How To Configure WPA2-Enterprise With Okta

Historically, security had to be a trade-off with user experience. The iron-clad security of certificate-based authentication was often dismissed as more work than it was worth. Today, technology has advanced to the point where certificate-based Wi-Fi authentication is not only more secure than credential-based, but it’s a significantly better user experience as well.

In this guide we will show you how to integrate your Okta Identity Provider with SecureW2’s Turnkey PKI and 802.1x Onboarding solution. In less than an hour, your network will be set up with EAP-TLS (802.1x certificate authentication). All end users will have to do is enter their Okta credentials in our dissolvable client, and the software will enroll their device for a certificate and configure it for EAP-TLS WPA2-Enterprise authentication (shown below).

Integration Process Overview

  1. Add an Identity Provider in SecureW2’s Management Portal
    • The Identity Provider provides context that tells the Cloud Connector system how to connect to the Okta user database, verify users, and issue certificates.
  2. Create a SAML Application in Okta to connect SecureW2 certificate issuance services with the IDP
    • When users enter their Okta credentials during the certificate enrollment process, the IDP verifies the user and sends user attributes to SecureW2 via SAML application. Once the attributes have been sent to SecureW2, the user can be issued a customized certificate that is tied to their identity and the identity of their device.
  3. Configure Attribute Mapping and Upload Okta Metadata
    • Administrators can customize the attribute mapping in order to segment network users into like groups. For example, a university would want separate user groups for students and professors, so it configures the attributes to sort users into one of these groups automatically. After mapping the attributes, the Okta metadata is uploaded to SecureW2 to segment the network.
  4. Update Role and Enrollment Policies
    • With users organized into user groups, you can begin to customize policies that dictate the network user experience. Admins can begin determining which applications, files, websites, and more that each user group should have access to.
  5. Configure SecureW2’s Cloud RADIUS with your Access Points / Wireless Controller
    • Cloud RADIUS comes pre-built for certificates. Here we just need to share a couple of IPs and a shared secret with our Wi-Fi infrastructure.

Ready to set it up? Here’s what you need to get started:

  • An active SecureW2 account
  • An active Cloud Connector subscription


Create an Identity Provider in SecureW2

An identity provider (IDP) is the system that proves the identity of a user/device.

Creating an IDP in SecureW2 tells the Cloud Connector system how to connect to your Okta user database, verify user credentials, and issue certificates.

To create an IDP in SecureW2:

  1. From your SecureW2 Management Portal, go to Identity Management > Identity Providers.
  2. Click Add Identity Provider.
  3. For Name, enter a name.
  4. For Description, enter a description.
  5. Click the Type dropdown and select SAML.
  6. Click the Saml Vendor dropdown and select OKTA.
  7. Click Save.

Okta IDP info

Now, SecureW2 Cloud Connector knows how to exchange information with your Okta user database.


Create a SAML Application in Okta

Your SAML application is a crucial connection between your IDP and SecureW2.

Your SAML application allows a user to enter their Okta credentials, which are then passed to your IDP for verification. Your IDP verifies the user’s identity and then sends attributes to your SAML application, which then passes the attributes to SecureW2 for certificate issuance.

To create a SAML application to use with SecureW2:

  1. From your Okta dashboard, go to the Dashboard page.
  2. Under Shortcuts, click Add Applications.
  3. Click Create New App.
  4. In the Create a New Application Integration prompt:
    1. Click the Platform dropdown and select Web.
    2. For Sign on method, select the radio button for SAML 2.0.

Create New Application Integration

  5. Click Create.
  6. On the 1 General Settings step, for App name, enter a name.
  7. Click Next.
  8. In a new browser tab/window, log into your SecureW2 Management Portal and go to Identity Management > Identity Providers.
  9. Click Edit for the IDP you created in the section “Create an Identity Provider in SecureW2”.
  10. Select the Configuration tab.
  11. Copy and paste as follows:
    1. From SecureW2, copy the information for ACS URL and EntityId, and
    2. Paste respectively into Okta (2 Configure SAML step) for Single sign on URL and Audience URI (SP Entity ID).
  12. Click Next.
  13. On the 3 Feedback step, for Are you a customer or partner?, select the appropriate radio button.
  14. Click Finish.


Update the Profile Policy in SecureW2

To update the profile policy in SecureW2:

  1. From your SecureW2 Management Portal, go to Policy Management > Profile.
  2. Click Edit for the profile policy.
  3. Select the Settings tab.
  4. Click the Identity Provider dropdown and select the IDP you created in the section “Create an Identity Provider in SecureW2”.
  5. Click Update.


Update the User Role Policy in SecureW2

To update the user role policy in SecureW2:

  1. From your SecureW2 Management Portal, go to Policy Management > User Roles.
  2. For DEFAULT ROLE POLICY 1, click Edit.
  3. Select the Conditions tab.
  4. Click the Identity Provider dropdown and select the IDP you created in the section “Create an Identity Provider in SecureW2”.
  5. Click Update.


Configure Attribute Mapping in Okta

To configure attribute mapping in Okta:

  1. From your Okta dashboard, go to the Applications page.
  2. Click the SAML application you created in the section “Create a SAML Application in Okta”.
  3. Select the General tab.
  4. In the SAML Settings section, click Edit.
  5. On the 1 General Settings step, click Next.
  6. On the 2 Configure SAML step, in the ATTRIBUTE STATEMENTS (OPTIONAL) section, configure attributes:
    1. For Name, enter ‘email’, and for Value, select ‘user.email’.
    2. Click Add Another.
    3. For Name, enter ‘firstName’, and for Value, select ‘user.firstName’.
    4. Click Add Another.
    5. For Name, enter ‘lastName’, and for Value, select ‘user.lastName’.
  7. Click Preview the SAML Assertion.
  8. Copy the .xml data that appears.
  9. Open a text file and paste the .xml data into the file.
  10. Save the file using the .xml extension.

attribute statements


Upload the Okta Metadata to SecureW2

To upload the Okta metadata to SecureW2:

  1. From your SecureW2 Management Portal, go to Identity Management > Identity Providers.
  2. Click Edit for the IDP you created in the section “Create an Identity Provider in SecureW2”.
  3. Select the Configuration tab.
  4. Under Identity Provider (IDP) Info, for Metadata, click Choose File.
  5. In the window that appears, select the Okta metadata file (.xml) you saved to your computer in the previous section.
  6. Click Upload.
  7. Click Update.


Configure Attribute Mapping in SecureW2

To configure attribute mapping in SecureW2:

  1. From your SecureW2 Management Portal, go to Identity Management > Identity Providers.
  2. Click Edit for the IDP you created in the section “Create an Identity Provider in SecureW2”.
  3. Select the Attribute Mapping tab.
  4. Click Add.
  5. For Local Attribute, enter ‘upn’.
  6. Click the Remote Attribute dropdown and select USER_DEFINED.
  7. In the field that appears, enter ‘email’.
  8. Click Next.
  9. Click Add.
  10. For Local Attribute, enter ‘email’.
  11. Click the Remote Attribute dropdown and select USER_DEFINED.
  12. In the field that appears, enter ‘email’.
  13. Click Next.
  14. Click Add.
  15. For Local Attribute, enter ‘displayName’.
  16. Click the Remote Attribute dropdown and select USER_DEFINED.
  17. In the field that appears, enter ‘firstName’.
  18. Click Next.
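To make the two mapping steps concrete (the Okta attribute statements email/firstName/lastName and the SecureW2 local mapping upn ← email, email ← email, displayName ← firstName), here is an added example, not SecureW2's or Okta's code, that parses a constructed SAML assertion in the shape of Okta's preview and applies that mapping, refusing to produce certificate identity fields when a required attribute is missing or blank:

```python
"""Added example: apply this guide's SAML attribute mapping to an assertion."""
import xml.etree.ElementTree as ET

# SAML 2.0 assertion namespace; the prefix used here is arbitrary, only the URI matters.
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Local SecureW2 attribute <- remote Okta attribute, exactly as configured in the guide.
ATTRIBUTE_MAP = {"upn": "email", "email": "email", "displayName": "firstName"}

# Constructed sample in the shape of Okta's "Preview the SAML Assertion" output.
SAMPLE_ASSERTION = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:AttributeStatement>
    <saml2:Attribute Name="email"><saml2:AttributeValue>jdoe@example.com</saml2:AttributeValue></saml2:Attribute>
    <saml2:Attribute Name="firstName"><saml2:AttributeValue>Jane</saml2:AttributeValue></saml2:Attribute>
    <saml2:Attribute Name="lastName"><saml2:AttributeValue>Doe</saml2:AttributeValue></saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>"""


def parse_attributes(assertion_xml):
    """Return {Name: value} for every Attribute in the assertion's AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        value = attr.find("saml:AttributeValue", NS)
        attrs[attr.get("Name")] = (value.text or "").strip() if value is not None else ""
    return attrs


def map_attributes(remote, mapping=ATTRIBUTE_MAP):
    """Apply the local <- remote mapping. A missing or empty remote attribute is an
    error, so a certificate is never requested with a blank identity field."""
    local = {}
    for local_name, remote_name in mapping.items():
        value = remote.get(remote_name, "")
        if not value:
            raise ValueError(f"assertion lacks '{remote_name}' needed for local '{local_name}'")
        local[local_name] = value
    return local


def certificate_identity(assertion_xml):
    """Identity fields SecureW2 would place in the user's certificate, per the mapping."""
    return map_attributes(parse_attributes(assertion_xml))


if __name__ == "__main__":
    print(certificate_identity(SAMPLE_ASSERTION))
```

Note that lastName is sent by Okta but never consumed by the mapping above, which mirrors the guide's configuration.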


Update the Enrollment and Role Policies in SecureW2

To update the enrollment policy in SecureW2:

  1. From your SecureW2 Management Portal, go to Policy Management > Enrollment.
  2. For DEFAULT ENROLLMENT POLICY 1, click Edit.
  3. Select the Conditions tab.
  4. In the User Role list, select DEFAULT ROLE POLICY 1.
  5. In the Device Role list, select DEFAULT DEVICE ROLE POLICY 1.
  6. Click Update.


Configure SecureW2’s Cloud RADIUS with your Access Points / Wireless Controller

SecureW2 comes built with Cloud RADIUS, a turnkey RADIUS server designed for certificate-based authentication in the cloud. When you use SecureW2’s PKI Services, Cloud RADIUS comes included and works out of the box with the certificates that you generate using SecureW2. All that you need to do is input a shared secret and IP addresses in your AP / Controller, and you’re all set.

Our Cloud RADIUS also has the capability to authenticate dynamically. A Dynamic RADIUS server can communicate with the directory to enforce user and group policies at the time of authentication. Cloud RADIUS is the only RADIUS server that can communicate securely with Cloud Identity Providers and empower organizations with certificate-based authentication. Now you can change users’ permissions and have network security reflect these changes without having to reissue certificates.

Integrating Cloud RADIUS:

  1. Navigate to AAA Management in the SecureW2 Management Portal.
    1. Locate and save your primary and secondary IP addresses and the shared secret.
  2. Navigate to your AP / Wireless Controller.
    1. Create a secure SSID.
    2. Input your primary IP and your shared secret as the RADIUS server.
    3. Input your secondary IP and shared secret as the backup RADIUS server.


Conclusion

With SecureW2, using your Okta directory for Secure Wi-Fi access is really easy. With our Turnkey Managed PKI, 802.1x Onboarding, and Cloud RADIUS Server you can take advantage of excellent network security alongside an awesome end user experience. Like to learn more? Click here for a pricing estimate that tailors our cost effective solution to your organization’s needs.

Okta is a registered trademark of Okta, Inc. in the United States and/or other countries. Other trademarks, logos and service marks used in this site are the property of SecureW2 or other third parties.