Organizations can enable RADIUS access using Entra ID as the identity provider, which provides the advantage of an organization getting secure RADIUS access through JumpCloud without having to manage users and passwords outside of Entra ID.
This article will provide a high level view of what a new organization needs to do to get authentication with Entra ID working.
Organizations authenticating with Entra ID must use EAP-TTLS/PAP only.
- Learn More: RADIUS Protocol Support
Considerations:
- Entra ID may flag the RADIUS authentication request from JumpCloud RADIUS servers as risky, due to Microsoft Identity Protection being turned on for the Entra ID account or a Conditional Access policy based on the IP address. To suppress the false flag, add the JumpCloud RADIUS server IP addresses to the trusted IP list, either by extending an existing Entra ID policy or adding a new policy.
- Microsoft KB: Using the location condition in a Conditional Access policy
- Microsoft KB: How To: Investigate risk
- Microsoft KB: Conditional Access: Block access by location
- OpenVPN is only supported with PAP and MSCHAPv2. It is not supported with EAP-TTLS/PAP, so authentication with Entra ID cannot be done with OpenVPN.
Import Users:
In order for RADIUS login with Entra ID credentials to be successful, Entra ID needs to be authoritative for the user's password. An Entra ID account which is federated with a third-party Identity Provider, Microsoft Office, or AD will cause the RADIUS authentication to fail with a sign-in error code of 50126 even if the user or admin enters their username and password correctly. A workaround for this issue is to create an alias user in Entra ID.
- For organizations planning to authenticate with the IdP of Entra ID, those users need to be imported into JumpCloud.
- When authenticating with Entra ID, the UPN in Entra ID should match the company email address in JumpCloud, and the user should use this attribute for their RADIUS login.
- Entra ID doesn’t pass the user’s password to JumpCloud, so the user remains in a Password Pending status. If an Entra ID organization is using JumpCloud exclusively for RADIUS, admins do not require users to create a password in JumpCloud, so the Password Pending status can be ignored.
- Users are imported in a Staged state and need to be moved to an Active state.
- Learn More: Manage User States
Create a User Group:
- After importing, your users need to be assigned to a User Group that will be granted access to the RADIUS server.
- Learn More: Get Started User Groups
Set up a RADIUS server:
- Add a RADIUS server, and set up authentication with Entra ID as the identity provider.
- Learn More: RADIUS Configuration and Authentication
Configure a Wireless Access Point (WAP):
Set up Client Devices:
- First, establish a secure authentication protocol with EAP-TTLS/PAP.
- Learn More: EAP-TTLS/PAP configuration on Mac & iOS Devices for JumpCloud RADIUS
- Learn More: EAP-TTLS/PAP configuration on Windows for JumpCloud RADIUS clients
- Note: Android devices may not require a certificate.
Troubleshooting RADIUS Connections:
- Learn More: Troubleshooting RADIUS Server Authentication
- Once the setup is tested, admins can leverage their existing MDM/UEM to deploy the certificates or profile to their managed devices.
- The transactions will show as interrupted in the Entra ID sign-in log. If Entra ID MFA is enabled, the transaction may show as failed but the RADIUS connection will be successful if the user provides email and password correctly. Entra ID ignores the MFA requirement.
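The following is an added triage helper, not JumpCloud's or Microsoft's code, that sorts Entra ID sign-in entries for JumpCloud-brokered RADIUS logins into the cases this article describes (UPN not matching the JumpCloud email, error 50126 on a federated account, a risky-sign-in flag from an untrusted RADIUS server IP, the expected "Interrupted" status, and the MFA-enabled "Failure" that still passed RADIUS). The record fields and the RADIUS server IPs are constructed placeholders, not the real sign-in log schema or JumpCloud's addresses.

```python
"""Triage Entra ID sign-in records for JumpCloud RADIUS logins (added example)."""

# Hypothetical placeholder IPs: use the JumpCloud RADIUS server IPs from the admin console.
TRUSTED_RADIUS_IPS = {"203.0.113.10", "203.0.113.11"}


def triage(rec, jumpcloud_emails, trusted_ips=TRUSTED_RADIUS_IPS):
    """Return (verdict, advice) for one simplified sign-in record (constructed shape)."""
    upn = rec.get("upn", "").lower()
    if upn not in {e.lower() for e in jumpcloud_emails}:
        return ("upn-mismatch", "UPN must equal the user's company email in JumpCloud")
    if rec.get("errorCode") == 50126:
        # Correct credentials but Entra ID is not authoritative for the password.
        return ("federated-account", "federated/AD-synced account; create an Entra ID alias user")
    if rec.get("riskLevel", "none") != "none":
        if rec.get("ip") not in trusted_ips:
            return ("risky-sign-in", "add the JumpCloud RADIUS server IPs to the trusted IP list")
        return ("risky-sign-in", "IP already trusted; check the Conditional Access policy order")
    if rec.get("status") == "Interrupted":
        return ("expected", "RADIUS sign-ins log as Interrupted; the RADIUS connection succeeded")
    if rec.get("status") == "Failure" and rec.get("mfaEnforced"):
        return ("check-radius-log", "with MFA enabled Entra ID logs Failure even when RADIUS succeeded")
    return ("unknown", "see Troubleshooting RADIUS Server Authentication")


def triage_all(records, jumpcloud_emails):
    """Triage a batch of records in order."""
    return [triage(r, jumpcloud_emails) for r in records]


# Constructed sample records and JumpCloud user emails (not real log data).
JUMPCLOUD_EMAILS = {"ana@example.com", "bo@example.com", "cy@example.com"}
SAMPLE_RECORDS = [
    {"upn": "ana@example.com", "ip": "203.0.113.10", "status": "Interrupted", "errorCode": 0, "riskLevel": "none"},
    {"upn": "bo@example.com", "ip": "203.0.113.10", "status": "Failure", "errorCode": 50126, "riskLevel": "none"},
    {"upn": "cy@example.com", "ip": "198.51.100.7", "status": "Failure", "errorCode": 0, "riskLevel": "medium"},
    {"upn": "di@partner.example", "ip": "203.0.113.11", "status": "Failure", "errorCode": 0, "riskLevel": "none"},
]

if __name__ == "__main__":
    for rec, (verdict, advice) in zip(SAMPLE_RECORDS, triage_all(SAMPLE_RECORDS, JUMPCLOUD_EMAILS)):
        print(f"{rec['upn']:22} {verdict:18} {advice}")
```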