Generic Guide

Configuration Steps

Step 1: PKI Setup

This is a mandatory step.

May be omitted if you are using RADIUSaaS with username/password-based authentication only.

Set up your PKI so that the necessary client authentication certificates are automatically pushed to your endpoint devices.

If you are using any of the below PKIs, please follow the relevant guides instead:

pageMicrosoft Cloud PKI

Step 2: Trusted CA(s) Setup

This is a mandatory step.

Tell your RADIUSaaS instance which client authentication certificates will be allowed to authenticate and how to check if those certificates are still valid:

pageTrusted Certificates

Step 3: RADIUS Server Certificate Configuration

This is a mandatory step.

Since endpoint devices will establish a TLS connection to RADIUSaaS during network authentication, RADIUSaaS must present a server certificate to the client (the RADIUS Server Certificate). This certificate can be generated directly from the RADIUSaaS Admin Portal or imported if you already own a suitable certificate (BYO).

In case you are happy to use the built-in Customer CA, whose sole purpose it is to issue the RADIUS Server Certificate, no further action is required as part of this step.

In case you'd prefer to bring your own TLS server certificate, issued by your preferred CA, please follow these steps.

Step 4: Network Equipment Configuration

This is a mandatory step.

RadSec

If your network equipment supports the RadSec protocol, follow below steps:

WiFi Access Points

For some popular vendors, we have prepared representative step-by-step guides on setting up the RadSec connection here. While we are not able to provide documentation for every vendor, in general, the following steps apply:

  1. Import your active RADIUS Server Certificate to your WiFi infrastructure.

  2. Add the CA certificate from which your APs have obtained their RadSec Connection Certificate to your Trusted Ceertificates list as described here.

  3. Create a new RADIUS profile.

  4. Set the IP address and the port of your server in your RADIUS profile. Therefore, use the public RadSec IP address and the standard RadSec port (2083).

  5. Set the Shared Secret to "radsec", if applicable.

  6. Assign the created profile to your SSID(s).

Wired (LAN) Switches

Currently, we have not prepared sample guides for networking switches yet. However, the configuration steps are similar to the ones for WiFi Access Points. In case you face difficulties, please reach out to us.

RADIUS

If your network equipment does not support RadSec, you must first deploy proxies that handle the protocol conversion from RADIUS to RadSec :

pageProxy Settings

Next, move on to configuring your equipment:

WiFi Access Points

For some popular vendors, we have prepared representative step-by-step guides here. While we are not able to provide documentation for every vendor, in general, the following steps apply:

  1. Create a new RADIUS profile.

  2. Configure an external RADIUS server:

    • As server IP address, configure the IP address of your proxy.

    • Take the shared secret from your Server Settings page.

    • Configure the standard ports for RADIUS authentication (1812) and accounting (1813 - optional).

  3. Assign the created profile to your SSID(s).

Wired (LAN) Switches

Currently, we have not prepared sample guides for switch appliances yet. However, the configuration steps are similar to the ones for WiFi Access Points. In case you face difficulties, please reach out to us.

Step 5: Configure your MDM Deployment Profiles

This is a mandatory step.

For Jamf Pro

We strongly recommend to configure all 802.1X-relevant payloads in a single Configuration Profile in Jamf Pro - and one Configuration Profile per assignment type (Computers, Devices, Users).

Server Certificate

To enable trust between your endpoint devices and the server certificate RADIUSaaS presents upon authentication, configure a trusted certificate profile in your preferred MDM solution. Therefore, first download the Root CA certificate that has issued your currently active RADIUS Server Certificate as described here.

When downloading the relevant certificate, ensure to only download the Root CA certificate of your currently active RADIUS Server Certificate (highlighted in green) - not the entire chain or the RADIUS Server Certificate itself!

Move on to push out this certificate via MDM:

Microsoft Intune

pageServer Trust

Jamf Pro

pageServer Trust

WiFi Profile

To configure a WiFi profile in your preferred MDM solution, follow one of these guides:

Microsoft Intune

pageWiFi Profile

Jamf Pro

pageWiFi Profile

Wired (LAN) Profile

To configure a wired (LAN) profile for your stationary devices in your preferred MDM solution, follow one of these guides:

Microsoft Intune

pageWired Profile

Jamf Pro

pageWired Profile

Step 6: Rules

This is an optional step.

If you would like to configure additional rules, for example to assign VLAN IDs or limit authentication requests to certain trusted CAs or WiFi access points, please check out the RADIUSaaS Rule Engine.

pageRules

Last updated