Help Center Home > Authentication > RADIUS Technical Considerations and Protocol Support

RADIUS Technical Considerations and Protocol Support

JumpCloud's cloud-based RADIUS service extends your organization's user JumpCloud credentials to your WiFi and other resources that support the RADIUS protocol. This document will give details on the different options and combinations available for various RADIUS protocols, along with the technical considerations admins need to keep in mind.

RADIUS Client Public IP Considerations

Your public IP can only be used one time in JumpCloud.
Only public IPv4 is supported. IPv6 is not supported.
If your public IP Address is dynamic and not statically assigned by your ISP, you will need to update the RADIUS configuration within JumpCloud to reflect the newly assigned IP Address. You may change this either within the Admin Portal or via the API .

Authentication Protocols Supported by JumpCloud

Mutual TLS (mTLS)
- EAP-TLS
TLS encryption
- PEAPv0 (MSCHAPv2-based)
- EAP-TTLS/PAP
Shared key encryption:
- EAP-MSCHAPv2
- MSCHAPv2
- PAP*

Warning:

PAP encryption is weak; JumpCloud strongly recommends using protocols other than PAP.
Mac and iOS devices require additional configuration to use EAP-TTLS/PAP authentication for wireless clients.
- See: EAP-TTLS/PAP Initial Configuration on Mac & iOS Devices for JumpCloud RADIUS client

Note:

All protocols are always available. The user or admin will configure the device to select a single protocol during the authentication attempts being made to the network. That decision should be based on the desired Multi-Factor Authentication (MFA) or primary Identity Provider (IdP) to be used.

Protocol Support for JumpCloud MFA:

Protocol	Method
PEAPv0	Push
EAP with TTLS/PAP	TOTP/Push
EAP-MSCHAPv2	Push
MSCHAPv2	Push
PAP	TOTP/Push
EAP-TLS	None

MFA methods:

TOTP: uses an authenticator App (like JumpCloud Protect, Microsoft Authenticator, or Google Authenticator) to generate 6-digit codes
Push: uses JumpCloud Protect in-App push notifications
We recommend turning on MFA for Radius for VPN. We don’t currently recommend that you enable RADIUS TOTP MFA on your wireless network servers, however JumpCloud Protect Mobile Push can be used on RADIUS VPN servers and wireless network RADIUS servers.

See: JumpCloud MFA Guide.

Entra ID Delegated Authentication

For organizations planning to use Entra ID as their IdP, they need to import those users into JumpCloud and assign them to a User Group that has access to the RADIUS server.
- See: Authenticate to RADIUS with Entra ID
When authenticating with Entra ID, the UPN in Entra ID should match the company email address in JumpCloud and the user should be using this attribute for their Radius login.
- See: Configure Real-time User Provisioning from Entra ID

Protocol Support for Entra ID Delegated Authentication:

Protocol	MFA
EAP with TTLS/PAP	None
PAP	None

Note:

MFA is not supported when authenticating through an IdP other than JumpCloud, such as Entra ID.

Back to Top

Still Have Questions?

If you cannot find an answer to your question in our FAQ, you can always contact us.

Submit a Case

Build the Foundation for a Unified Stack