Want to learn the best practice for configuring Chromebooks with 802.1X authentication?

Sign up for a Webinar!

How To Configure WPA2-Enterprise With Okta

Introduction

Historically, security had to be a trade off with user experience. The iron clad security of certificate-based authentication was often dismissed as more work than it was worth. Today, technology has advanced to the point where certificate-based Wi-Fi authentication is not only more secure than credential-based authentication, but it’s also a significantly better user experience.

In this guide we will show you how to integrate your Okta Identity Provider with SecureW2’s Turnkey PKI and 802.1x Onboarding solution. In less than an hour, your network will be set up with EAP-TLS (802.1x Certificate Authentication), and all end users will have to do is enter their Okta credentials in our dissolvable clients. Then, the software will enroll their device for a certificate and configure it for EAP-TLS WPA2-Enterprise authentication (shown below).

Integration Process Overview

  1. Add an Identity Provider in SecureW2’s Management Portal
    • The Identity Provider will give you context that tells the Cloud Connector system how to connect to the Okta user database, verify users, and issue certificates.
  2. Create a SAML Application in Okta to connect SecureW2 certificate issuance services with the IDP
    • When users enter their Okta credentials during the certificate enrollment process, the IDP verifies the user and sends user attributes to SecureW2 via SAML application. Once the attributes have been sent to SecureW2, the user can be issued a customized certificate tied to their identity and their device’s identity.
  3. Configure Attribute Mapping and Upload Okta Metadata
    • Administration can customize the attribute mapping to segment network users into groups. For example, a university would want separate user groups for students and professors, so they configure the attributes to automatically sort users into either of these groups. After mapping attributes, the Okta metadata is uploaded to segment the network.
  4. Update Policy Engine Workflows and Enrollment Policies
    • With users organized into user groups via Policy Engine Workflows, you can begin to customize policies that dictate the type of certificates that can be enrolled into the devices of these users/groups.
  5. Configure SecureW2’s Cloud RADIUS with your Access Points / Wireless Controller
    • With users organized into user groups via Policy Engine Workflows, you can dictate the network user experience by configuring Network Policies. Administrators can define the level of internet and network group access appropriate for each user group. Cloud RADIUS comes pre-built for certificate authentications. CloudRADIUS configuration shares a couple of IPs and a shared secret for your WiFi Controllers to reach out to for authentication.

Prerequisites

The following prerequisites are required to set up SAML authentication in Okta:

  • Active subscription with SecureW2 Cloud Connector.
  • Active subscription to the Okta portal to create SAML apps and user groups.

Creating an Identity Provider in the JoinNow Management Portal

An identity provider (IDP) is the system that proves the identity of a user/device. Adding an IDP in the JoinNow Management Portal tells the Cloud Connector system how to connect to your Okta to verify user credentials for certificate issuance.

To add an IDP in SecureW2:

  1. Log in to the JoinNow Management Portal.
  2. Navigate to Identity Management > Identity Providers.
  3. Click Add Identity Provider.
  4. Under the Basic section, in the Name field, enter the name of the IDP.
  5. In the Description field, enter a suitable description for the IDP.
  6. From the Type drop-down list, select SAML.
  7. From the SAML Vendor drop-down list, select OKTA.
  8. Click Save.
  9. The page refreshes and displays the Configuration, Attribute Mapping, and Groups tabs.
  10. Select the Configuration tab.
  11. Under the Service Provider (SP) Info section, copy the Entity ID and ACS URL values to your clipboard.

Creating a SAML Application in Okta

The SAML application is a crucial connection between your IDP and SecureW2. The SAML application allows a user to enter their Okta credentials, which are then passed to their IDP for verification. The IDP verifies the user’s identity and then sends attributes to the SAML application, which then passes the attributes to SecureW2 for certificate issuance.

To create a SAML application in Okta:

  1. Log in to the Okta portal.
  2. Navigate to Applications > Applications.
  3. Click Create App Integration.
  4. In the Create a new app integration pop-up window, select SAML 2.0 as the sign-in method.
  5. Click Next.
  6. Under the General Settings tab, in the App name field, enter a unique name for the application.
  7. Click Next.
  8. Under the Configure SAML tab, in the SAML Settings section, copy the ACS URL value from the JoinNow Management Portal and paste the value in the Single sign-on URL field (refer to the Creating an Identity Provider in the JoinNow Management Portal section, step 11).
  9. Copy the Entity ID value from the JoinNow Management Portal and paste the value in the Audience URI (SP Entity ID) field (refer to the Creating an Identity Provider in the JoinNow Management Portal section, step 11).
  10. Scroll down to the bottom of the page and click Next.
  11. Enter the optional details on the Feedback page and click Finish.

Configuring Attribute Mapping in the JoinNow Management Portal

Attribute mapping defines the attributes provided by your IDP, which are used to segregate users and their roles. Once your IDP identifies a user, it sends the attributes to your SAML application, which then sends them to the JoinNow Management Portal.

To map attributes in the JoinNow Management Portal, we first need to create attributes in the Okta portal. These remote attributes are then passed to the JoinNow Management Portal, which is mapped to the Local attributes and can be used in the Certificate Template creation.

To map attributes in the SAML provider, perform the following steps:

  1. Log in to the Okta portal.
  2. Navigate to Applications > Applications.
  3. On the Applications page, open the newly created app integration and then click the General tab.
  4. Under the General tab, scroll down to the SAML Settings section and click the Edit link.
  5. Click Next.
  6. Under the Configure SAML tab, scroll down to the Attribute Statements (optional) section and enter the following attributes in the fields:
    NameValue
    emailuser.email
    firstnameuser.firstname
    lastnameuser.lastname

  7. Scroll down to the Preview the SAML assertion generated from the information above section and click the Preview the SAML Assertion button. The IdP metadata is displayed in a new tab.
  8. Copy the entire content, paste it into a text editor, and then save the metadata as a .xml file on your computer. You can use this metadata to integrate the JoinNow Management Portal with Okta.
  9. To configure the JoinNow Management Portal for attribute mapping:
    1. Navigate to Identity Management > Identity Providers and click the Edit link of the IDP you created earlier (refer to the Creating an Identity Provider in the JoinNow Management Portal section).
    2. Select the Attribute Mapping tab and then click Add.
    3. In the Local Attribute field, enter email as the name of the variable.
    4. From the Remote Attribute drop-down list, select Email.
    5. Click Next.
    6. Click Add.
    7. In the Local Attribute field, enter upn as the name of the variable.

      NOTE: User Principal Name (upn) is the first thing authenticated against the RADIUS server. This is useful when a user connects to your network and wants to use the eduroam because then it can find the name of the university in the email address.

    8. From the Remote Attribute drop-down list, select User Defined. Enter Email in the field that appears next to the Remote Attribute field.
    9. Click Next.
    10. Click Add.
    11. In the Local Attribute field, enter displayName as the variable’s name.
    12. From the Remote Attribute drop-down list, select User Defined. Enter FirstName in the field that appears next to the Remote Attribute field.
    13. Click Next.
    14. Click Update.

Configuring the IDP with Okta Metadata

To upload the Okta metadata to the JoinNow Management Portal:

  1. Log in to the JoinNow Management Portal.
  2. Navigate to Identity Management > Identity Providers.
  3. On the Identity Providers page, click the Edit link for the IDP you created earlier (refer to the Creating an Identity Provider in the JoinNow Management Portal section).
  4. Select the Configuration tab.
  5. Under the Identity Provider (IDP) Info section, in the Metadata field, click the Choose file button to upload the metadata file obtained from Okta (refer to the Configuring Attribute Mapping in the JoinNow Management Portal section, step 8).
  6. Click Upload and then click Update.

Adding Users to the SAML Application

To assign a user to the application:

  1. Log in to the Okta portal.
  2. Navigate to Applications > Applications and then select the newly created app (refer to the Creating a SAML Application in Okta section).
    1. Under the Assignments tab, from the Assign drop-down menu, click Assign to People.
    2. On the pop-up window, click Assign for the corresponding users.

Configuring Group Mapping in the JoinNow Management Portal

  1. To create a group in the Okta portal:
    1. Log in to the Okta portal.
    2. Navigate to Directory > Groups and click Add group to create a group.
  2. To assign a group to the application:
    1. Navigate to Applications > Applications and then select the newly created app (refer to the Creating a SAML Application in Okta section).
    2. Under the Assignments tab, from the Assign drop-down menu, click Assign to Groups.
    3. On the pop-up window, click Assign for the corresponding groups.

  3. To add and map the available groups, perform the following steps:
    1. Navigate to Identity Management > Identity Providers and click the Edit link of the IDP you created earlier (refer to the Creating an Identity Provider in the JoinNow Management Portal section).
    2. Select the Groups tab and then click Add.
    3. In the Local Group field, enter a name for the group. This group name can be used to configure the Network Policies.
    4. In the Remote Group field, enter the name of your group as it is configured in the Okta portal.
    5. Click Create.
    6. Repeat as necessary for any group you wish to create Network Policies around.
    7. Click Update.

Configuring Policies in the JoinNow Management Portal

SecureW2 PKI supports integration with Okta using SAML to authenticate users and issue certificates based on policies configured in the JoinNow Management Portal. The following policy components must be set up: the Authentication Policy for SAML-based user authentication, the Policy Engine Workflow to categorize users and devices, and the Enrollment Policy to manage certificate issuance.

The Authentication Policy links the Identity Provider to the network profile and is required to authenticate users with the specified Identity Provider. The Policy Engine Workflow allows you to define and create roles based on attributes and groups retrieved from the Identity Provider. These roles can then be assigned a unique Enrollment Policy for certificate issuance and used to trigger a Network Policy.

Configuring an Authentication Policy

An Authentication Policy can be created from the Authentication Policies page. If you’ve already set up an authentication policy through Getting Started, you can either edit it with the required values or create a new one.

To create a new Authentication Policy, perform the following steps:

  1. Navigate to Policy Management > Authentication Policies.
  2. On the Authentication Policies page, click Add Authentication Policy.
  3. In the Basic section, enter the name of the Authentication Policy in the Name field.
  4. In the Display Description field, enter a suitable description for the Authentication Policy.
  5. Click Save.
  6. Click the Conditions tab.
  7. In the Profile drop-down list, ensure that your network profile is selected.
  8. Select the Settings tab.
  9. From the Identity Provider drop-down list, select the IDP you created earlier (refer to the Creating an Identity Provider in the JoinNow Management Portal section).
  10. Select the Enable User Self Service checkbox, if required.
  11. Click Update.

Configuring a Policy Engine Workflow

To add a Policy Engine Workflow in the JoinNow Management Portal, perform the following steps:

  1. Navigate to Policy Management > Policy Engine Workflows.
  2. Click Add Policy Engine Workflows.
  3. In the Basic section, enter the name of the policy engine workflow in the Name field.
  4. In the Display Description field, enter a suitable description for the policy engine workflow.
  5. Click Save.
  6. Select the Conditions tab.
  7. From the Identity Provider drop-down list, select the IDP that you created earlier (refer to the Creating an Identity Provider in the JoinNow Management Portal section).
  8. In the Groups field, select the group that you want to apply this Policy Engine Workflow to. The group names that show up here are the Local Groups that we configured previously while configuring the Identity Management menu (refer to the Configuring Group Mapping in the JoinNow Management Portal, step 3 section).
  9. Click Update.

Creating an Enrollment Policy

To configure an enrollment policy, perform the following steps:

  1. Navigate to Policy Management > Enrollment Policies.
  2. Click Add Enrollment Policy.
  3. In the Basic section, enter the name of the enrollment policy in the Name field.
  4. In the Display Description field, enter a suitable description for the enrollment policy.
  5. Click Save.
  6. The page refreshes, and the Conditions and Settings tabs are displayed.
  7. Select the Conditions tab.
  8. In the Conditions section, from the Role list, select the role policy you created earlier (see the Configuring a Policy Engine Workflow section).
  9. From the Device Role list, select DEFAULT DEVICE ROLE POLICY.
  10. Click Update.

Creating a Network Policy

A Network Policy helps to configure various network attributes and connection permissions based on the roles and groups defined in the Policy Engine Workflow.

To configure the Network Policy, perform the following steps:

  1. Navigate to Policy Management > Network Policies.
  2. Click Add Network Policy.
  3. In the Basic field, enter the name of the network policy in the Name field.
  4. In the Display Description field, enter the suitable description for the network policy.
  5. Click Save.
  6. The page refreshes and displays the Conditions and Settings tabs.
  7. Select the Conditions tab.
  8. Select Match All or Match Any based on your requirement to set authentication criteria. In the case explained here, we are selecting Match All.
  9. Click Add rule.
  10. Expand Identity and select the Role option.
  11. Click Save.
  12. The Role option appears under the Conditions tab.
  13. From the Role Equals drop-down list, select the Policy Engine Workflow you created earlier (refer to the Configuring a Policy Engine Workflow section). You can select multiple Policy Engine Workflows to assign to a Network Policy.
  14. Select the Settings tab.
  15. Click Add Attribute.
    1. From the Dictionary drop-down list, select an option: Radius:IETF or Custom.
    2. From the Attribute drop-down-list, select any of the following options:
      1. Framed-Protocol
      2. Framed-IP-Address
      3. Framed-IP-NetMask
      4. Framed-Routing
      5. Filter-Id
      6. Framed-MTU
      7. Framed-Compression
      8. Reply-Message
      9. Framed-Route
      10. Framed-IPX-Network
      11. State
      12. Class
      13. Session-Timeout
      14. Tunnel-Type
      15. Tunnel-Medium-Type
      16. Tunnel-Private-Group-ID
      17. Framed-Pool
    3. In the Value field, enter the appropriate value for the attribute.
    4. Click Save.

Configure SecureW2’s Cloud RADIUS with your Access Points / Wireless Controller

SecureW2 is built in with Cloud RADIUS, a turnkey RADIUS Server designed for certificate-based authentication in the cloud. When you use SecureW2’s PKI Services, Cloud RADIUS comes included and works out of the box with the certificates that you generate using SecureW2. All that you need to do is input a shared secret and IP addresses in your AP/Controller and you’re all set.

Our Cloud RADIUS also has the capability to authenticate dynamically. A Dynamic RADIUS server can communicate with the Identity Provider to enforce user and group policies at the time of authentication. Cloud RADIUS is the only RADIUS server that can communicate securely with Cloud Identity Providers and empower organizations with certificate-based authentication. Now, you can change users’ permissions and have network security reflect these changes without having to reissue new certificates.

Integrating Cloud RADIUS Server

The network SSID for onboarding the users should be configured to point to SecureW2 CloudRADIUS for RADIUS authentication.

  1. Navigate to your Access Point.
  2. Create a secure SSID with an appropriate name, and configure the redirect URL with the Securew2 landing page, such as https://cloud.securew2.com/public/52094/Secure_Wifi/
  3. Use the Primary IP Address, Secondary IP Address, and Shared Secret values from RADIUS Configuration in the JoinNow Management Portal to set up the RADIUS Server on the Access Point.

Sample Flow for Configuring the RADIUS Server in Meraki

To set up RADIUS servers:

  1. Navigate to Wireless > Access Control.
  2. From the SSID drop-down list, select the required SSID.
  3. In the Network access section, select the Open (no encryption) radio button.
  4. Scroll down to the Splash page section and select the Sign-on with radio button.
  5. From Sign-on with drop-down list, select my RADIUS server.
  6. In the RADIUS for splash page section, click Add a server.
  7. Navigate to RADIUS > RADIUS Configuration in the JoinNow Management Portal. Copy the values from the Primary IP Address, Authentication Port, and Shared Secret values.
  8. Paste the Host (IP Address), Port (Authentication Port), and Secret values in the Meraki Portal.
  9. From the Walled garden drop-down list, select Walled garden is enabled.
  10. In the Walled garden ranges field, enter *.securew2.com

  11. Scroll to the bottom of the page and click Save Changes.
  12. To configure the redirect URL:
    1. Navigate to Wireless > Splash Page.
    2. Under Custom splash URLs, select the Or provide a URL where users will be redirected radio button and enter the Securew2 landing page.
    3. Scroll to the bottom of the page and click Save Changes.

Conclusion

The enrolled users, devices, and their details can be tracked on the Devices page in the JoinNow Management Portal (navigate to Data and Monitoring > Devices).

Wi-Fi Authentication events of the users are available on the RADIUS Events page. To access the RADIUS Events page, log in to the JoinNow Management Portal and navigate to Data and Monitoring > RADIUS Events.

With SecureW2, using your Okta directory for Secure Wi-Fi access is really easy. With our Turnkey Managed PKI, 802.1x Onboarding, and Cloud RADIUS Server you can take advantage of excellent network security alongside an awesome end user experience. Like to learn more? Click here for a pricing estimate that tailors our cost effective solution to your organization’s needs.