Certificate Based Authentication to RADIUS for Admins

JumpCloud RADIUS supports both credential (with a password) and certificate (passwordless) based authentication. Certificate Based Authentication (CBA) is considered the most secure method of authentication, with the least amount of user friction. At this time, JumpCloud is supporting certificates from multiple certificate authorities (CA). JumpCloud RADIUS allows organizations who are already using and managing certificates to import them into JumpCloud and use them for authentication to JumpCloud RADIUS.

Considerations:

  • The certificate functionality allows administrators to use password credentials as a backup to certificates for user login.
  • Using passwords as a backup for certificates gives admins the flexibility to try certificates without relying solely on them. 
  • MFA can be used with password credentials but not with certificates (passwordless).

Provisioning Certificates

  • Certificate Authority and root trust chain
    • JumpCloud offers the flexibility for organizations to import the root trust chain or Certificate Authority (CA) into JumpCloud and use them for authentication to JumpCloud RADIUS for network access.
    • The CA may originate from a 3rd party Certificate Authority (like Globalsign) or a self-signed CA.
    • Certificates can originate from multiple different certificate authorities which will vouch for the origin and good standing of the certificate.
    • JumpCloud has created Powershell scripts to serve as examples of the certificate creation, generation, and import process. See RADIUS Certificate Example Scripts for more information about using the scripts.
  • User Certificate types
    • JumpCloud RADIUS supports three types of User Certificates:
      • Client cert with JumpCloud user email in the subject alternative name
      • Client cert with JumpCloud user email in the subject distinguished name
      • Client cert with JumpCloud username in the common name
    • The user certificates must be installed on the user or local store (for example, the Current User/Personal Store in Windows) of the target device performing the RADIUS access request.
    • The user certificates must have been created with and derived from the CA uploaded on JumpCloud RADIUS.
  • Certificate Status check
    • JumpCloud RADIUS supports validating the good standing of a certificate on every authentication transaction via the Online Certificate Status Protocol (OCSP). The OCSP service providing validation on behalf of the CA must be specified on the User Certificate (authorityInfoAccess field must equal to OCSP followed by the URL identifying the resource that differentiates it from others by using a name, location, or both).

Admin Experience: Authenticating Users with Certificates

  1. In the JumpCloud Admin Portal, go to the User Authentication > RADIUS area and select the green plus (+) button to add a new RADIUS server.
  2. On the Authentication tab, choose JumpCloud as the Identity Provider and under the Authentication Method, click on the Passwordless option.
    • (optional) If desired, select Allow password authentication as an alternative method.
    • Note: If this checkbox is selected, admins can enable certificates for some users while allowing others to continue validating by username and password. Users will continue to have the option to validate by username and password, but once they choose to validate with certificates and a valid certificate is found, the password option will no longer be presented.
    • Once Passwordless has been selected, you will not be able to Save until a certificate has been successfully uploaded (or the authentication method has been changed back to Password).
  1. To upload your certificate, click on the Choose a File button, navigate to the file location, and select it for uploading.
  2. Once the file has uploaded successfully the file name will display on the screen and options will change to replacing or deleting the file. There is also an option to view the full CA chain.
  3. Clicking Save will return the user to the main RADIUS screen, where the Certificate badge will display in the Primary Authentication column.

User Experience
When a user connects to a Wi-Fi device configured to authenticate with a certificate for the first time, the user will be able to select ‘Connect using a certificate’. On subsequent attempts the authentication will be automatic.

Note:

On macOS, users will need to enter their password to allow changes to Certificate Trust Settings, and to sign in and allow access to the “private key,” and should select “Always Allow” when prompted.

Still Have Questions?

If you cannot find an answer to your question in our FAQ, you can always contact us.

Submit a Case