JumpCloud RADIUS MFA

You can enable Multi-factor Authentication (MFA) for your RADIUS VPN servers. When MFA is enabled on a RADIUS VPN server, users are challenged for a Time-based One-time Password (TOTP) when connecting to that VPN server.

Considerations

  • JumpCloud RADIUS MFA is intended to be used on VPN servers. We don’t currently recommend that you enable RADIUS MFA on your wireless network servers.
  • MSCHAP and EAP-PEAP/MSCHAP2 can’t be used as an authentication method with MFA-enabled RADIUS. We recommend using EAP-TTLS/PAP for authentication. We don’t recommend using PAP.
  • Mac and iOS devices require additional software to use EAP-TTLS/PAP authentication for wireless clients. See this KB for more information. 

To configure RADIUS MFA for an existing server:

  1. Log in to the JumpCloud Admin Portal: https://console.jumpcloud.com/login.
  2. Go to RADIUS.
  3. Click ( + ). The New RADIUS server panel appears.
  4. Configure Multi-factor Authentication for the RADIUS server:
     • Toggle the "MFA Enforcement for this RADIUS server is" option to On to enable MFA for this server. This option is Off by default.
     • Select "Users will be challenged if they have MFA actively set up" to require all JumpCloud users with MFA active for their account to provide a TOTP code when they connect to this server.
     • Select "Users will be challenged unless they are in an active enrollment period" to require all JumpCloud users that aren’t in an MFA enrollment period to provide a TOTP code when they connect to this server.
     • Select "Users will always be challenged including during an enrollment period" to require all JumpCloud users, even those in MFA enrollment periods, to provide a TOTP code when they connect to this server.
  5. Click save RADIUS server.



To configure RADIUS MFA for a new server:

  1. Log in to the JumpCloud Admin Portal: https://console.jumpcloud.com/login.
  2. Go to RADIUS.
  3. Click ( + ). The New RADIUS server panel appears.
  4. Configure the RADIUS server:
     • Enter a name for the server. This value is arbitrary.
     • Enter a public IP address from which your organization's traffic will originate.
     • Provide a shared secret. This value is shared with the device or service endpoint you're pairing with the RADIUS server.
  5. Configure Multi-factor Authentication for the RADIUS server:
     • Toggle the "MFA Enforcement for this RADIUS server is" option to On to enable MFA for this server. This option is Off by default.
     • Select "Users will be challenged if they have MFA actively set up" to require all JumpCloud users with MFA active for their account to provide a TOTP code when they connect to this server.
     • Select "Users will be challenged unless they are in an active enrollment period" to require all JumpCloud users that aren’t in an MFA enrollment period to provide a TOTP code when they connect to this server.
     • Select "Users will always be challenged including during an enrollment period" to require all JumpCloud users, even those in MFA enrollment periods, to provide a TOTP code when they connect to this server.
  6. To grant access to the RADIUS server, click the User Groups tab, then select the appropriate groups of users you want to connect to the server.
  7. Click save RADIUS server.
 

Connecting to MFA-enabled RADIUS Servers


Users connect to MFA-enabled servers by adding a comma (,) and 6-digit OTP to their JumpCloud password. For example, a user with a password of MyB@dPa33word would enter MyB@dPa33word,123456 for their password, where 123456 represents the 6-digit OTP that is generated by a TOTP app like Google Authenticator.
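The combined password,OTP format described above, as an added Python sketch (not JumpCloud's code) of how a verifier could separate and check the two factors. Splitting at the last comma, HMAC-SHA1 with a 30-second step, the one-step drift window, and the names split_credential, totp and verify are assumptions made for illustration; the secret is the RFC 6238 test key.

```python
import hashlib
import hmac
import re
import struct

OTP_RE = re.compile(r"[0-9]{6}")  # the 6-digit OTP the article describes


def split_credential(combined: str) -> tuple[str, str]:
    """Split '<password>,<otp>' at the LAST comma, so a password that
    itself contains commas is preserved (assumed behaviour)."""
    password, sep, otp = combined.rpartition(",")
    if not sep or not password or not OTP_RE.fullmatch(otp):
        raise ValueError("expected <password>,<6-digit OTP>")
    return password, otp


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1 (assumed authenticator-app defaults)."""
    counter = struct.pack(">Q", max(0, unix_time) // step)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(combined: str, stored_password: str, secret: bytes,
           unix_time: int, window: int = 1, step: int = 30) -> bool:
    """Check both factors; tolerate +/- `window` time steps of clock drift."""
    try:
        password, otp = split_credential(combined)
    except ValueError:
        return False
    # Toy plaintext comparison; a real directory compares against a password hash.
    pw_ok = hmac.compare_digest(password.encode(), stored_password.encode())
    candidates = [totp(secret, unix_time + d * step, step)
                  for d in range(-window, window + 1)]
    otp_ok = any([hmac.compare_digest(otp, c) for c in candidates])
    return pw_ok and otp_ok


# Constructed sample data: the RFC 6238 test secret and the article's example password.
SECRET = b"12345678901234567890"
PASSWORD = "MyB@dPa33word"

if __name__ == "__main__":
    print(split_credential("MyB@dPa33word,123456"))
    print(verify(f"{PASSWORD},{totp(SECRET, 59)}", PASSWORD, SECRET, 59))
```

A password entered without the ,OTP suffix fails the split and is rejected before either factor is compared.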

Educate your users: How do I connect to a VPN server that requires MFA?



Viewing RADIUS MFA Status

You can see if MFA is enabled for a RADIUS server in the RADIUS list's MFA Status column.

 

Last Updated: Sep 13, 2019 11:34AM MDT
