Configuring your WiFi Clients to use JumpCloud RADIUS

Summary


Once you have successfully configured JumpCloud RADIUS-as-a-Service (RaaS) and your WAP, VPN or router device, you are ready for client configuration. RaaS offers both PEAP and EAP-TTLS/PAP authentication, and the WiFi profile configuration differs between the two. The client supplicant is the software that speaks PEAP or EAP-TTLS to make RADIUS requests via your WiFi access point to authenticate to your JumpCloud RADIUS server. Supplicant software can be integrated into your operating system directly, or it may be supplied by a third-party program. This article covers the support available for the EAP-TTLS/PAP protocol on common platforms, as well as the configuration information required for both PEAP and EAP-TTLS/PAP.
 

Configuration


PEAP


In most cases, when you choose PEAP for client authentication, no further configuration is necessary and users may simply connect to the WAP, VPN or router device with their JumpCloud credentials. For some clients and appliances, however, if the JumpCloud RaaS server does not auto-negotiate the RADIUS server certificate, the certificate may need to be added to the configuration manually. It is listed in the basic settings below.

Though no additional configuration should be necessary, here are the basic settings for most operating systems and devices:

Service Set Identifier: The WAP SSID created for RADIUS (Refer to Configuring a Wireless Access Point (WAP), VPN or Router for JumpCloud's RADIUS)
Security Type: WPA2 Enterprise
Network Security Protocol: PEAP
Username: The JumpCloud username (do not use the user's email address)
Password: The JumpCloud user password
Inner Authentication: MSCHAPv2
Outer Identity: anonymous
CA Certificates: radius.jumpcloud.com


EAP-TTLS/PAP


EAP-TTLS/PAP requires several special considerations during configuration. Looking at the various OS types, there are a few areas where third-party software is needed to be able to log in. What you need is EAP-TTLS support with tunneled PAP, which is supported as follows:
 
| OS | Version | Support |
|---|---|---|
| Microsoft | Windows 7, Server 2008 and below | Requires third-party supplicant, such as SecureW2™ Enterprise Client or Juniper™ Odyssey™ Client |
| Microsoft | Windows 8, Server 2012 and higher | Support built-in |
| Mac | 10.3 and higher | Support built-in (but requires a configuration profile) |
| Linux | Multiple OS Versions | Support built-in |
| | wpa_supplicant | Open-source supplicant which may be used if your distribution does not support EAP-TTLS PAP |

You’ll notice the specific issue with Windows 7 and Server 2008; those operating systems do not natively support EAP-TTLS.

In almost all cases, EAP-TTLS/PAP will require that a wireless profile be created in order to have your user successfully authenticate with JumpCloud RaaS.  Here are the basic settings that will be required by most client supplicants:

Service Set Identifier: The WAP SSID created for RADIUS (Refer to Configuring a Wireless Access Point (WAP), VPN or Router for JumpCloud's RADIUS)
Security Type: WPA2 Enterprise
Network Security Protocol: EAP-TTLS
Username: The username of the JumpCloud user to authenticate
Password: The password of the JumpCloud user to authenticate
Inner Authentication: PAP
Outer Identity: anonymous
CA Certificates: radius.jumpcloud.com
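
The following is an added example, not JumpCloud's own tooling: a small Python check that reads a wpa_supplicant `network={...}` block and reports where it deviates from the PEAP and EAP-TTLS/PAP settings listed above. The SSID, username, password and certificate path in the sample profile are constructed placeholders.

```python
import re

# Inner authentication each EAP method must use, per the settings lists above.
REQUIRED_PHASE2 = {"PEAP": "auth=MSCHAPV2", "TTLS": "auth=PAP"}

def parse_network(conf):
    """Return the key/value pairs of the first network={...} block."""
    block = re.search(r"network\s*=\s*\{(.*?)\}", conf, re.S)
    settings = {}
    for line in (block.group(1) if block else "").splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip().strip('"')
    return settings

def audit(conf):
    """Return a list of deviations from the settings this article lists."""
    s, findings = parse_network(conf), []
    eap = s.get("eap", "").upper()
    if s.get("key_mgmt") != "WPA-EAP":
        findings.append("key_mgmt must be WPA-EAP (WPA2 Enterprise)")
    if eap not in REQUIRED_PHASE2:
        findings.append("eap must be PEAP or TTLS")
    elif s.get("phase2", "").upper() != REQUIRED_PHASE2[eap].upper():
        findings.append(f"phase2 must be {REQUIRED_PHASE2[eap]} for {eap}")
    if s.get("anonymous_identity") != "anonymous":
        findings.append("outer identity should be 'anonymous'")
    if "@" in s.get("identity", ""):
        findings.append("identity must be the username, not an email address")
    if not s.get("ca_cert"):
        findings.append("ca_cert missing: RADIUS server certificate is not validated")
    return findings

# Constructed sample profile (placeholders, not real values).
GOOD_TTLS = '''
network={
    ssid="Example-RADIUS"
    key_mgmt=WPA-EAP
    eap=TTLS
    identity="jdoe"
    anonymous_identity="anonymous"
    password="REPLACE_ME"
    phase2="auth=PAP"
    ca_cert="/etc/ssl/certs/jumpcloud-radius.pem"
}
'''
# Same profile with three mistakes: email identity, wrong inner auth, ca_cert commented out.
BAD_TTLS = (GOOD_TTLS.replace('"jdoe"', '"jdoe@example.com"')
            .replace("auth=PAP", "auth=MSCHAPV2").replace("ca_cert=", "#ca_cert="))
```

The missing `ca_cert` finding matters most for EAP-TTLS/PAP, because PAP hands the password in plaintext to whichever server terminates the TLS tunnel.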


Resources


When configuring client devices for authentication using EAP-TTLS/PAP, refer to the following articles for specific WiFi profile configuration information for Windows and Apple devices.  

(EAP-TTLS/PAP) Configuring your Windows 8/10 WiFi Clients to use JumpCloud RADIUS
(EAP-TTLS/PAP) Configure your Mac & iOS Devices for JumpCloud RADIUS

For other devices, please refer to your vendor documentation to confirm support and configuration for PEAP or EAP-TTLS/PAP and be sure to include the client security certificate in the configuration if needed. 
 

Last Updated: Oct 13, 2017 11:06AM MDT
