RadSec

Configuration Steps

Step 1: RadSec Connection Certificate

This is a mandatory step.

To establish trust between your RadSec-capable network gear and RADIUSaaS, upload the RadSec server certificate as described here.

Your network gear vendor should either provide this certificate or provide guidance on how to create one (CSR or via FQDN).

Step 2: Server Certificate

This is a mandatory step.

Since the endpoint device will establish a TLS tunnel to RADIUSaaS during network authentication, a trusted TLS certificate is required. This can be generated directly from the RADIUSaaS Admin Portal or imported if you already own a suitable certificate.

  1. Create a custom CA or upload your own certificate as described here.

  2. Download the active server certificate as described here. You will need it later on for the Intune device profile.

Make sure to download the root CA certificate (highlighted in green). This root certificate, not the server certificate itself, must later be deployed to your endpoint devices. If you are using SCEPman to create a server certificate, you probably already have the SCEPman root CA certificate deployed in the trust store of your endpoints.
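Before building the MDM trust profile, you can confirm locally that the file you are about to deploy really is the root CA and that the active server certificate chains to it. The following is an added example, not part of the RADIUSaaS documentation or tooling; it assumes the `openssl` CLI is installed, and the function names, file names and the throwaway demo PKI are hypothetical.

```bash
#!/usr/bin/env bash
# Added example (not vendor code). Function and file names are hypothetical.

# Print the role of a PEM certificate: root-ca, intermediate-ca or leaf.
cert_role() {
  local cert="$1" subject issuer
  openssl x509 -in "$cert" -noout 2>/dev/null || return 2   # unreadable or not a certificate
  subject=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
  issuer=$(openssl x509 -in "$cert" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//')
  if openssl x509 -in "$cert" -noout -text | grep -q 'CA:TRUE'; then
    if [ "$subject" = "$issuer" ]; then echo root-ca; else echo intermediate-ca; fi
  else
    echo leaf
  fi
}

# Succeed only if ANCHOR is a self-signed CA and SERVER_CERT chains to it.
check_endpoint_trust_anchor() {
  local anchor="$1" server_cert="$2" role
  role=$(cert_role "$anchor") || { echo "FAIL: cannot parse $anchor" >&2; return 1; }
  if [ "$role" != root-ca ]; then
    echo "FAIL: $anchor is a $role certificate; deploy the root CA instead" >&2
    return 1
  fi
  if ! openssl verify -CAfile "$anchor" "$server_cert" >/dev/null 2>&1; then
    echo "FAIL: $server_cert was not issued under $anchor" >&2
    return 1
  fi
  echo "OK: $anchor is the root CA that issued $server_cert"
}

# Constructed sample input: a throwaway root CA and a server certificate it signs.
make_demo_pki() {
  local d="$1"
  printf '[req]\ndistinguished_name=dn\n[dn]\nCN=unused\n[v3_ca]\nbasicConstraints=critical,CA:TRUE\n' > "$d/ca.cnf"
  openssl req -x509 -config "$d/ca.cnf" -extensions v3_ca -newkey rsa:2048 -nodes \
    -keyout "$d/root.key" -out "$d/root.pem" -subj "/CN=Demo Root CA" -days 2 2>/dev/null
  openssl req -new -config "$d/ca.cnf" -newkey rsa:2048 -nodes \
    -keyout "$d/server.key" -out "$d/server.csr" -subj "/CN=radsec.example.test" 2>/dev/null
  openssl x509 -req -in "$d/server.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -out "$d/server.pem" -days 2 2>/dev/null
}

# Usage: ./check_anchor.sh <root-ca.pem> <server-cert.pem>
if [ "$#" -eq 2 ]; then check_endpoint_trust_anchor "$1" "$2"; fi
```

If your server certificate is issued through an intermediate CA, this simple check reports a failure because it only builds a direct chain from the server certificate to the root.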

Step 3: Trusted Roots for Client Authentication

This is a mandatory step.

Tell your RADIUSaaS instance which client authentication certificates will be allowed to authenticate as described:

Trusted Roots for Client Authentication

Step 4: Network Gear Configuration

This is a mandatory step.

WiFi Access Points

For some popular vendors, we have prepared representative step-by-step guides here. While we are not able to provide documentation for every vendor, in general, the following steps apply:

  1. Import your active RADIUS Server Certificate to your WiFi infrastructure.

  2. Add the CA certificate from which your APs have obtained their RadSec connection certificate to your RadSec allowed Connection list as described here.

  3. Create a new RADIUS profile.

  4. Set the IP address and the port of your server in your RADIUS profile. For this, use the public RadSec IP address and the standard RadSec port (2083).

  5. Assign the created profile to your SSID(s).

Wired (LAN) Switches

We have not yet prepared sample guides for switch appliances. However, the configuration steps are similar to the ones for WiFi Access Points. If you face difficulties, please reach out to us.

Step 5: Configure your MDM Deployment Profiles

This is a mandatory step.

For Jamf Pro

We strongly recommend configuring all 802.1X-relevant payloads in a single Configuration Profile in Jamf, with one Configuration Profile per assignment type (Computers, Devices, Users).

Server Certificate

To enable trust between the client and RADIUSaaS, configure a trusted certificate profile in your preferred MDM solution:

Microsoft Intune

Server Trust

Jamf Pro

Server Trust

WiFi Profile

To configure a WiFi profile in your preferred MDM solution, follow one of these guides:

Microsoft Intune

WiFi Profile

Jamf Pro

WiFi Profile

Wired (LAN) Profile

To configure a wired (LAN) profile for your stationary devices in your preferred MDM solution, follow one of these guides:

Microsoft Intune

Wired Profile

Jamf Pro

Wired Profile

Step 6: Rules

This is an optional step.

If you would like to configure additional rules, for example to assign VLAN IDs or to limit authentication requests to certain trusted CAs or WiFi access points, please check out the RADIUSaaS Rule Engine.

Rules
