Okta RADIUS Validation with Jamf-Enrolled Certificates

Introduction

SecureW2 provides Dynamic PKI services that enable seamless certificate enrollment and management through the use of integrations with Identity and Device management systems.

A key benefit of this interoperability is the ability to combine multiple sources of truth, to make sure the presence of a certificate means a user/device is truly trustworthy.

In this integration guide, we show how to issue certificates using an API integration with Jamf so that device trust can be validated, and how to also validate that the certificate belongs to a trusted user in Okta. This is achieved by including the user’s email address in the certificate templates, where it is used as the key identifier during authentication.

This will enable SecureW2’s Cloud RADIUS to validate users in Okta during network authentication, as well as to validate any other attribute you might want to check, like Group Membership. Based on this validation, Cloud RADIUS either grants or denies network access and assigns the appropriate VLAN to the user’s device.

Prerequisites

The following are the prerequisites for integrating SecureW2’s PKI and Cloud RADIUS services with Jamf and Okta, respectively, for certificate enrollment and RADIUS authentication:

  1. An active account in JoinNow with an Ultimate subscription.
  2. An active subscription in Okta with admin privileges.
  3. An active subscription in Jamf with admin privileges.

Integrating JoinNow with Jamf for Certificate Enrollment

Creating an Intermediate CA for SCEP Gateway Integration

As a best practice, SecureW2 recommends having a new intermediate CA for JoinNow SCEP Gateway integration with Jamf. The CA that issues certificates to BYOD devices should be separate from the CA that issues certificates to managed devices because managed devices do not require email notifications. You can disable email notifications for the dedicated CA issuing certificates to Jamf-managed devices.

To create a new intermediate CA:

  1. Log in to the JoinNow Management Portal.
  2. Navigate to Dynamic PKI > Certificate Authorities.
  3. Click Add Certificate Authority.
  4. In the Basic section, from the Generate CA For drop-down list, select the Device and User Authentication option to authenticate devices and users.
  5. From the Type drop-down list, select Intermediate CA.
  6. From the Certificate Authority drop-down list, select the default Root CA that comes with your organization.
  7. For the Common Name field, enter a name. Recommended name format for easy identification – “myOrgName jamf Intermediate CA”.
  8. From the Key Size drop-down list, select 2048 for the CA certificate key pair.
  9. From the Signature Algorithm drop-down list, select the signature algorithm for the certificate signing request. The option available is SHA-256.
  10. In the Validity Period field, enter the validity period for the Intermediate CA in terms of the number of years.
  11. In the Notifications section:

    1. From the Expiry Notification Frequency (in days) drop-down list, select the frequency interval for which a certificate expiration notification should be sent to users.
    2. Select the Notify user on the successful Enrollment checkbox to notify users after a successful enrollment.
    3. If the RFC has a valid email address, the user will receive the certificate-issued or expired notification; otherwise, they will not receive the notification.
  12. In the Revocation section:

    1. In the Revoke Certificate if unused for field, select the number of days after which an unused certificate can be revoked.

      • Since last usage – Select this checkbox to revoke the certificate after a specified number of days if it remains unused.
      • Since certificate issuance – Select this checkbox to revoke the certificate after a specified number of days after it is issued.
    2. From the Reason Code drop-down list, select any one of the following reasons for which the certificate is revoked.

      • Certificate Hold
      • AA Compromise
      • Privilege Withdrawn
      • Unspecified
  13. Click Save. This generates the new intermediate CA.

Creating a Certificate Template for Jamf

A certificate template is a blueprint for attributes that must be encoded on a certificate and the certificate’s intended use case.

To create a Jamf Certificate Template:

  1. Navigate to Dynamic PKI > Certificate Authorities.
  2. Scroll to the Certificate Templates section and click Add Certificate Template.
  3. In the Basic section, enter the name of the certificate template in the Name field.
  4. In the Subject field, enter CN=${/device/clientId:/csr/subject/commonname}. This fetches the common name configured in Jamf.
  5. In the Display Description field, enter a suitable description for the certificate template.
  6. In the Validity Period field, type the validity period of the certificate (based on the requirement).
  7. In the Override Validity Period field, choose a specific date to bypass the validity period.
  8. From the Signature Algorithm drop-down list, select SHA-256 as the signature algorithm for the certificate signing request.
  9. In the SAN section:

    • In the Other Name field, enter ${/device/userDescription:/csr/san/othername}
    • In the RFC822 field, enter ${/device/userDescription:/csr/san/rfc822name}
    • In the DNS field, enter ${/device/buildModel:/csr/san/dnsname}
  10. In the Extended Key Usage section, from the Use Certificate For list, select Client Authentication.
  11. Click Save.

Creating a Signing Certificate for Jamf

Jamf requires a signing certificate to sign custom configuration profiles and packages. These profiles are then automatically trusted when installed on managed devices.

The signing certificate can be created from the JoinNow Management Portal using the Create Certificate option.

To create a Jamf signing certificate:

  1. Navigate to Dynamic PKI > Create Certificate.
  2. In the Device Info section, from the Operating System drop-down list, select an operating system.
  3. For User Description, enter a suitable description.
  4. For MAC Address, enter a unique MAC address.
  5. In the Certificate Signing Request section, select the Generate Keypair and CSR option to generate a keypair and CSR file, and create client certificates.
  6. From the Algorithm drop-down list, select RSA.
  7. From the Key Size drop-down list, select 2048.
  8. In the Subject field, enter the common name. The recommended name format for the certificate is “Jamf Signing Certificate”, which helps in easy identification of the CA.
  9. In the Other Name field, enter the same value as in the Subject field. Ignore the other fields.
  10. In the Certificate Issuance Policy section, from the Certificate Authority drop-down list, select the intermediate CA created earlier for issuing certificates to clients using SCEP (refer to the Creating an Intermediate CA for SCEP Gateway Integration section).
  11. From the Use Certificate Template drop-down list, select the certificate template created in Creating a Certificate Template for Jamf.
  12. Select the Include Entire Certificate Chain checkbox. This is mandatory.
  13. In the Distribution section, for the Format field, select PKCS12.
  14. In the Receive via field, select Download.
  15. Click the Create button, and a Password for private key pop-up window opens. Enter the password for the certificate file and click Submit.

 

Creating a Device Management Platform

The SCEP URL is the endpoint through which managed devices connect to the SCEP server and enroll for certificates. The secret is also passed to Jamf’s external CA to authenticate these certificate requests.

A SCEP URL and secret can be generated by creating a Device Management Platform in the JoinNow Management Portal.

Additionally, the tokens created for SCEP Enrollment can be used in Policy Management to assign a user/device role based on the token in the incoming request.

To create a Device Management Platform, perform the following steps:

  1. Navigate to Integrations Hub > Device Management Platforms.
  2. Click Add.
  3. In the Basic section, enter the name of the device management platform in the Name field.
  4. In the Description field, enter the description for the device management platform.
  5. From the Type drop-down list, select SCEP Enrollment Token.
  6. From the Vendor drop-down list, select JAMF.
  7. From the Certificate Authority drop-down list, select the Intermediate CA created in the Creating an Intermediate CA for SCEP Gateway Integration section. If you do not select a CA, by default, the organization CA is chosen.
  8. From the Challenge Type drop-down list, select the Static option.
  9. Click Save. A .csv file containing the API secret and Enrollment URL is downloaded, and the Enrollment URL is displayed on the screen.

    NOTE: Save this file securely. It is downloaded only once during token creation. If you lose it, you cannot retrieve the secret.

  10. The page refreshes, and the Attribute Mapping tab is displayed.
  11. Click the Attribute Mapping tab to configure the required attributes for SCEP and click Update.

    NOTE: You can also refer to the steps in Device Management Platform (SCEP Enrollment Token) in the JoinNow MultiOS and Connector Configuration Guide, which is available in the Management Portal.

Policy Management

This section describes the configuration process for different policies concerning certificate enrollment and network access. Through Policy Management, diverse rules can be set for each policy, which helps in selecting the correct certificate template for issuing the appropriate certificate to users. Likewise, Network Policy allows for the configuration of various rules to be applied based on user and device roles during network authentication.

When these rules align with the configured attributes during network authentication, suitable network attributes can be applied to the devices.

Creating a Policy Workflow

To configure a Policy Workflow:

  1. Navigate to Policy Management > Policy Workflows.
  2. Click Add Policy Workflow.
  3. In the Basic section, enter the name of the Policy Workflow in the Name field.
  4. In the Display Description field, enter a suitable description for the policy workflow.
  5. Click Save.
  6. The page refreshes, and the Conditions tab is displayed.
  7. Click the Conditions tab.
  8. From the Core Provider drop-down list, select the Device Management Platform you created earlier.
  9. Click Update.

Creating an Enrollment Policy

To add an Enrollment Policy, perform the following steps:

  1. Navigate to Policy Management > Enrollment.
  2. Click Add Enrollment Policy.
  3. In the Basic section, enter the name of the enrollment policy in the Name field.
  4. In the Display Description field, enter a suitable description for the enrollment policy.
  5. Click Save.
  6. The page refreshes, and the Conditions and Settings tabs are displayed.
  7. Click the Conditions tab.
  8. In the Conditions section, from the Role list, select the role policy you created in the Creating a Policy Workflow section.
  9. From the Device Role list, select DEFAULT DEVICE ROLE POLICY.
  10. Select the Settings tab.
  11. In the Settings section, from the Use Certificate Authority drop-down list, select the intermediate CA you created earlier (see the Creating an Intermediate CA for SCEP Gateway Integration section).
  12. From the Use Certificate Template drop-down list, select the template you created earlier (see the Creating a Certificate Template for Jamf section).
  13. In the other settings, retain the default values.
  14. Click Update.

Setting up Certificate Enrollment via SCEP on Jamf

In order to configure a Jamf Profile for the Simple Certificate Enrollment Protocol (SCEP), we need to configure our CA in our Global Management settings.

  1. Log in to the Jamf Pro console.
  2. Navigate to Settings > Global.
  3. Click PKI certificates.
  4. Select the Management Certificate Template tab, select External CA, and click Edit.
  5. Select the Enable Jamf Pro as SCEP Proxy for configuration profiles checkbox.
  6. In the URL field, enter the new SCEP URL you saved in the CSV file.

    NOTE: You can also refer to the steps in Configuring API Tokens (SCEP Enrollment Token) in the JoinNow MultiOS and Connector Configuration Guide available in the Management Portal.
  7. In the Name field, enter the name of the certificate issuing CA created in the JoinNow Management portal.
  8. In the Subject field, enter “CN=$EMAIL”.
  9. From the Subject Alternative Name Type drop-down list, select None.
  10. From the Challenge Type drop-down list, select Static.
  11. In the Challenge and Verify Challenge fields, enter the Secret from the CSV file you downloaded in the Creating a Device Management Platform section.
  12. From the Key Size drop-down list, select 2048. SecureW2 does not recommend selecting 1024.
  13. Click Save.
  14. Under the Signing Certificate section, click Change Signing and CA Certificates to upload the signing certificate you created in Creating a Signing Certificate for Jamf.
  15. Click Next.
  16. On the Enter Password step, enter the password you entered in the Password for private key prompt in the Creating a Signing Certificate for Jamf section when you created the certificate.
  17. Click Next.
  18. On the Choose Certificate step, verify that the correct CA certificate is selected from the Choose Certificate drop-down list and that the correct certificate chain is displayed.
  19. Click Next.
  20. On the Upload CA Certificate step, click Next to skip the upload. The CA certificate is already present in PKCS12.
  21. On the Complete step, click Done.

Configuration Profiles in Jamf Portal

Configuration profiles are XML files that are pushed to end-user devices along with certificates. These configuration files help Jamf MDM effectively manage mobile devices, computers, and users.

This section explains how to set up Jamf configuration profiles for iOS and macOS.

Setting up Jamf Configuration Profiles

For iOS

To set up a Jamf configuration profile for iOS, perform the following steps:

  1. From your Jamf Pro console, go to Devices > Configuration Profiles.
  2. Click + New.

    NOTE: To update an existing configuration profile, click Edit for the profile.
  3. Select Options > General.
  4. In the Name field, enter a name that can reflect the profile for the specific OS.
  5. In the Description field, enter a descriptive text explaining the purpose of this configuration.
  6. From the Distribution Method drop-down list, select Install Automatically or Make Available in Self-Service.

For macOS

To set up a Jamf configuration profile for macOS:

  1. From your Jamf Pro console, go to Computers > Configuration Profiles.
  2. Click New.

    NOTE: To update an existing configuration profile, click Edit for the profile.
  3. Select Options > General.
  4. In the Name field, enter a name for the OS profile. E.g. MacOS_Office.
  5. In the Description field, enter a description for the configuration profile.
  6. From the Level drop-down list, select Computer Level.
  7. From the Distribution Method drop-down list, select Install Automatically or Make Available in Self Service.

Setting up Jamf as SCEP Proxy for Configuration Profiles

Jamf can deploy configuration profiles that install certificates for users to access wireless networks. By setting up Jamf as the SCEP proxy in the configuration profile, Jamf communicates with the SCEP server to download and install the certificate directly on macOS or iOS devices.

This section explains how to set up Jamf as SCEP proxy for the iOS and macOS configuration profiles.

To set up Jamf as a SCEP proxy, perform the following steps:

  1. From your Jamf Pro console, go to Options > SCEP. The steps are similar for both the iOS and macOS configuration profiles.
  2. Click Configure.
  3. Select the Use the External Certificate Authority settings to enable Jamf Pro as SCEP proxy for this configuration profile checkbox.
  4. In the Name field, enter the common name of the intermediate CA that will issue the certificate for the client. The common name can be found in the JoinNow Management Portal.
  5. From the Redistribute Profile drop-down list, select the desired number of days.
  6. In the Subject field, enter a value to help administrators identify the device. You can make this a static value if you wish.

    Examples:
  7. From the Subject Alternative Name Type drop-down list, select the RFC 822 Name option.
  8. In the Subject Alternative Name Value field, use the appropriate variables as required. The recommended attributes are:
    • $UDID
    • $SERIALNUMBER
    • $DEVICENAME
  9. Click Save.
  10. Navigate to the Scope section and update the scope for the devices to which the configuration profile will be pushed.

NOTE: If you want to change the Jamf SCEP proxy settings under Settings > Global > PKI Certificates > Management Certificate Template > External CA, first clear the Use the External Certificate Authority settings to enable Jamf Pro as SCEP proxy for this configuration profile checkbox. If you proceed without disabling it, the change affects the corresponding profile that uses Jamf as a SCEP proxy.

Setting up the Certificate Payload for RADIUS Connections

This section explains how to set up the certificate payload to validate your RADIUS server. If your RADIUS server certificate also has one or more intermediate CA certificates as part of the certificate chain, you can add those certificates (Root and Intermediate) to this payload.

NOTE: Do not upload the actual RADIUS server certificate here.

This section explains how to set up a Certificate Payload for RADIUS Connections. It applies to both iOS and macOS configuration profiles.

To set up a certificate payload, perform the following steps:

  1. From your Jamf Pro console, go to Devices > Configuration Profiles. Steps 2 to 10 are similar for both the iOS and macOS configuration profiles.
  2. Click Edit for the configuration profile you want to configure.
  3. Select Options > Certificate.
  4. Click Configure.
  5. In the Certificate Name field, enter the name of the added certificate. This will be the Common Name (Issued To).
  6. From the Select Certificate Option drop-down list, select Upload.
  7. Click Upload Certificate.
  8. On the Certificate pop-up window, click Choose File and upload the issuing Root CA from the JoinNow Management portal under PKI > Certificate Authorities.
  9. Click Upload.
  10. After uploading the certificate, click Save.

    NOTE: If the setup has more than one RADIUS server for validation, you can add more than one Common Name with the same certificate payload configuration.

Setting up the Wi-Fi Payload

The Wi-Fi profile/payload helps in configuring the device to connect to the preferred secure network. Jamf includes built-in Wi-Fi settings that the admin can configure and deploy to the devices in your organization. This Wi-Fi profile can be assigned based on different Device users and Device groups.

This section explains how to set up Wi-Fi Payload for iOS and macOS devices.

To set up the Wi-Fi Payload for iOS, perform the following steps:

  1. From your Jamf Pro console, go to Devices > Configuration Profiles. For macOS devices, navigate to Computers > Configuration Profiles > Edit > Options > Network. Steps 4 to 16 are similar for both the iOS and macOS configuration profiles.
  2. Click Edit for the configuration profile you want to configure.
  3. Select Options > Wi-Fi.
  4. Click Configure.
  5. In the Service Set Identifier (SSID) field, enter the name of the secure network.
  6. Select other applicable settings as per the organization’s requirements.
  7. From the Security Type drop-down list, select WPA2 Enterprise (iOS 8 or later except Apple TV).
  8. Under the Network Security Settings section, select the Protocols tab.
  9. In the Accepted EAP Types section, select the TLS checkbox.
  10. Click the Trust tab.
  11. In the Trusted Certificates section, select the checkbox for the certificate you uploaded.

    NOTE: Along with validating a RADIUS server by certificates, specify the RADIUS server certificate names for validation as an additional security measure. This is available in the Wi-Fi payload when the uploaded certificate is enabled.
  12. In the CERTIFICATE COMMON NAME section, click + Add.
  13. In the field that appears, enter the name of the RADIUS server used for validation, and then click Save.
  14. Navigate back to the Protocols tab.
  15. From the Identity Certificate drop-down list, select the CA from the SCEP payload.
  16. Click Save to save the Wi-Fi payload.

When a device successfully enrolls, the Configuration Profiles table shows an increased value for Completed.
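
The following added example (not part of the SecureW2 or Jamf documentation) audits an unsigned copy of a configuration profile for the server-validation settings configured in the steps above: EAP-TLS only, a trusted CA certificate, a RADIUS server certificate name, and an identity certificate taken from the SCEP payload. It assumes Apple's standard payload keys; the SSID, UUIDs and server name are constructed sample values.

```python
import plistlib

EAP_TLS = 13  # EAP method type number for EAP-TLS
CERT_TYPES = {"com.apple.security.root", "com.apple.security.pkcs1"}


def build_profile(eap_config):
    """Return a constructed, unsigned profile (bytes) with CA, SCEP and Wi-Fi payloads."""
    return plistlib.dumps({
        "PayloadType": "Configuration",
        "PayloadContent": [
            {"PayloadType": "com.apple.security.root", "PayloadUUID": "CA-0001",
             "PayloadContent": b"constructed placeholder, not a real certificate"},
            {"PayloadType": "com.apple.security.scep", "PayloadUUID": "SCEP-0001"},
            {"PayloadType": "com.apple.wifi.managed", "PayloadUUID": "WIFI-0001",
             "SSID_STR": "Corp-Secure", "EncryptionType": "WPA2",
             "PayloadCertificateUUID": "SCEP-0001",
             "EAPClientConfiguration": eap_config},
        ],
    })


# Constructed EAP settings: one as the guide configures them, one weakened.
GOOD_EAP = {"AcceptEAPTypes": [EAP_TLS],
            "PayloadCertificateAnchorUUID": ["CA-0001"],
            "TLSTrustedServerNames": ["radius.example.com"]}
WEAK_EAP = {"AcceptEAPTypes": [EAP_TLS, 25]}  # PEAP also accepted, no server validation


def audit_wifi_profile(data):
    """Return a list of findings for every Wi-Fi payload in the profile."""
    payloads = plistlib.loads(data).get("PayloadContent", [])
    type_of = {p.get("PayloadUUID"): p.get("PayloadType") for p in payloads}
    wifi_payloads = [p for p in payloads if p.get("PayloadType") == "com.apple.wifi.managed"]
    if not wifi_payloads:
        return ["profile contains no Wi-Fi payload"]

    findings = []
    for wifi in wifi_payloads:
        ssid = wifi.get("SSID_STR", "<no SSID>")
        eap = wifi.get("EAPClientConfiguration", {})
        accepted = eap.get("AcceptEAPTypes", [])

        if wifi.get("EncryptionType") not in ("WPA2", "WPA3"):
            findings.append(f"{ssid}: security type is {wifi.get('EncryptionType')!r}")
        if EAP_TLS not in accepted:
            findings.append(f"{ssid}: EAP-TLS is not an accepted EAP type")
        extra = sorted(set(accepted) - {EAP_TLS})
        if extra:
            findings.append(f"{ssid}: non-TLS EAP types accepted: {extra}")

        # Trust tab: the uploaded CA certificate must be selected ...
        anchors = eap.get("PayloadCertificateAnchorUUID", [])
        if not anchors or any(type_of.get(u) not in CERT_TYPES for u in anchors):
            findings.append(f"{ssid}: no trusted CA certificate payload selected")
        # ... and the RADIUS server certificate name should be pinned as well.
        if not eap.get("TLSTrustedServerNames"):
            findings.append(f"{ssid}: no RADIUS server certificate name configured")

        # Protocols tab: the identity certificate comes from the SCEP payload.
        if type_of.get(wifi.get("PayloadCertificateUUID")) != "com.apple.security.scep":
            findings.append(f"{ssid}: identity certificate does not come from the SCEP payload")
    return findings


if __name__ == "__main__":
    for label, eap in (("as configured", GOOD_EAP), ("weakened", WEAK_EAP)):
        print(label, audit_wifi_profile(build_profile(eap)))
```

A signed profile is a CMS envelope rather than plain XML, so it must be unwrapped before this check can read it.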

Integrating JoinNow with Okta for RADIUS Authentication

The following are the high-level configurations required for setting up RADIUS Authentication in JoinNow via Okta:

Creating an API Token in Okta

Cloud RADIUS talks directly with Okta (no LDAP required) using an API. To create an API Token, perform the following steps:

  1. Log in to the Okta Portal.
  2. On the left pane, from the Security menu, select API.
  3. Select the Tokens tab and on the displayed screen, click the Create token button.
  4. In the Create token dialog box, enter a name for the token.
  5. From the API calls made with this token must originate from drop-down list, select the required API source(s).
  6. Click Create token.
  7. On the displayed screen, copy the token value to your console.

    NOTE: Ensure that you save the token value on your console.

Integrating Okta with SecureW2’s CloudRADIUS

After we’ve created the API Token in Okta, we can configure the policies in the JoinNow Management Portal. These policies validate the certificate each time a Wi-Fi connection request is made, along with the user’s account status in Okta. This ensures that network access is dynamically authorized based on the user’s real-time status in Okta.

Creating a Core Platform

To create a Core Platform, perform the following steps:

  1. Navigate to Integrations Hub > Core Platforms.
  2. Click Add.
  3. In the Basic section, enter the name of the core provider in the Name field.
  4. In the Description field, enter a suitable description for the core provider.
  5. From the Type drop-down list, select Okta Identity Lookup.
  6. Click Save.
  7. The page refreshes and displays the Configuration, Attribute Mapping, and Groups tabs.
  8. Click the Configuration tab.
  9. Under the Configuration section, Okta has two types of configurations available:
    1. Auto – Uses an API token to automatically configure lookup with the Okta portal. Generating an API Token needs Super Admin privileges in the Okta Portal. For Auto Configuration:
      1. In the Provider URL field, enter your Okta organization URL. For example, https://dev-123456.okta.com/.

        NOTE: Do not use “admin” in the organization URL, as lookup fails.

      2. In the API Token field, enter the token you obtained from the Okta portal (see the Creating an API Token section).
      3. Click Validate to check the connection with Okta.
      4. Click Update.
    2. For Manual Configuration:
      1. Click on the Manual radio button.
      2. In the Provider URL field, enter the Provider URL of your Okta account. For example, https://dev-123456.okta.com/.
      3. In the Client ID field, enter the client ID obtained from creating a lookup application in Okta.
      4. For the JWKS Key Pair field, click Choose File. Upload the Key Pair file saved from Okta.
      5. Click Update.

NOTE: If the Signal Source is deleted in the JoinNow Management Portal, the SAML app in the Okta portal is also deleted. The API Token must be deleted manually.

Configuring Attributes

To add a custom attribute to the Identity Lookup Provider, follow the steps below.

  1. Navigate to Integrations Hub > Core Platforms.
  2. Click the Edit link on the Core Provider created earlier (refer to the Creating a Core Platform section).
  3. Click the Attribute Mapping tab.
  4. From the Attribute Type drop-down, select the category to display the recommended attributes. The following are the attribute types offered by JoinNow for Okta Lookup:
    1. User
    2. Custom
  5. Click Update after selecting the required attributes.

Configuring Groups

Here is where we will map the group attributes we want to use in our network policies.

  1. Navigate to Integrations Hub > Core Platforms.
  2. Click the Edit link on the Signal Source created earlier (refer to the Creating a Core Platform section).
  3. Navigate to the Groups tab.
  4. Click Add.
    1. In the Local Group field, enter a name for the group. This group name can be used to configure network policies.
    2. In the Remote Group field, enter the name of your group as it is configured in the Okta portal.
    3. Click Create.

      NOTE: Repeat the process as required for the groups you wish to create network policies around.

Configuring Policies

The following policies need to be configured:

Configuring a Security Signal Source

Lookup Policies tie our new Signal Source to domains. Here, we will create a condition that ties our domain to the new Signal Source we created in the previous section (see the Creating a Core Platform section).

  1. Navigate to Policy Management > Security Signal Sources.
  2. Click Add Security Signal Source.
  3. In the Basic section, enter the name of the Security Signal Sources in the Name field.
  4. In the Display Description field, enter a suitable description for the Security Signal Sources.
  5. In the Lookup Purpose field, select the RADIUS Authentication checkbox to add the policy to the RADIUS Authentication workflow.
  6. Click Save.
  7. The page refreshes and displays the Conditions and Settings tabs.
  8. Select the Conditions tab.
  9. Under the Conditions section, from the Provider drop-down list, select the management platform created in JoinNow in the Creating a Device Management Platform section.
  10. From the Identity drop-down list, select Subject-CommonName under Certificate.
  11. Configure Regex to match the values of your devices configured in the Identity field.
  12. Click Update.
  13. Select the Settings tab.
  14. Under the Settings section, from the Provider drop-down list, select the Signal Source created in the previous section (see the Creating a Core Platform section).
  15. From the Lookup Type drop-down list, select User. From the Identity drop-down list, select Subject-CommonName under Certificate.
  16. If necessary, select the Revoke On Failure checkbox to automatically revoke a certificate if an account lookup fails.
  17. Click the Validate Configuration button to check if the lookup is valid.
  18. On the Validate Configuration pop-up window, in the Enter a valid identity field, enter the identity (user/device) to validate the lookup, and click Validate.
  19. After the successful validation, the associated attributes and groups of the Signal Source are displayed on the Lookup Details prompt. The admin can use this information to configure the network policies and verify the user’s validity.

    NOTE: When the Admin enters an invalid identity on the Validate Configuration pop-up window, the following error message is displayed: “Account lookup failed.”

  20. Click Update.

Configuring Policy Workflow

Policy workflows will be used by the Cloud RADIUS Dynamic Policy Engine to look up user status at the moment of authentication. Then, Cloud RADIUS can dynamically apply Network policies, which you will configure next.

  1. Navigate to Policy Management > Policy Workflows.
  2. Click Add Policy Workflows.
  3. In the Name field, enter the name of the Policy Workflow.
  4. In the Display Description field, enter a suitable description for the Policy Workflow.

    NOTE: Ensure that you create a separate Policy Workflow for authentication.

  5. Click Save.
  6. The page refreshes and displays the Conditions tab.
  7. Select the Conditions tab.
  8. From the Core Provider drop-down list, select the Okta Identity Lookup Provider created in the previous section (see the Creating a Core Platform section).
  9. Click Update.

Configuring Network Policy

A Network Policy specifies how Cloud RADIUS will authorize access to a particular Policy Workflow.

A typical Network Policy would say something like the following: “If User Role = Staff, authorize access and assign them to VLAN 2.”

You can configure any RADIUS Attribute to be sent to the wireless controller. If you leave the attribute section blank, it will just send an Access Accept message.

To create and configure the Network Policy, follow the steps below:

  1. Navigate to Policy Management > Network.
  2. On the Network page, click Add Network Policy.
  3. In the Basic section, in the Name field, enter the name of the network policy.
  4. In the Display Description field, enter a suitable description for the network policy.
  5. Click Save.
  6. The page refreshes and displays the Conditions and Settings tabs.
  7. Select the Conditions tab.
  8. Select Match All or Match Any based on your requirements to set authentication criteria. In the case explained here, we are selecting Match All.
  9. Click Add rule.
  10. Expand Device and select the Device Role option.
  11. Expand Identity and select the Role option.
  12. Click Save.
  13. The Device Role and Role options appear under the Conditions tab.
  14. From the Device Role drop-down list, select the default device role policy.
  15. From the Role Equals drop-down list, select the Policy Workflow you created earlier (refer to the Configuring Policy Workflow section). You can select multiple Policy Workflows to assign to a Network Policy.

    NOTE: You can assign a network policy to multiple user roles.
  16. Select the Settings tab.
  17. Click Add Attribute.
    1. From the Dictionary drop-down list, select an option: Radius: IETF or Custom.
    2. From the Attribute drop-down list, select an option.
    3. In the Value field, enter the appropriate value for the attribute.
    4. Click Save.
  18. Click Update.

NOTE: Repeat the process for all the attributes you want to send to the Policy Workflow.
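
The decision flow configured in the Security Signal Source, Groups and Network Policy sections can be traced with a small model. This is an added example, not SecureW2's implementation: the directory, group names and domain are constructed, the role is taken directly from the mapped local group, and treating "user not found" as the lookup failure that triggers Revoke On Failure is an assumption.

```python
import re
from dataclasses import dataclass, field

# Constructed stand-in for the Okta directory. "status" uses Okta user status
# values; the users and group names are made up.
OKTA_USERS = {
    "alice@example.com": {"status": "ACTIVE", "groups": ["Okta-Staff"]},
    "bob@example.com": {"status": "SUSPENDED", "groups": ["Okta-Staff"]},
    "carol@example.com": {"status": "ACTIVE", "groups": ["Okta-Contractors"]},
}
GROUP_MAP = {"Okta-Staff": "Staff"}  # Remote Group -> Local Group

# Identity condition on Subject-CommonName. It is applied with fullmatch() so the
# whole CN must be an address in the domain; whether the portal anchors patterns
# itself is not stated on the page, so the model anchors explicitly.
IDENTITY_REGEX = re.compile(r"[A-Za-z0-9._%+-]+@example\.com")

# "If User Role = Staff, authorize access and assign them to VLAN 2", expressed
# with the IETF tunnel attributes used for VLAN assignment.
NETWORK_POLICIES = [{
    "name": "Staff to VLAN 2",
    "match": "all",  # Match All; use "any" for Match Any
    "rules": {"device_role": "DEFAULT DEVICE ROLE POLICY", "role": "Staff"},
    "attributes": {"Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "IEEE-802",
                   "Tunnel-Private-Group-ID": "2"},
}]


@dataclass
class Decision:
    reply: str
    reason: str
    attributes: dict = field(default_factory=dict)
    revoke_certificate: bool = False


def policy_matches(policy, facts):
    hits = [expected in facts[key] for key, expected in policy["rules"].items()]
    return all(hits) if policy["match"] == "all" else any(hits)


def authenticate(cert_cn, device_role="DEFAULT DEVICE ROLE POLICY", revoke_on_failure=True):
    """Model one authentication: CN condition, Okta lookup, then network policy."""
    if not IDENTITY_REGEX.fullmatch(cert_cn):
        return Decision("Access-Reject", "identity does not match the lookup condition")

    user = OKTA_USERS.get(cert_cn.lower())
    if user is None:  # assumption: this is the "account lookup failed" case
        return Decision("Access-Reject", "account lookup failed",
                        revoke_certificate=revoke_on_failure)
    if user["status"] != "ACTIVE":
        return Decision("Access-Reject", f"Okta status is {user['status']}")

    # Only groups mapped in the Groups tab are visible to network policies.
    roles = {GROUP_MAP[g] for g in user["groups"] if g in GROUP_MAP}
    facts = {"device_role": {device_role}, "role": roles}
    for policy in NETWORK_POLICIES:
        if policy_matches(policy, facts):
            return Decision("Access-Accept", policy["name"], dict(policy["attributes"]))
    return Decision("Access-Reject", "no network policy matched")


if __name__ == "__main__":
    for cn in ("alice@example.com", "bob@example.com", "carol@example.com",
               "mallory@example.com", "alice@example.com.lookalike.test"):
        print(cn, authenticate(cn))
```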