
Implementing WPA2-Enterprise with Dynamic RADIUS and Okta

Introduction

Digital certificates have proven that networks can bolster their security without sacrificing user experience. Though many have dismissed certificate-based authentication in the past, it has become a gold standard for wireless security.

SecureW2 provides a Managed Cloud PKI solution, allowing Okta customers to implement 802.1X and certificate-based authentication. This setup makes it easier to configure WPA2-Enterprise Wi-Fi and certificate authentication for Wi-Fi, VPN, web apps, desktop logon, and more. Check out our setup guide on how to configure WPA2-Enterprise with Okta.

SecureW2’s PKI is built with a Dynamic RADIUS server that can be configured to communicate with your directory and enforce user policies during authentication. Cloud RADIUS is designed to query cloud identity providers (IdPs) such as Okta directly at authentication time, so a certificate alone is never the final word: the user’s current directory status is checked on every connection. Admins no longer have to reissue certificates when a user’s policy changes, because the change takes effect at the next authentication.

Below, we lay out how you can integrate SecureW2’s Dynamic RADIUS with your Okta setup.

Creating API Token

To create an API Token, perform the following steps:

  1. Log in to the Okta Portal.
  2. On the left pane, from the Security menu, select API.
  3. Select the Tokens tab and on the displayed screen, click the Create token button.
  4. In the Create token dialog box, enter a name for the token and click Create token.
  5. On the displayed screen, copy the token value.

NOTE: Okta shows the token value only once, so copy it immediately and store it somewhere safe (for example, a secrets manager). You will paste it into the JoinNow Management Portal later. The token carries the permissions of the admin account that created it and expires if it is not used for 30 days, so create it from a dedicated, least-privilege admin account rather than a personal one.

Configuring SecureW2 for Okta

Creating an Identity Provider

An identity provider (IdP) is the system that proves the identity of a user or device.

Creating an IdP in SecureW2 tells the Cloud Connector system how to connect to your Okta, verify user credentials, and issue certificates.

To create an IdP in the JoinNow Management Portal:

  1. Log in to the JoinNow Management Portal.
  2. Navigate to Identity Management > Identity Providers.
  3. Click Add Identity Provider.
  4. In the Basic section, enter the name of the IdP in the Name field.
  5. In the Description field, enter a suitable description for the IdP.
  6. From the Type drop-down list, select SAML.
  7. From the SAML Vendor drop-down list, select OKTA.
  8. Click Save.

Configuring Account Lookup during Certificate Authentication

Cloud RADIUS enhances security by validating the user’s account status during Wi-Fi authentication in addition to validating the certificate. This is accomplished by querying Okta for the status of the user account associated with the certificate each time a Wi-Fi connection request is made. This dynamic verification ensures that only active users can access the network at any time, even if they still hold a valid certificate. The following steps configure the policies needed for the lookup.

Creating an Identity Lookup Provider

To create an Identity Lookup Provider, perform the following steps:

  1. Navigate to Identity Management > Identity Providers.
  2. Click Add Identity Provider.
  3. In the Basic section, enter the name of the IdP in the Name field.
  4. In the Description field, enter a suitable description for the IdP.
  5. From the Type drop-down list, select Okta Identity Lookup.
  6. Click Save.
  7. The page refreshes and displays the Configuration, Attribute Mapping, and Groups tabs.
  8. Click the Configuration tab.
  9. Under the Configuration section, provide the following information.
    1. In the Provider URL field, enter your Okta organization URL, such as
      https://dev-123456.okta.com/

      NOTE: Use the organization URL, not the admin console URL (the hostname that contains “-admin”, such as dev-123456-admin.okta.com). The Okta API is served from the organization URL, and the lookup fails against the admin hostname.
    2. In the API Token field, enter the token you obtained from the Okta portal (see the Creating an API Token section).
    3. Click the Validate button to check the connection with Okta.

    4. Click Update.

NOTE: If the Identity Lookup Provider is deleted in the JoinNow Management Portal, the SAML app in the Okta portal is also deleted. The API token is not removed automatically; revoke it manually in the Okta portal so that it cannot be reused.
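To make the lookup concrete, here is an added example (not SecureW2 or Okta code) of the three things the Identity Lookup Provider configuration above has to get right: the organization URL (not the admin URL), the API token sent in Okta’s `SSWS` authorization header, and the user status and group query that Cloud RADIUS performs during authentication. The org URL, token, user IDs and group names are constructed, and the HTTP transport is injected so the script runs offline against a fake tenant; pass `http_get` instead to run it against a real Okta org.

```python
"""Okta account lookup as performed at certificate-authentication time:
take the identity from the client certificate, fetch that user from the
Okta Users API, check the account status and collect its group names.
Added example (not SecureW2 or Okta code); the HTTP transport is injected
so the script runs offline against a constructed fake Okta tenant."""
import json
from urllib.error import HTTPError
from urllib.parse import quote, urlparse
from urllib.request import Request, urlopen


class OktaLookupError(Exception):
    """Okta could not be queried (network failure, HTTP 5xx, bad token)."""


def normalise_org_url(url: str) -> str:
    """Return the org URL without a trailing slash. API calls go to the org
    URL (https://dev-123456.okta.com); the '-admin' console hostname is
    rejected because lookups against it fail."""
    parts = urlparse(url.strip())
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError(f"not an https Okta org URL: {url!r}")
    if parts.netloc.split(".")[0].endswith("-admin"):
        raise ValueError("use the org URL, not the -admin console URL")
    return f"https://{parts.netloc}"


def http_get(url: str, token: str):
    """Live transport: GET with Okta's 'SSWS <token>' authorization scheme.
    Returns (http_status, decoded_json)."""
    req = Request(url, headers={"Authorization": f"SSWS {token}",
                                "Accept": "application/json"})
    try:
        with urlopen(req, timeout=10) as resp:
            return resp.status, json.load(resp)
    except HTTPError as err:          # 401/403/404 carry a JSON error body
        return err.code, json.load(err)
    except OSError as err:            # DNS, TLS or connection failure
        raise OktaLookupError(f"cannot reach Okta: {err}") from err


def validate_token(org_url: str, token: str, transport=http_get) -> str:
    """The check behind the portal's Validate button: the token is accepted.
    GET /api/v1/users/me returns the admin who created the token, whose
    permissions the token inherits."""
    status, body = transport(f"{normalise_org_url(org_url)}/api/v1/users/me", token)
    if status != 200:
        raise OktaLookupError(f"token rejected: HTTP {status} {body.get('errorSummary', '')}")
    return body["profile"]["login"]


def lookup_user(org_url: str, token: str, identity: str, transport=http_get) -> dict:
    """Resolve a certificate identity (SAN UPN / email, i.e. the Okta login)
    to the account's status and groups. A missing user is a normal answer;
    an unreachable Okta raises, so the caller can tell the two apart."""
    base = normalise_org_url(org_url)
    status, user = transport(f"{base}/api/v1/users/{quote(identity, safe='')}", token)
    if status == 404:
        return {"found": False, "identity": identity}
    if status != 200:
        raise OktaLookupError(f"user lookup failed: HTTP {status}")
    status, groups = transport(f"{base}/api/v1/users/{user['id']}/groups", token)
    if status != 200:
        raise OktaLookupError(f"group lookup failed: HTTP {status}")
    return {"found": True, "identity": identity, "login": user["profile"]["login"],
            "status": user["status"],
            "active": user["status"] == "ACTIVE",   # only ACTIVE may join the network
            "groups": [g["profile"]["name"] for g in groups]}


# Constructed fake tenant standing in for Okta, shaped like real API responses.
_FAKE_TENANT = {
    "/api/v1/users/me": (200, {"id": "00uADMIN", "status": "ACTIVE",
                                "profile": {"login": "radius-svc@example.com"}}),
    "/api/v1/users/alice%40example.com": (200, {"id": "00uALICE", "status": "ACTIVE",
                                                "profile": {"login": "alice@example.com"}}),
    "/api/v1/users/00uALICE/groups": (200, [{"profile": {"name": "Everyone"}},
                                            {"profile": {"name": "Staff"}}]),
    "/api/v1/users/bob%40example.com": (200, {"id": "00uBOB", "status": "DEPROVISIONED",
                                              "profile": {"login": "bob@example.com"}}),
    "/api/v1/users/00uBOB/groups": (200, []),
}


def fake_transport(url: str, token: str):
    if token != "00example-token":
        return 401, {"errorSummary": "Invalid token provided"}
    return _FAKE_TENANT.get(url[len("https://dev-123456.okta.com"):],
                            (404, {"errorSummary": "Not found"}))


def okta_down(url: str, token: str):
    raise OktaLookupError("cannot reach Okta: connection refused")


if __name__ == "__main__":
    org, tok = "https://dev-123456.okta.com/", "00example-token"
    print("token owner:", validate_token(org, tok, fake_transport))
    for who in ("alice@example.com", "bob@example.com", "carol@example.com"):
        print(lookup_user(org, tok, who, fake_transport))
```

Note the distinction the code keeps: `bob@example.com` exists but is DEPROVISIONED, `carol@example.com` does not exist, and `okta_down` is a connectivity failure. The first two are definitive answers from the directory; the third is not, and that difference is what the fallback policy later in this guide relies on.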

Configuring Attributes

To add a custom attribute to the identity lookup provider, follow the below steps.

  1. Navigate to Identity Management > Identity Providers.
  2. Click the Edit link on the Identity Lookup Provider created earlier (refer to the Creating an Identity Lookup Provider section).
  3. Navigate to the Attribute Mapping tab.
  4. Click Add.
  5. In the Local Attribute field, enter a name for the attribute, which corresponds with the Remote Attribute. This is used during Policy Configuration.
  6. In the Remote Attribute drop-down list, select the Okta attributes configured for user and group attributes. If the Okta attributes are unavailable in the default values, select the User Defined option and enter the exact attribute name configured in Okta.
  7. Click Next to create the custom attribute with the appropriate mapping. 
  8. Click Update.

Configuring Groups

Cloud RADIUS can perform a User Group Lookup. As a result, we can create network access policies based on a user’s group membership.

  1. Navigate to Identity Management > Identity Providers.
  2. Click the Edit link on the Identity Lookup Provider created earlier (refer to the Creating an Identity Lookup Provider section).
  3. Navigate to the Groups tab.
  4. Click Add.

    1. In the Local Group field, enter a name for the group. This group name can be used to configure the Network Policies.
    2. In the Remote Group field, enter the name of your group as it is configured in the Okta portal.
    3. Click Create.

NOTE: Repeat the process as required for the groups you wish to create network policies around.

Configuring Policies

By integrating Dynamic RADIUS with Okta, the RADIUS server can segment users and determine access levels for each user based on their stored directory information. Better yet, enforcement occurs at runtime, so a change to a user’s group membership or account status in Okta is applied at that user’s next authentication, rather than waiting for a directory sync or a certificate to be reissued.

The following policies need to be configured:

Configuring Account Lookup Policy

Lookup Policies tie our new Identity Lookup Provider to domains. Here, we will create a condition that ties our domain to the Identity Lookup Provider we created in the previous section (see the Creating an Identity Lookup Provider section).

  1. Navigate to Policy Management > Account Lookup Policies.
  2. Click Add Account Lookup Policy.
  3. In the Basic section, enter the name of the account lookup policy in the Name field.
  4. In the Display Description field, enter a suitable description of the account lookup policy.
  5. Click Save.
  6. The page refreshes and displays the Conditions and Settings tabs.
  7. Select the Conditions tab.
  8. Under the Conditions section, select the appropriate value from the Identity drop-down list.
  9. In the Regex field, enter a regular expression that matches the identities your devices present in the selected Identity field (for example, an expression that matches the domain portion of the UPN or email address in the certificate). Only identities that match are sent to this lookup provider.
  10. Click Update.
  11. Select the Settings tab.
  12. Under the Settings section, from the Identity Provider Lookup drop-down list, select the Identity Lookup Provider created in the previous section (see the Creating an Identity Lookup Provider section).
  13. From the Lookup Type drop-down list, select the lookup type:
    1. Auto: The system automatically uses identity as the Lookup attribute.
    2. Custom: The Identity drop-down list is displayed. Select a device or user identity for lookup.
      1. The user identities are:
        • Username
        • Certificate-CommonName
        • Certificate-SAN-UPN
        • Certificate-SAN-Email
      2. The device identities are:
        • Certificate-SAN-DNS
        • Client ID
        • Computer Identity
  14. If required, select the Revoke On Failure checkbox to automatically revoke a certificate when the account lookup for it fails. Enable this only after confirming, with the Validate Configuration step below, that lookups for valid users succeed reliably: a revoked certificate cannot be reinstated and must be reissued to the user.
  15. Click the Validate Configuration button to check if the lookup is valid.
  16. On the Validate Configuration pop-up window, in the Enter a valid identity field, enter the identity (user/device) to validate the lookup, and click Validate.
  17. After the successful validation, the associated attributes and groups of the Identity Provider Lookup are displayed on the Lookup Details prompt. The admin can use this information to configure the network policies and verify the user’s validity.

    NOTE: When the Admin enters an invalid identity on the Validate Configuration pop-up window, the following error message is displayed: “Account lookup failed.”

  18. Click Update.

Configuring Policy Engine Workflow

The following Policy Engine Workflows need to be configured:

Policy Engine Workflow for Enrollment

The first Policy Engine Workflow to be created is for enrollment. JoinNow MultiOS will use this policy when the end users enroll themselves for certificates.

NOTE: Refer to the Creating an Identity Provider section if you have not set SAML Identity Provider already. Once you have your SAML IdP, start here:

  1. Navigate to Policy Management > Policy Engine Workflows.
  2. Click Add Policy Engine Workflows.
  3. In the Name field, enter the name of the Policy Engine Workflow.
  4. In the Display Description field, enter the suitable description for the Policy Engine Workflow.
  5. Click Save.
  6. The page refreshes and displays the Conditions tab.
  7. Select the Conditions tab.
  8. From the Identity Provider drop-down list, select the identity provider you created earlier (refer to the Creating an Identity Provider section).
  9. Click Update.

Policy Engine Workflow for Network Authentication

First, create a role policy for network authentication. This policy is used by the Cloud RADIUS Dynamic Policy Engine to look up the user’s status at the moment of authentication. Cloud RADIUS can then dynamically apply the Network Policies, which you will configure next.

  1. Navigate to Policy Management > Policy Engine Workflows.
  2. Click Add Policy Engine Workflows.
  3. In the Name field, enter the name of the Policy Engine Workflow.
  4. In the Display Description field, enter a suitable description for the Policy Engine Workflow.

    NOTE: Ensure that you create a separate Policy Engine Workflow for authentication.

  5. Click Save.
  6. The page refreshes and displays the Conditions tab.
  7. Select the Conditions tab.
  8. From the Identity Provider drop-down list, select the Okta Identity Lookup Provider created in the previous section (see the Creating an Identity Lookup Provider section).
  9. Click Update.

Group Policy Engine Workflow for Network Authentication

Next, create role policies for the groups you want to give differentiated network access. The Cloud RADIUS Dynamic Policy Engine can then send different RADIUS attributes for each group through the network policies.

  1. Navigate to Policy Management > Policy Engine Workflows.
  2. Click Add Policy Engine Workflows.
  3. In the Name field, enter the name of the Group Policy Engine Workflow.
  4. In the Display Description field, enter the suitable description for the Group Policy Engine Workflow.
  5. Click Save.
  6. The page refreshes and displays the Conditions tab.
  7. Select the Conditions tab.
  8. From the Identity Provider drop-down list, select the Okta Identity Lookup Provider you created (see the Creating an Identity Lookup Provider section).
  9. In the Groups field, select the group you want to apply this role to.

    NOTE: The displayed group names are the Local Groups you configured in the Identity Lookup Provider.
  10. Click Update.

Default Fallback Policy Engine Workflow

You may notice that your Policy Engine Workflows have a “DEFAULT FALLBACK ROLE POLICY” after you create an Identity Lookup Provider.

If the Identity lookup fails, this policy allows the user to still authenticate to the network but assigns them a unique role.

This ensures that users don’t experience disconnections if there is a transient failure in the connection between Okta and Cloud RADIUS. Your network can remain secure, and you can have those users auto-assigned into a Guest VLAN.

NOTE: DEFAULT FALLBACK ROLE POLICY is by default assigned the DEFAULT NETWORK POLICY.

Configuring Network Policy

A Network Policy specifies how Cloud RADIUS will authorize access for a particular Policy Engine Workflow.

A typical Network Policy would say something like the following: “If User Role = Staff, authorize access and assign them to VLAN 2.”

You can configure any RADIUS attribute to be sent to the wireless controller in the reply. If you leave the attribute section blank, Cloud RADIUS sends a plain Access-Accept with no additional attributes.

To create and configure the Network Policy, follow the steps below:

  1. Navigate to Policy Management > Network Policies.
  2. On the Network Policies page, click Add Network Policy.
  3. In the Basic section, in the Name field, enter the name of the network policy.
  4. In the Display Description field, enter the suitable description for the network policy.
  5. Click Save.
  6. The page refreshes and displays the Conditions and Settings tabs.
  7. Select the Conditions tab.
  8. Select Match All or Match Any based on your requirement to set authentication criteria. In the case explained here, we are selecting Match All.
  9. Click Add rule.
  10. Expand Device and select the Device Role option.
  11. Expand Identity and select the Role option.
  12. Click Save.
  13. The Device Role and Role options appear under the Conditions tab.
  14. From the Device Role Equals drop-down list, select the default device role policy.
  15. From the Role Equals drop-down list, select the Policy Engine Workflow you created earlier (refer to the Policy Engine Workflow for Network Authentication section). You can select multiple Policy Engine Workflows to assign to a Network Policy.

    NOTE: You can assign a network policy to multiple user roles.
  16. Select the Settings tab.
  17. Click Add Attribute.

    1. From the Dictionary drop-down list, select an option: Radius: IETF or Custom.
    2. From the Attribute drop-down list, select any one of the following options.
      • Framed-Protocol
      • Framed-IP-Address
      • Framed-IP-NetMask
      • Framed-Routing
      • Filter-Id
      • Framed-MTU
      • Framed-Compression
      • Reply-Message
      • Framed-Route
      • Framed-IPX-Network
      • State
      • Class
      • Session-Timeout
      • Tunnel-Type
      • Tunnel-Medium-Type
      • Tunnel-Private-Group-ID
      • Framed-Pool
    3. In the Value field, enter the appropriate value for the attribute. For dynamic VLAN assignment (RFC 3580), send Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802 and Tunnel-Private-Group-ID = the VLAN ID together; most controllers only apply the VLAN when all three are present.
    4. Click Save.
  18. Click Update.

NOTE: Repeat the process for every attribute you want sent to the wireless controller when this Network Policy matches, and create a Network Policy for each Policy Engine Workflow that needs different attributes.
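The Account Lookup Policy, Policy Engine Workflows, Default Fallback role and Network Policies configured above form one decision chain that Cloud RADIUS walks for every 802.1X request. The following added example (not SecureW2 code) models that chain so the interaction between the pieces can be seen in one place: the identity regex selects a lookup provider, the lookup result and local group select a workflow, the workflow selects the RADIUS reply attributes, and an unreachable Okta falls through to the fallback role. Policy names, VLAN IDs, group names and the sample accounts are constructed, and the split between “Okta could not be queried” (fallback role) and “Okta says the user is inactive or unknown” (reject, revoke if Revoke On Failure is set) is this model’s assumption; confirm it against your tenant before relying on it.

```python
"""Model of the configured policy chain for one 802.1X request: Account
Lookup Policy (identity regex -> lookup provider), Policy Engine Workflows
(lookup result + local group -> role), Default Fallback role when Okta
cannot be queried, Network Policies (role -> RADIUS reply attributes).
Added example, not SecureW2 code; all names, VLAN IDs and accounts are
constructed, and the fallback-vs-reject split is this model's assumption."""
import re
from dataclasses import dataclass, field
from typing import Callable, Optional


def vlan_attributes(vlan_id: int) -> dict:
    """RFC 3580 dynamic VLAN assignment needs all three attributes together:
    Tunnel-Type=VLAN (13), Tunnel-Medium-Type=IEEE-802 (6) and the VLAN ID."""
    return {"Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "IEEE-802",
            "Tunnel-Private-Group-ID": str(vlan_id)}


# --- constructed configuration mirroring the portal objects ----------------
ACCOUNT_LOOKUP_POLICIES = [
    {"name": "Okta users", "identity_regex": r"^[^@\s]+@example\.com$",
     "provider": "okta-lookup", "revoke_on_failure": False},
]
LOCAL_GROUPS = {"Staff": "Staff", "Contractors": "Contractors (Okta)"}  # local -> remote name
WORKFLOWS = [  # evaluated in order; a workflow with no group matches any active user
    {"name": "Staff", "provider": "okta-lookup", "group": "Staff"},
    {"name": "Contractors", "provider": "okta-lookup", "group": "Contractors"},
    {"name": "Okta authenticated", "provider": "okta-lookup", "group": None},
]
FALLBACK_ROLE = "DEFAULT FALLBACK ROLE POLICY"
NETWORK_POLICIES = {
    "Staff": vlan_attributes(10),
    "Contractors": vlan_attributes(20),
    "Okta authenticated": vlan_attributes(30),
    FALLBACK_ROLE: vlan_attributes(99),       # guest VLAN for the fallback role
}


@dataclass
class Decision:
    result: str                    # "Access-Accept" or "Access-Reject"
    role: Optional[str]
    attributes: dict = field(default_factory=dict)
    reason: str = ""


def authorize(identity: str, lookup: Callable[[str], dict],
              revoke: Optional[Callable[[str], None]] = None,
              policies=ACCOUNT_LOOKUP_POLICIES) -> Decision:
    """identity: the certificate field chosen as Lookup Type (e.g. SAN UPN).
    lookup(identity) returns {"found", "active", "status", "groups"} or
    raises ConnectionError when Okta cannot be reached."""
    policy = next((p for p in policies if re.match(p["identity_regex"], identity)), None)
    if policy is None:
        return Decision("Access-Reject", None, reason="no Account Lookup Policy matches identity")
    try:
        account = lookup(identity)
    except ConnectionError as err:
        # Okta gave no answer: keep the user connected, but only in the fallback role
        return Decision("Access-Accept", FALLBACK_ROLE, NETWORK_POLICIES[FALLBACK_ROLE],
                        f"lookup error ({err}); fallback role applied")
    if not account["found"] or not account["active"]:
        # Okta answered and the account is unusable: reject despite the valid certificate
        if policy["revoke_on_failure"] and revoke is not None:
            revoke(identity)
        return Decision("Access-Reject", None,
                        reason=f"account status {account.get('status', 'not found')}")
    for wf in WORKFLOWS:
        if wf["provider"] == policy["provider"] and (
                wf["group"] is None or LOCAL_GROUPS[wf["group"]] in account["groups"]):
            return Decision("Access-Accept", wf["name"], NETWORK_POLICIES.get(wf["name"], {}),
                            f"workflow {wf['name']!r} matched")
    return Decision("Access-Reject", None, reason="active user but no workflow matched")


# --- constructed sample directory standing in for the Okta lookup -----------
_ACCOUNTS = {
    "alice@example.com": {"found": True, "active": True, "status": "ACTIVE",
                          "groups": ["Everyone", "Staff"]},
    "carol@example.com": {"found": True, "active": True, "status": "ACTIVE",
                          "groups": ["Everyone", "Contractors (Okta)"]},
    "dave@example.com": {"found": True, "active": True, "status": "ACTIVE", "groups": ["Everyone"]},
    "bob@example.com": {"found": True, "active": False, "status": "DEPROVISIONED", "groups": []},
}


def okta_lookup(identity: str) -> dict:
    return _ACCOUNTS.get(identity, {"found": False})


def okta_unreachable(identity: str) -> dict:
    raise ConnectionError("connection to dev-123456.okta.com timed out")


if __name__ == "__main__":
    for who in ("alice@example.com", "carol@example.com", "dave@example.com",
                "bob@example.com", "mallory@evil.example"):
        print(who, authorize(who, okta_lookup))
    print("okta down:", authorize("alice@example.com", okta_unreachable))
```

Two behaviours in this model are worth checking against your own configuration: workflow order matters (a user in both Staff and Contractors gets the Staff VLAN here because that workflow is listed first), and a fallback Access-Accept lands the user on the guest VLAN, so the Default Fallback role should never be mapped to the same attributes as a privileged role.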

Conclusion

Dynamic RADIUS changes how certificate-based WPA2-Enterprise networks are run: by checking the user’s Okta account status at every authentication, it closes the gap between a user being disabled in the directory and that user’s certificate being revoked, and the SecureW2 solution manages the certificates and policies around it. SecureW2 has affordable options for organizations of all sizes.