>\n <\/tr>\n
\n \u00a0 <\/td>\n \n wpa_supplicant <\/td>\n \n Open-source supplicant which may be used if your distribution does not support EAP-TTLS PAP <\/td>\n <\/tr>\n <\/table>\n<\/div><\/div>\n\n\n\n

Learn more: RADIUS Technical Considerations and Protocol Support<\/a>
You\u2019ll notice the specific issue with Windows 7 and Server 2008; those operating systems do not natively support EAP-TTLS.<\/p>\n\n\n\n

In almost all cases, EAP-TTLS\/PAP will require that a wireless profile be created in order to have your user successfully authenticate with JumpCloud RaaS.  Here are the basic settings that will be required by most client supplicants:<\/p>\n\n\n\n

Service Set Identifier:<\/strong>\u00a0The WAP SSID created for RADIUS (Refer to\u00a0Configure a Wireless Access Point (WAP), VPN or Router for JumpCloud’s RADIUS<\/a>)
Security Type:<\/strong> WPA2 Enterprise<\/code>
Network Security Protocol:\u00a0<\/strong>EAP-TTLS<\/code>
Username:\u00a0<\/strong>The username or email address of the JumpCloud user to authenticate<\/em>
Password:<\/strong> The password of the JumpCloud user to authenticate<\/em>
Inner Authentication:<\/strong> PAP<\/code>
Outer Identity:<\/strong> anonymous<\/em>
CA Certificates: <\/strong>radius.jumpcloud.com<\/a><\/p>\n\n\n\n

Resources<\/strong><\/h2>\n\n\n\n

When configuring client devices for authentication using EAP-TTLS\/PAP, refer to the following articles for specific WiFi profile configuration information for Windows and Apple devices. \u00a0<\/p>\n\n\n\n