Generic Guide

Last updated 6 months ago

Configuration steps

Step 1: PKI setup

This is a mandatory step.

May be omitted if you are using RADIUSaaS with username/password-based authentication only.

Set up your PKI so that the necessary client authentication certificates are automatically pushed to your endpoint devices.

If you are using any of the below PKIs, please follow the relevant guides instead:

Step 2: Trusted CA(s) setup

This is a mandatory step.

Tell your RADIUSaaS instance which client authentication certificates will be allowed to authenticate and how to check if those certificates are still valid:

Trusted Certificates

Step 3: RADIUS Server Certificate configuration

This is a mandatory step.

Since endpoint devices will establish a TLS connection to RADIUSaaS during network authentication, RADIUSaaS must present a server certificate to the client (the RADIUS Server Certificate). This certificate can be generated directly from the RADIUSaaS Admin Portal or imported if you already own a suitable certificate (BYO). The same server certificate is also used to secure the RadSec connection to your authenticator devices (WiFi access points, switches, VPN gateways), if applicable.

Step 4: Network equipment configuration

This is a mandatory step.

RadSec

If your network equipment supports the RadSec protocol, follow the steps below:

WiFi Access Points

  1. Import your active RADIUS Server Certificate to your WiFi infrastructure.

  2. Create a new RADIUS profile.

  3. Set the Shared Secret to "radsec", if applicable.

  4. Assign the created profile to your SSID(s).

Wired (LAN) Switches

RADIUS

Next, move on to configuring your equipment:

WiFi Access Points

  1. Create a new RADIUS profile.

  2. Configure an external RADIUS server:

    • Configure the standard ports for RADIUS authentication (1812) and accounting (1813 - optional).

  3. Assign the created profile to your SSID(s).

Wired (LAN) Switches

Step 5: Configure your MDM profiles

This is a mandatory step.

For Jamf Pro

We strongly recommend configuring all 802.1X-relevant payloads in a single Configuration Profile in Jamf Pro, and one Configuration Profile per assignment type (Computers, Devices, Users).

Server Certificate

When downloading the relevant certificate, make sure to download only the Root CA certificate of your currently active RADIUS Server Certificate (highlighted in green), not the entire chain or the RADIUS Server Certificate itself!

Move on to push out this certificate via MDM:

Microsoft Intune

Jamf Pro

WiFi Profile

To configure a WiFi profile in your preferred MDM solution, follow one of these guides:

Microsoft Intune

Jamf Pro

Wired (LAN) Profile

To configure a wired (LAN) profile for your stationary devices in your preferred MDM solution, follow one of these guides:

Microsoft Intune

Jamf Pro

Step 6: Rules

This is an optional step.

If you would like to configure additional rules, for example to assign VLAN IDs or limit authentication requests to certain trusted CAs or WiFi access points, please check out the RADIUSaaS Rule Engine.

If you are happy to use the built-in Customer CA, whose sole purpose is to issue the RADIUS Server Certificate, no further action is required as part of this step.

If you would prefer to bring your own TLS server certificate, issued by your preferred CA, please follow these steps.

For some popular vendors, we have prepared representative step-by-step guides on setting up the RadSec connection here. While we are not able to provide documentation for every vendor, in general, the following steps apply:

Add the CA certificate from which your APs have obtained their RadSec Connection Certificate to your Trusted Certificates list as described here.

Set the IP address and the port of your server in your RADIUS profile. For this, use the public RadSec IP address and the standard RadSec port (2083).

We have not yet prepared sample guides for networking switches. However, the configuration steps are similar to the ones for WiFi Access Points. In case you face difficulties, please reach out to us.

If your network equipment does not support RadSec, you must first deploy proxies that handle the protocol conversion from RADIUS to RadSec:

Proxy Settings

For some popular vendors, we have prepared representative step-by-step guides here. While we are not able to provide documentation for every vendor, in general, the following steps apply:

As server IP address, configure the IP address of your proxy.

Take the shared secret from your Server Settings page.

We have not yet prepared sample guides for switch appliances. However, the configuration steps are similar to the ones for WiFi Access Points. In case you face difficulties, please reach out to us.

To enable trust between your endpoint devices and the server certificate RADIUSaaS presents upon authentication, configure a trusted certificate profile in your preferred MDM solution. To do so, first download the Root CA certificate that has issued your currently active RADIUS Server Certificate as described here.
