Generic Guide

Configuration steps

Step 1: PKI setup

This is a mandatory step.

May be omitted if you are using RADIUSaaS with username/password-based authentication only.

Set up your PKI so that the necessary client authentication certificates are automatically pushed to your endpoint devices.

If you are using any of the below PKIs, please follow the relevant guides instead:

Microsoft Cloud PKI

Step 2: Trusted CA(s) setup

This is a mandatory step.

Tell your RADIUSaaS instance which client authentication certificates will be allowed to authenticate and how to check if those certificates are still valid:

Trusted Certificates

Step 3: RADIUS Server Certificate configuration

This is a mandatory step.

Since endpoint devices will establish a TLS connection to RADIUSaaS during network authentication, RADIUSaaS must present a server certificate to the client (the RADIUS Server Certificate). This certificate can be generated directly from the RADIUSaaS Admin Portal or imported if you already own a suitable certificate (BYO). The same server certificate is also used to secure the RadSec connection to your authenticator devices (WiFi access points, switches, VPN gateways), if applicable.

In case you are happy to use the built-in Customer CA, whose sole purpose it is to issue the RADIUS Server Certificate, no further action is required as part of this step.

In case you'd prefer to bring your own TLS server certificate, issued by your preferred CA, please follow these steps.

Step 4: Network equipment configuration

This is a mandatory step.

RadSec

If your network equipment supports the RadSec protocol, follow below steps:

WiFi Access Points

For some popular vendors, we have prepared representative step-by-step guides on setting up the RadSec connection here. While we are not able to provide documentation for every vendor, in general, the following steps apply:

  1. Import your active RADIUS Server Certificate to your WiFi infrastructure.

  2. Add the CA certificate from which your APs have obtained their RadSec Connection Certificate to your Trusted Ceertificates list as described here.

  3. Create a new RADIUS profile.

  4. Set the IP address and the port of your server in your RADIUS profile. Therefore, use the public RadSec IP address and the standard RadSec port (2083).

  5. Set the Shared Secret to "radsec", if applicable.

  6. Assign the created profile to your SSID(s).

Wired (LAN) Switches

Currently, we have not prepared sample guides for networking switches yet. However, the configuration steps are similar to the ones for WiFi Access Points. In case you face difficulties, please reach out to us.

RADIUS

If your network equipment does not support RadSec, you must first deploy proxies that handle the protocol conversion from RADIUS to RadSec :

Proxy Settings

Next, move on to configuring your equipment:

WiFi Access Points

For some popular vendors, we have prepared representative step-by-step guides here. While we are not able to provide documentation for every vendor, in general, the following steps apply:

  1. Create a new RADIUS profile.

  2. Configure an external RADIUS server:

    • As server IP address, configure the IP address of your proxy.

    • Take the shared secret from your Server Settings page.

    • Configure the standard ports for RADIUS authentication (1812) and accounting (1813 - optional).

  3. Assign the created profile to your SSID(s).

Wired (LAN) Switches

Currently, we have not prepared sample guides for switch appliances yet. However, the configuration steps are similar to the ones for WiFi Access Points. In case you face difficulties, please reach out to us.

Step 5: Configure your MDM profiles

This is a mandatory step.

For Jamf Pro

We strongly recommend to configure all 802.1X-relevant payloads in a single Configuration Profile in Jamf Pro - and one Configuration Profile per assignment type (Computers, Devices, Users).

Server Certificate

To enable trust between your endpoint devices and the server certificate RADIUSaaS presents upon authentication, configure a trusted certificate profile in your preferred MDM solution. Therefore, first download the Root CA certificate that has issued your currently active RADIUS Server Certificate as described here.

When downloading the relevant certificate, ensure to only download the Root CA certificate of your currently active RADIUS Server Certificate (highlighted in green) - not the entire chain or the RADIUS Server Certificate itself!

Move on to push out this certificate via MDM:

Microsoft Intune

Server Trust

Jamf Pro

Server Trust

WiFi Profile

To configure a WiFi profile in your preferred MDM solution, follow one of these guides:

Microsoft Intune

WiFi Profile

Jamf Pro

WiFi Profile

Wired (LAN) Profile

To configure a wired (LAN) profile for your stationary devices in your preferred MDM solution, follow one of these guides:

Microsoft Intune

Wired Profile

Jamf Pro

Wired Profile

Step 6: Rules

This is an optional step.

If you would like to configure additional rules, for example to assign VLAN IDs or limit authentication requests to certain trusted CAs or WiFi access points, please check out the RADIUSaaS Rule Engine.

Rules

Last updated