As the internet continues its trend toward ubiquity, the dangers of weak network security have become painfully apparent. This is why so many companies are making the much needed transition from pre-shared key (PSK) authentication to 802.1X authentication using certificates. Historically, though, this was only possible with expensive on-premises servers, which made the move to WPA2-Enterprise network security difficult.
How RADIUS Authentication Works at a High Level
Create an Identity Provider in SecureW2
An IDP connects to SecureW2's onboarding software and confirms the identity of a user at enrollment time. Later, when a device presents its certificate, the identity in that certificate is checked against the IDP to confirm the user is still an approved network user before the RADIUS server authenticates the device.
To create an IDP in SecureW2:
- From your SecureW2 Management Portal, go to Identity Management > Identity Providers.
- Click Add Identity Provider.
- For Name, enter a name.
- For Description, enter a description.
- Click the Type dropdown and select SAML.
- Click the Saml Vendor dropdown and select the vendor that matches your IDP (Okta for this guide).
- Click Save.
How To Use Okta for RADIUS Authentication
By combining Okta identity management and SecureW2’s EAP-TLS certificate solutions, network users can be easily equipped with certificates for RADIUS authentication.
Furthermore, SecureW2's Dynamic Cloud RADIUS can look users up in cloud directories like Okta at authentication time. Policy decisions are made from the user's current attributes in Okta rather than from the attributes frozen into a certificate when it was issued, so a user who has been disabled or moved out of a group in Okta is rejected at their next authentication without waiting for the certificate to expire. This adds a second check on top of the certificate and means fewer policy decisions have to be encoded into the certificate itself.
Create a SAML Application in Okta
- From your Okta admin dashboard, under Shortcuts, click Add Applications.
- Click Create New App.
- In the Create a New Application Integration prompt:
  - Click the Platform dropdown and select Web.
  - For Sign on method, select the radio button for SAML 2.0.
  - Click Create.
- On the 1 General Settings step, for App name, enter a name.
- Click Next.
- In a new browser tab/window, log in to your SecureW2 Management Portal and go to Identity Management > Identity Providers.
- Click Edit for the IDP you created in the section “Create an Identity Provider in SecureW2”.
- Select the Configuration tab.
- Copy and paste as follows:
  - From SecureW2, copy the ACS URL and EntityId values, and
  - paste them into Okta (2 Configure SAML step) as Single sign on URL and Audience URI (SP Entity ID) respectively. The values must match character for character: Okta writes them into the SAML response's Destination/Recipient and Audience fields, and an SP rejects a response addressed to anything else, so a stray trailing slash or http/https mismatch breaks sign-in.
- Click Next.
- On the 3 Feedback step, for Are you a customer or partner?, select the appropriate radio button.
- Click Finish.
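To show why the ACS URL and Entity ID copied into Okta have to match exactly, here is an added example (not SecureW2's or Okta's code) that applies the SP-side addressing checks to a SAML response. SP_ACS_URL, SP_ENTITY_ID and the two response documents are constructed placeholders standing in for the real values from the SecureW2 Configuration tab; signature verification is left to a SAML library and is assumed to have already passed.

```python
"""Check that a SAML Response is addressed to the SP values entered in Okta.

Added example, not SecureW2's or Okta's code. SP_ACS_URL, SP_ENTITY_ID and the
response documents below are constructed placeholders; the real ACS URL and
EntityId come from the SecureW2 IdP Configuration tab.
"""
import xml.etree.ElementTree as ET
from typing import List

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed stand-ins for the values SecureW2 shows as ACS URL and EntityId
SP_ACS_URL = "https://sp.example.com/auth/saml/acs"
SP_ENTITY_ID = "https://sp.example.com/saml/metadata"


def check_saml_response(xml_text: str, acs_url: str, entity_id: str) -> List[str]:
    """Return the addressing mismatches; an empty list means the response was
    issued for this SP. Signature verification is out of scope: validate the
    signature with a SAML library first, then apply these checks."""
    root = ET.fromstring(xml_text)
    problems = []

    # Destination must equal the ACS URL (Okta: "Single sign on URL")
    dest = root.get("Destination")
    if dest != acs_url:
        problems.append(f"Destination {dest!r} != ACS URL {acs_url!r}")

    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        problems.append("Response carries no Assertion")
        return problems

    # Recipient on SubjectConfirmationData must also equal the ACS URL
    scd = assertion.find(
        "saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    recipient = scd.get("Recipient") if scd is not None else None
    if recipient != acs_url:
        problems.append(f"Recipient {recipient!r} != ACS URL {acs_url!r}")

    # Audience must name our Entity ID (Okta: "Audience URI (SP Entity ID)");
    # an assertion minted for another SP must never be accepted here
    audiences = [a.text for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if entity_id not in audiences:
        problems.append(f"Audience {audiences!r} does not include {entity_id!r}")
    return problems


def _response(destination: str, recipient: str, audience: str) -> str:
    """Build a constructed, unsigned SAML Response for demonstration only."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"
    Destination="{destination}">
  <saml:Issuer>http://www.okta.com/exk-constructed</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>http://www.okta.com/exk-constructed</saml:Issuer>
    <saml:Subject>
      <saml:NameID>alice@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{recipient}"
            NotOnOrAfter="2024-01-01T00:05:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>{audience}</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


# A response addressed to us, and one minted for a different SP (both constructed)
GOOD_RESPONSE = _response(SP_ACS_URL, SP_ACS_URL, SP_ENTITY_ID)
OTHER_SP_RESPONSE = _response(SP_ACS_URL, SP_ACS_URL,
                              "https://other-sp.example.net/metadata")

if __name__ == "__main__":
    print("ours:    ", check_saml_response(GOOD_RESPONSE, SP_ACS_URL, SP_ENTITY_ID))
    print("other SP:", check_saml_response(OTHER_SP_RESPONSE, SP_ACS_URL, SP_ENTITY_ID))
```

The second case is the one the Audience URI field exists for: an assertion Okta issued for some other application, replayed to this SP, is refused because its Audience does not name this Entity ID. Passing an ACS URL with a trailing slash to the first case produces two mismatches, which is exactly what a copy/paste typo in the Okta settings looks like from the SP side.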
Configuring RADIUS Authentication for Okta Users
Now you need to enter the RADIUS information into your access point or wireless controller. This guide uses a Meraki access point to show how Cloud RADIUS integrates with an AP, but Cloud RADIUS is vendor neutral and works with any enterprise AP vendor.
- Under Wireless, select Access control.
- Under Network access, change the default Open (no encryption) to WPA2 Enterprise with "my RADIUS server".
- For WPA encryption mode, select WPA2 only.
- In the Splash page section, leave it set to None (direct access).
You can find the details of your Cloud RADIUS under AAA Management > AAA Configuration: a Primary IP Address, a Secondary IP Address, a Port Number and a Shared Secret. Treat the shared secret as a credential. It is never sent over the wire, but it is what authenticates RADIUS traffic between the access point and the server, so anyone who holds it can forge requests and responses.
- Copy the Cloud RADIUS information back into your access point. In the Meraki dashboard, under RADIUS servers, click the green Add a server link.
- Enter the Primary IP Address, Port Number and Shared Secret in their respective fields.
- Repeat the same steps for the Secondary IP Address, entering the Secondary IP Address, Port Number and Shared Secret.
- Scroll down and click Save changes.
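The shared secret entered above is used for the Message-Authenticator that every EAP-carrying Access-Request must carry, which is what makes a wrong secret look like a silent server. As an added example (not SecureW2's or Meraki's code), the following builds the Access-Request an 802.1X authenticator sends when a client first connects and verifies its Message-Authenticator the way the server does. The secret, NAS identifier and user name are constructed placeholders; the Primary IP Address and Port Number from AAA Configuration are what you would actually send the datagram to.

```python
"""Build and verify a RADIUS Access-Request that carries EAP, as an 802.1X
authenticator (the AP) sends it to Cloud RADIUS.

Added example, not SecureW2's or Meraki's code. The shared secret, NAS
identifier and user name are constructed placeholders; the Primary IP and Port
Number from AAA Configuration are what you would actually send to.
"""
import hashlib
import hmac
import os
import struct
from typing import List, Optional, Tuple

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_NAS_IDENTIFIER = 32
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80


def _attr(attr_type: int, value: bytes) -> bytes:
    """RADIUS attribute TLV: Type(1) Length(1, header included) Value."""
    if len(value) > 253:
        raise ValueError("attribute value exceeds 253 bytes; split it")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(secret: bytes, identifier: int, user_name: str,
                         nas_identifier: str,
                         request_authenticator: Optional[bytes] = None) -> bytes:
    """Access-Request wrapping an EAP-Response/Identity (RFC 2865, RFC 3579)."""
    if request_authenticator is None:
        request_authenticator = os.urandom(16)  # must be unpredictable per request
    identity = user_name.encode()
    # EAP: Code=2 (Response), Identifier, Length, Type=1 (Identity), identity
    eap = struct.pack("!BBHB", 2, identifier, 5 + len(identity), 1) + identity
    attrs = (_attr(ATTR_USER_NAME, identity)
             + _attr(ATTR_NAS_IDENTIFIER, nas_identifier.encode())
             + _attr(ATTR_EAP_MESSAGE, eap)
             + _attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16)))  # zero placeholder
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    packet = header + request_authenticator + attrs
    # Message-Authenticator = HMAC-MD5(secret, packet with the MA value zeroed);
    # it is the last attribute here, so the final 16 bytes are the placeholder
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac


def parse_attributes(packet: bytes) -> List[Tuple[int, bytes]]:
    """Return (type, value) pairs, rejecting length fields that lie."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the RADIUS header")
    length = struct.unpack("!H", packet[2:4])[0]
    if length != len(packet):
        raise ValueError("Length field does not match the datagram")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute length")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return attrs


def verify_message_authenticator(packet: bytes, secret: bytes,
                                 request_authenticator: Optional[bytes] = None) -> bool:
    """True only if the Message-Authenticator was computed with this secret.

    For an Access-Request pass nothing. For a response from the server pass the
    Request Authenticator of the matching request: RFC 3579 computes the
    response's HMAC with that value in the Authenticator field."""
    try:
        attrs = parse_attributes(packet)
    except ValueError:
        return False
    pos = 20
    for atype, value in attrs:
        if atype == ATTR_MESSAGE_AUTHENTICATOR and len(value) == 16:
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            if request_authenticator is not None:
                zeroed = zeroed[:4] + request_authenticator + zeroed[20:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(value, expected)
        pos += 2 + len(value)
    return False  # EAP over RADIUS requires the attribute; absence is a failure


if __name__ == "__main__":
    secret = b"constructed-shared-secret"  # the Shared Secret from AAA Configuration
    pkt = build_access_request(secret, 7, "alice@example.com", "meraki-ap-01")
    print(len(pkt), "bytes; right secret:", verify_message_authenticator(pkt, secret),
          "wrong secret:", verify_message_authenticator(pkt, b"wrong"))
```

To check reachability from a host on the same network path as the AP, send the datagram with a UDP socket to the Primary IP Address and Port Number and wait a few seconds. An Access-Challenge (the server starting EAP) or an Access-Reject both prove the server is reachable and the secret matches. No reply at all points at a firewall or NAT in the way, or at a secret mismatch: RFC 3579 requires a server to silently discard a request whose Message-Authenticator does not verify, so a wrong secret never produces an error you can see from the AP.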
Enrolling BYODs for Okta
SecureW2 automates the device onboarding process for end users with its 802.1X onboarding clients (see the section "How it Works"), eliminating the risk of user misconfiguration and the MITM credential theft that follows when a hand-configured client fails to validate the RADIUS server's certificate.
SecureW2 redirects users to the Okta single sign-on page, where they enter their credentials; SecureW2 then enrolls the device for a certificate and configures it for 802.1X.
Organizations no longer have to be tied up managing aging hardware such as on-premises Active Directory servers. A device is enrolled once and stays configured until its certificate expires or is revoked.
Enrolling Managed Devices for Okta
For managed devices, many organizations that use Okta also use Microsoft's MDM, Intune. SecureW2 integrates with Intune through its Gateway APIs: the gateway pushes policies and configuration settings to Intune-managed devices so they enroll for 802.1X certificates automatically, without IT admins touching each device. See the SecureW2 Intune integration guide for the details.
RADIUS Authentication with Okta and SecureW2
Using SecureW2, your organization can have a RADIUS-backed network fully functional in a matter of hours, with a support team ready to assist with any help you may need. SecureW2 works with all cloud-based SAML providers, which removes the headaches usually associated with integration, and offers solutions for organizations of all sizes; see the pricing page to find out whether SecureW2 can be of service.