Generic Guide
PKI Setup
This is a mandatory step.
May be omitted if you are using RADIUSaaS with username/password-based authentication only.
Set up your PKI so that the necessary client authentication certificates are automatically pushed to your endpoint devices.
If you are using any of the below PKIs, please follow the relevant guides instead:
Microsoft Cloud PKITrusted CA(s) Setup
This is a mandatory step.
Tell your RADIUSaaS instance which client authentication certificates will be allowed to authenticate and how to check if those certificates are still valid:
Trusted CertificatesRADIUS Server Certificate Configuration
This is a mandatory step.
For customers that use SCEPman as PKI, we recommend to leverage the SCEPman integration to fully automate the RADIUS Server Certificate lifecycle.
Since endpoint devices will establish a TLS connection to RADIUSaaS during network authentication, RADIUSaaS must present a server certificate to the client (the RADIUS Server Certificate). This certificate can be generated directly from the RADIUSaaS Admin Portal or imported if you already own a suitable certificate (BYO). The same server certificate is also used to secure the RadSec connection to your authenticator devices (WiFi access points, switches, VPN gateways), if applicable.
In case you are happy to use the built-in Customer CA, whose sole purpose it is to issue the RADIUS Server Certificate, no further action is required as part of this step.
In case you'd prefer to bring your own TLS server certificate, issued by your preferred CA, please follow these steps.
Network Equipment Configuration
This is a mandatory step.
RadSec
If your network equipment supports the RadSec protocol, follow below steps:
WiFi Access Points
For some popular vendors, we have prepared representative step-by-step guides on setting up the RadSec connection here. While we are not able to provide documentation for every vendor, in general, the following steps apply:
Import your active RADIUS Server Certificate to your WiFi infrastructure.
Add the CA certificate from which your APs have obtained their RadSec Connection Certificate to your Trusted Ceertificates list as described here.
Create a new RADIUS profile.
Set the IP address and the port of your server in your RADIUS profile. Therefore, use the public RadSec IP address and the standard RadSec port (2083).
Set the Shared Secret to "radsec", if applicable.
Assign the created profile to your SSID(s).
Wired (LAN) Switches
Currently, we have not prepared sample guides for networking switches yet. However, the configuration steps are similar to the ones for WiFi Access Points. In case you face difficulties, please reach out to us.
RADIUS
If your network equipment does not support RadSec, you must first deploy proxies that handle the protocol conversion from RADIUS to RadSec :
Proxy SettingsNext, move on to configuring your equipment:
WiFi Access Points
For some popular vendors, we have prepared representative step-by-step guides here. While we are not able to provide documentation for every vendor, in general, the following steps apply:
Create a new RADIUS profile.
Configure an external RADIUS server:
As server IP address, configure the IP address of your proxy.
Take the shared secret from your Server Settings page.
Configure the standard ports for RADIUS authentication (1812) and accounting (1813 - optional).
Assign the created profile to your SSID(s).
Wired (LAN) Switches
Currently, we have not prepared sample guides for switch appliances yet. However, the configuration steps are similar to the ones for WiFi Access Points. In case you face difficulties, please reach out to us.
MDM Profiles
This is a mandatory step.
For Jamf Pro
We strongly recommend to configure all 802.1X-relevant payloads in a single Configuration Profile in Jamf Pro - and one Configuration Profile per assignment type (Computers, Devices, Users).
Server Certificate
To enable trust between your endpoint devices and the server certificate RADIUSaaS presents upon authentication, configure a trusted certificate profile in your preferred MDM solution. Therefore, first download the Root CA certificate that has issued your currently active RADIUS Server Certificate as described here.
When downloading the relevant certificate, ensure to only download the Root CA certificate of your currently active RADIUS Server Certificate (highlighted in green) - not the entire chain or the RADIUS Server Certificate itself!
Move on to push out this certificate via MDM:
Microsoft Intune
Server TrustJamf Pro
Server TrustWiFi Profile
To configure a WiFi profile in your preferred MDM solution, follow one of these guides:
Microsoft Intune
WiFi ProfileJamf Pro
WiFi ProfileWired (LAN) Profile
To configure a wired (LAN) profile for your stationary devices in your preferred MDM solution, follow one of these guides:
Microsoft Intune
Wired ProfileJamf Pro
Wired ProfilePermissions and Technical Contacts
This is a mandatory step.
First, review your Permissions to ensure the right persons in your organization have the right level of administrative access to your RADIUSaaS instance.
To prevent yourself from being locked out of your RADIUSaaS instance, always ensure that either
at least two user identities or
one service account
are configured as Administrators.
Next, ensure that we are able to contact you in case we have important technical information to share by reviewing the Technical Contacts section.
For us to reliably deliver important information to you via email, always ensure that either
at least two email addresses of individuals or
one shared mailbox / distribution list
are configured.
Rules
This is an optional step.
If you would like to configure additional rules, for example to assign VLAN IDs or limit authentication requests to certain trusted CAs or WiFi access points, please check out the RADIUSaaS Rule Engine.
RulesLast updated
Was this helpful?