Summary
Once you have configured JumpCloud RADIUS-as-a-Service (RaaS) and your WAP, VPN or router device, you are ready to configure clients. RaaS offers both PEAP and EAP-TTLS/PAP authentication, and the WiFi profile configuration differs between the two. The client supplicant is the software that speaks PEAP or EAP-TTLS, making RADIUS requests via your WiFi access point to authenticate against your JumpCloud RADIUS server. Supplicant software may be integrated directly into your operating system, or it may be supplied by a third-party program. This article covers the support available for the EAP-TTLS/PAP protocol on common platforms, as well as the configuration information required for both PEAP and EAP-TTLS/PAP.
Configuration
PEAP
In most cases, when you choose PEAP for client authentication, no further configuration is necessary and users may simply connect to the WAP, VPN or router device with their JumpCloud credentials. For some clients and appliances, however, if the JumpCloud RaaS server does not auto-negotiate the RADIUS server certificate, it may need to be added to the configuration manually. It may be found in the basic settings listed below.
Though no additional configuration should be necessary, here are the basic settings for most operating systems and devices:
Service Set Identifier: The WAP SSID created for RADIUS (Refer to Configure a Wireless Access Point (WAP), VPN or Router for JumpCloud's RADIUS)
Security Type: WPA2 Enterprise
Network Security Protocol: PEAP
Username: The JumpCloud username or email address of the user to authenticate
Password: The JumpCloud user password
Inner Authentication: MSCHAPv2
Outer Identity: anonymous
CA Certificates: radius.jumpcloud.com
EAP-TTLS/PAP
EAP-TTLS/PAP comes with several special configuration considerations. Across the various OS types, there are a few cases where third-party software is needed to log in. The requirement is EAP-TTLS support with tunneled PAP, which is supported as follows:
OS | Version | Support |
---|---|---|
Microsoft Windows | 7, Server 2008 and below | Requires third-party supplicant, such as SecureW2™ Enterprise Client or Juniper™ Odyssey™ Client |
Microsoft Windows | 8, Server 2012 and higher | Support built-in |
Mac | 10.3 and higher | Support built-in (but requires a configuration profile) |
Linux | Multiple OS Versions | Support built-in |
Linux | wpa_supplicant | Open-source supplicant which may be used if your distribution does not support EAP-TTLS PAP |
Learn more: RADIUS Technical Considerations and Protocol Support
You’ll notice the specific issue with Windows 7 and Server 2008; those operating systems do not natively support EAP-TTLS.
In almost all cases, EAP-TTLS/PAP will require that a wireless profile be created in order to have your user successfully authenticate with JumpCloud RaaS. Here are the basic settings that will be required by most client supplicants:
Service Set Identifier: The WAP SSID created for RADIUS (Refer to Configure a Wireless Access Point (WAP), VPN or Router for JumpCloud's RADIUS)
Security Type: WPA2 Enterprise
Network Security Protocol: EAP-TTLS
Username: The username or email address of the JumpCloud user to authenticate
Password: The password of the JumpCloud user to authenticate
Inner Authentication: PAP
Outer Identity: anonymous
CA Certificates: radius.jumpcloud.com
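The settings above expressed as a wpa_supplicant network block (an added example, not taken from JumpCloud's documentation). The SSID, credentials and file paths are placeholders, and the certificate name match assumes the server certificate carries the name radius.jumpcloud.com.

```conf
# Constructed example for wpa_supplicant.conf.
# All values marked "placeholder" must be replaced with your own.

network={
    # Service Set Identifier: the WAP SSID created for RADIUS (placeholder)
    ssid="EXAMPLE-RADIUS-SSID"

    # Security Type: WPA2 Enterprise
    key_mgmt=WPA-EAP

    # Network Security Protocol: EAP-TTLS, Inner Authentication: PAP
    eap=TTLS
    phase2="auth=PAP"

    # Outer Identity: sent outside the TLS tunnel, so keep it anonymous
    anonymous_identity="anonymous"

    # JumpCloud username or email address, and password (placeholders)
    identity="user@example.com"
    password="REPLACE_ME"

    # Server validation. PAP passes the password unhashed inside the TLS
    # tunnel, so the supplicant must verify which server the tunnel ends at.
    # Without ca_cert, wpa_supplicant does not verify the server certificate.
    # Placeholder path to the CA certificate file:
    ca_cert="/etc/ssl/certs/EXAMPLE-radius-ca.pem"

    # Assumption: the server certificate is issued for this name
    domain_suffix_match="radius.jumpcloud.com"
}

# PEAP variant of the same profile: change only these two lines.
#     eap=PEAP
#     phase2="auth=MSCHAPV2"
```

Because the file stores the password in plain text, restrict it to the account that runs wpa_supplicant (for example, mode 600 owned by root).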
Resources
When configuring client devices for authentication using EAP-TTLS/PAP, refer to the following articles for specific WiFi profile configuration information for Windows and Apple devices.
For other devices, please refer to your vendor documentation to confirm support and configuration for PEAP or EAP-TTLS/PAP and be sure to include the client security certificate in the configuration if needed.