
How To Configure WPA2-Enterprise With Okta

Historically, security had to be a trade-off with user experience. The iron-clad security of certificate-based authentication was often dismissed as more work than it was worth. Today, technology has advanced to the point where certificate-based Wi-Fi authentication is not only more secure than credential-based, but it’s a significantly better user experience as well.

In this guide we will show you how to integrate your Okta Identity Provider with SecureW2’s Turnkey PKI and 802.1x Onboarding solution. In less than an hour, your network will be set up with EAP-TLS (802.1x Certificate Authentication), and all end users will have to do is enter their Okta credentials in our dissolvable clients and the software will enroll their device for a certificate and configure it for EAP-TLS WPA2-Enterprise authentication (shown below).

Integration Process Overview

  1. Add an Identity Provider in SecureW2’s Management Portal
    • The Identity Provider provides context that tells the Cloud Connector system how to connect to the Okta user database, verify users, and issue certificates.
  2. Create a SAML Application in Okta to connect SecureW2 certificate issuance services with the IDP
    • When users enter their Okta credentials during the certificate enrollment process, the IDP verifies the user and sends user attributes to SecureW2 via the SAML application. Once the attributes have been sent to SecureW2, the user can be issued a customized certificate tied to their identity and their device’s identity.
  3. Configure Attribute Mapping and Upload Okta Metadata
    • Administrators can customize the attribute mapping to segment network users into groups. For example, a university would want separate user groups for students and professors, so it configures the attributes to automatically sort users into one of these groups. After mapping attributes, the Okta metadata is uploaded to segment the network.
  4. Update Role and Enrollment Policies
    • With users organized into user groups, you can begin to customize policies that dictate the network user experience. Admins can begin determining which applications, files, websites, and more that each user group should have access to.
  5. Configure SecureW2’s Cloud RADIUS with your Access Points / Wireless Controller
    • Cloud RADIUS comes pre-built for certificates. Here we just need to share a couple of IPs and a shared secret with our Wi-Fi infrastructure.

Ready to set it up? Here’s what you need to get started:

  • An active SecureW2 account
  • An active Cloud Connector subscription

Create an Identity Provider in SecureW2

An identity provider (IDP) is the system that proves the identity of a user/device. Creating an IDP in SecureW2 tells the Cloud Connector system how to connect to your Okta user database, verify user credentials, and issue certificates.

To create an IDP in SecureW2:

  1. Log in to the JoinNow Management Portal.
  2. Navigate to Identity Management > Identity Providers.
  3. Click Add Identity Provider.


  4. Under the Basic section, in the Name field, enter the name of the IdP.
  5. In the Description field, enter a suitable description for the IdP.
  6. From the Type drop-down list, select SAML.
  7. From the SAML Vendor drop-down list, select OKTA.
  8. Click Save.
  9. The page refreshes and displays the Configuration, Attribute Mapping, and Groups tabs.
  10. Under the Configuration tab, select and copy the Entity ID and ACS URL values to your console or clipboard.

Create a SAML Application in Okta

The SAML application is a crucial connection between your IDP and SecureW2. The SAML application allows a user to enter their Okta credentials, which are then passed to their IDP for verification. The IDP verifies the user’s identity and then sends attributes to the SAML application, which then passes the attributes to SecureW2 for certificate issuance.

To create a SAML application in Okta:

  1. Log in to the Okta portal.
  2. Navigate to Applications > Applications.
  3. Click Create App Integration.
  4. In the Create a new app integration pop-up window, select SAML 2.0 as the sign-in method.
  5. Click Next.
  6. Under the General Settings tab, in the App name field, enter a unique name for the application.
  7. Click Next.
  8. Under the Configure SAML tab, in the SAML Settings section, copy the ACS URL value from the JoinNow Management Portal and paste the value in the Single sign-on URL field.
  9. Copy the Entity ID value from the JoinNow Management Portal and paste the value in the Audience URI (SP Entity ID) field.

    NOTE: To obtain the ACS URL and the Entity ID, log in to the JoinNow Management Portal. Navigate to Identity Management > Identity Providers > click the Edit link of the IdP you created and then select the Configuration tab.

  10. Scroll down to the bottom of the page and click Next.
  11. Enter the optional details on the Feedback page and click Finish.

Getting Started with Configuring SecureW2

The Getting Started Wizard creates everything you need for 802.1x. It generates a RADIUS Server, Network Profiles, a Landing Page for Device Onboarding, and all the default network settings you need for 802.1x.

  1. Navigate to Device Onboarding > Getting Started.
  2. On the Quickstart Network Profile generator page, from the Profile Type drop-down list, select a network type.
  3. In the SSID text box, enter an SSID name.
  4. From the Security Type drop-down list, select WPA2-Enterprise.
  5. From the EAP Method drop-down list, select EAP-TLS.
  6. From the Policy drop-down list, retain DEFAULT.
  7. From the Wireless Vendor drop-down list, select a vendor.
  8. From the RADIUS Vendor drop-down list, select a RADIUS vendor.
  9. Click Create. It takes 60-90 seconds for the process to complete.

NOTE: If you have already configured SecureW2 for your network, you may skip this step.

Configure an Authentication Policy

To configure an authentication policy, perform the following steps:

  1. Navigate to Policy Management > Authentication Policies.
  2. On the Authentication Policies screen, click the Edit link of the network profile you created earlier (For more information, see: Getting Started with Configuring SecureW2).
  3. Select the Conditions tab and make sure that your network profile is displayed in the Profile field.
  4. Select the Settings tab. In the Settings section, from the Identity Provider drop-down list, select the IdP you created earlier.
  5. Select the Enable User Self Service checkbox, if required.
  6. Click Update.

Configure a Role Policy

To configure a user role policy, perform the following steps:

  1. Navigate to Policy Management > Roles Policies.
  2. On the Role Policies screen, click Add Role.
  3. Under the Basic section, in the Name field, enter the name of the Role policy.

  4. In the Display Description field, enter a suitable description for the Role policy.

  5. Click Save.

  6. The page refreshes and the Conditions tab is displayed.

  7. Select the Conditions tab.

  8. In the Conditions section, from the Identity Provider drop-down list, select the IdP you created earlier (see the Create an Identity Provider in SecureW2 section).

  9. Under the Attributes/Groups section, in the Attribute field, retain ANY.

  10. Click Update.

Configure Attribute Mapping

To configure attribute mapping, perform the following steps:

  1. Log in to the Okta portal.
  2. Navigate to Applications > Applications.
  3. On the Applications page, open the newly created app integration and then click the General tab.
  4. Under the General tab, scroll down to the SAML Settings section and click Edit.
  5. Click Next.
  6. Under the Configure SAML tab, scroll down to the Attribute Statements (optional) section and enter the following attributes in the fields:

     Name        Value
     email       user.email
     firstname   user.firstname
     lastname    user.lastname

  7. Scroll down to the Preview the SAML assertion generated from the information above section and click the Preview the SAML Assertion button. The IdP metadata is displayed in a new tab.
  8. Copy the entire content and paste it into a text editor and then save the metadata as a .xml file on your computer.
  9. Next, add the users to the application.
  10. To assign a user to the application, go to Applications > Applications and then select the newly created app.
    1. On the displayed page, click the Assign drop-down menu and select Assign to People.
    2. On the displayed window, click Assign for the corresponding users.
  11. To assign a group to the application, go to Applications > Applications and then select the newly created app.
    1. On the displayed page, click the Assign drop-down menu and select Assign to Groups.
    2. On the displayed window, click Assign for the corresponding groups.
  12. On the JoinNow Management Portal, navigate to Identity Management > Identity Providers and click the Edit link of the IdP you created earlier (see the Create an Identity Provider in SecureW2 section).
  13. Select the Configuration tab.
  14. In the Identity Provider (IDP) Info section, in the Metadata field, click the Upload button to upload the metadata file (.xml).
  15. Click Update.
  16. To configure the JoinNow Management Portal for attribute mapping:
    1. Navigate to Identity Management > Identity Providers and click Edit of the IdP created earlier (see the Create an Identity Provider in SecureW2 section).
    2. Select the Attribute Mapping tab.

    3. Click Add.

    4. On the displayed screen, in the Local Attribute field, enter email.

    5. From the Remote Attribute drop-down list, select User Defined.

    6. In the field next to the Remote Attribute field, enter Email and click Next.

    7. Repeat steps 14 through 16, entering upn in the Local Attribute field and Email in the Remote Attribute field.

    8. Repeat steps 14 through 16, entering displayName in the Local Attribute field and firstName in the Remote Attribute field.

    9. Click Update.
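The attribute mapping above only works if the assertion that arrives at SecureW2 was actually issued for this service provider and carries the attributes enrollment depends on. The following added example (not SecureW2's or Okta's code) shows that receiving-side logic: it checks the response's Destination and Audience against the ACS URL and Entity ID pasted into Okta, then maps the Okta attribute statements (email, firstname) onto the local attributes (email, upn, displayName) the guide configures. The SAML response, the ACS URL and the Entity ID are constructed placeholders, and XML signature validation is assumed to be done by the SAML library before this runs.

```python
import xml.etree.ElementTree as ET

# Standard SAML 2.0 namespaces.
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Placeholders standing in for the ACS URL and Entity ID copied from the JoinNow portal.
EXPECTED_ACS_URL = "https://sp.example.invalid/acs"
EXPECTED_ENTITY_ID = "https://sp.example.invalid/entity"

# Okta attribute-statement name -> SecureW2 local attribute(s), per the guide's mapping steps.
ATTRIBUTE_MAP = {"email": ("email", "upn"), "firstname": ("displayName",)}

# Constructed sample, shaped like Okta's "Preview the SAML Assertion" output.
SAMPLE_RESPONSE = """<samlp:Response
  xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  Destination="https://sp.example.invalid/acs">
  <saml:Assertion><saml:Conditions><saml:AudienceRestriction>
    <saml:Audience>https://sp.example.invalid/entity</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="email"><saml:AttributeValue>jdoe@example.invalid</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="firstname"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="lastname"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement></saml:Assertion></samlp:Response>"""


def map_assertion_attributes(response_xml, acs_url=EXPECTED_ACS_URL,
                             entity_id=EXPECTED_ENTITY_ID):
    """Reject a response aimed at another SP, then map its attributes.
    Signature validation is assumed to happen in the SAML library
    before this function is called."""
    root = ET.fromstring(response_xml)
    if root.get("Destination") != acs_url:
        raise ValueError("Destination does not match our ACS URL")
    audiences = [a.text for a in root.findall(".//saml:Audience", NS)]
    if entity_id not in audiences:
        raise ValueError("Audience does not match our SP Entity ID")
    remote = {}
    for attr in root.findall(".//saml:Attribute", NS):
        value = attr.find("saml:AttributeValue", NS)
        remote[attr.get("Name")] = value.text if value is not None else None
    local = {}
    for remote_name, local_names in ATTRIBUTE_MAP.items():
        if not remote.get(remote_name):
            raise ValueError("missing attribute %r for enrollment" % remote_name)
        for local_name in local_names:
            local[local_name] = remote[remote_name]
    return local
```

An assertion that passes these checks yields the local attribute set SecureW2 can stamp into the enrolled certificate; one missing the email statement, or issued for a different Entity ID, is refused before any certificate is issued.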

Configure an Enrollment Policy

To configure an enrollment policy, perform the following steps:

  1. Navigate to Policy Management > Enrollment Policies.
  2. On the Enrollment Policies screen, click the Edit link against the DEFAULT ENROLLMENT POLICY 1 or the newly created Okta Policy, and then select the Conditions tab.
  3. In the Conditions section, from the Role list, select DEFAULT ROLE POLICY 1 (For more information, see: Configure a Role Policy).
  4. From the Device Role list, select the DEFAULT DEVICE ROLE POLICY.
  5. Click Update.

Configure SecureW2’s Cloud RADIUS with your Access Points / Wireless Controller

SecureW2 comes built with Cloud RADIUS, a turnkey RADIUS server designed for certificate-based authentication in the cloud. When you use SecureW2’s PKI Services, Cloud RADIUS comes included and works out of the box with the certificates that you generate using SecureW2. All that you need to do is input a shared secret and IP addresses in your AP / Controller and you’re all set.

Our Cloud RADIUS also has the capability to authenticate dynamically. A Dynamic RADIUS server can communicate with the directory to enforce user and group policies at the time of authentication. Cloud RADIUS is the only RADIUS server that can communicate securely with Cloud Identity Providers and empower organizations with certificate-based authentication. Now you can change users’ permissions and have network security reflect these changes without having to reissue new certificates.

Integrating Cloud RADIUS:

  1. Navigate to AAA Management in the JoinNow Management Portal.
    1. Locate and save your primary and secondary IP addresses and shared secret.
  2. Navigate to your AP.
    1. Create a secure SSID.
    2. Input your primary IP and your shared secret.
    3. Input your secondary IP and shared secret as a backup RADIUS server.

Conclusion

With SecureW2, using your Okta directory for secure Wi-Fi access is really easy. With our Turnkey Managed PKI, 802.1x Onboarding, and Cloud RADIUS Server you can take advantage of excellent network security alongside an awesome end user experience. Want to learn more? Click here for a pricing estimate that tailors our cost-effective solution to your organization’s needs.