Implementing WPA2-Enterprise with Dynamic RADIUS and Okta

Digital certificates have proven that networks can bolster their security without sacrificing user experience. Though many have dismissed certificate-based authentication in the past, it has become a gold standard for wireless security.

SecureW2 provides a Managed Cloud PKI solution allowing Okta customers to implement 802.1X and certificate-based authentication. This setup makes it easier to configure WPA2-Enterprise Wi-Fi and user authentication for Wi-Fi, VPN, Web Apps, Desktop Logon, etc. Check out our setup guide on how to configure WPA2-Enterprise with Okta.

SecureW2’s PKI is built with a Dynamic RADIUS server that can be configured to communicate with your directory and enforce user policies at the time of authentication. Cloud RADIUS empowers organizations with certificates because it’s the only RADIUS server that can securely communicate with Cloud Identity Providers (IDPs). Admins no longer have to reissue brand new certificates when a user’s policy changes; the change takes effect immediately at the next authentication.

Below, we lay out how you can integrate SecureW2’s Dynamic RADIUS with your Okta setup.

Creating API Token

  1. Log in to the Okta Portal.
  2. On the left pane, from the Security menu, select API.
  3. Click Tokens and on the displayed screen, click the Create Token button.
  4. In the Create token dialog box, enter a name for the token and click Create Token.
  5. On the displayed screen, copy the token value on your console.

NOTE: Ensure that you save the token value on your console.

Getting Started

After creating an API token in Okta, you need to run the Getting Started wizard, create an Identity Lookup Provider in SecureW2 to communicate with Okta, and finally create user and group policies to implement network authentication.

The Getting Started Wizard creates everything you need for 802.1X. It will generate a RADIUS Server, Network Profiles, a Landing Page for Device Onboarding, and all the default network settings you will need for 802.1X.

NOTE: If you have already configured SecureW2 for your network, you may skip this step.

  1. Navigate to Device Onboarding > Getting Started.
  2. From the Profile Type drop-down list, select the network profile type.
  3. In the SSID text box, type a name for the SSID.
  4. From the Security Type drop-down list, select WPA2-Enterprise.
  5. From the EAP Method drop-down list, select EAP-TLS.
  6. From the Policy drop-down list, select DEFAULT.
  7. From the Wireless Vendor drop-down list, select a wireless provider.
  8. From the RADIUS Vendor drop-down list, select a RADIUS vendor.
  9. Click Create. Your network profile is generated.

NOTE: The Getting Started wizard typically takes 60-90 seconds to create everything required. Wait for the process to complete before moving to the next steps.

Creating Identity Lookup Provider

An identity provider (IDP) is the system that verifies the identity of a user or device. Creating an IDP in SecureW2 tells the Cloud Connector system how to connect to your Okta user database, verify user identities, and issue certificates.

During the authentication process, identity lookup validates that a user is active within the organization by checking the identifying information against the existing users in the Identity Provider.

  1. Navigate to Identity Management > Identity Providers.
  2. Click Add Identity Provider.
  3. On the displayed screen, enter a Name and Description of the Identity Provider.
  4. From the Type drop-down list, select Okta Identity Lookup.
  5. Click Save.
  6. On the displayed screen, click the Configuration tab.
    1. In the Provider URL field, enter your Okta organization URL. For example, https://dev-123456.okta.com/.

      NOTE: Do not use the "admin" variant of the organization URL; the lookup fails against it.

    2. In the API Token field, enter the token you obtained from the Okta portal (see the Creating API Token section).
    3. Click Update.

The Identity Lookup Provider is displayed on the Identity Providers page.

NOTE: If the Identity Lookup Provider is deleted in the JoinNow MultiOS Management Portal, the app in the Okta portal is also deleted.

Adding Attributes

To add a custom attribute to the identity lookup provider, follow the given steps.

  1. Navigate to the Attribute Mapping tab.
  2. Click Add.
  3. In the Local Attribute field, enter a name for the attribute.
  4. In the Remote Attribute field, select the attribute to be mapped to the Local Attribute. If you select User Defined, enter a value to be mapped.
  5. Click Next to create the custom attribute with the appropriate mapping.
  6. Click Update.

Configuring Groups

Cloud RADIUS can perform a User Group Lookup, so you can create network access policies based on the groups a user belongs to.

  1. Navigate to the Groups tab.
  2. Click Add.
    1. In the Local Group field, enter a name for the group. This name will be displayed as your 'Group' in the JoinNow MultiOS Management Portal when you configure policies.
    2. In the Remote Group field, enter the name of your group as it is configured in the Okta portal.
  3. Click Create.

NOTE: Repeat the process as required for the groups you wish to create network policies around.

Configuring Policies

By integrating Dynamic RADIUS with Okta, the RADIUS server can segment users and determine access levels for each user based on their stored directory information. Better yet, enforcement occurs at runtime, meaning the changes you make to a user’s permissions are implemented immediately instead of taking a day or two to propagate.

The following policies need to be configured:

Account Lookup Policy

Lookup Policies are how we tie our new Identity Lookup Provider to domains. Here we will create a condition that ties our domain to the new Identity Lookup Provider we just created in the previous section.

  1. Navigate to Policy Management > Account Lookup Policies.
  2. Click Add Account Lookup Policy.
  3. On the displayed screen, enter a Name and Display Description of the Account Lookup Policy.
  4. Click Save.
  5. Click the Conditions tab.
  6. From the Identity drop-down list, select an option from the following:
    • Username
    • Certificate-CommonName
    • Certificate-SAN-UPN
    • Certificate-SAN-Email
  7. In the Regex field, enter the value you want to match.
  8. Click Update.
  9. Click the Settings tab.
  10. From the Identity Provider Lookup drop-down list, select the Lookup Identity Provider created earlier (see the Creating Identity Lookup Provider section).
  11. From the Lookup Type drop-down list, select the lookup type: Auto or Custom.
  12. From the Identity drop-down list, select an option from the following:
    • Username
    • Certificate-CommonName
    • Certificate-SAN-UPN
    • Certificate-SAN-Email
    • Certificate-SAN-DNS
    • Client ID
    • Computer Identity
  13. Select the Revoke On Failure checkbox.
  14. Click Update.

User Role Policy

User Role Policy for Network Authentication

First, create a role policy for network authentication. This policy is used by the Cloud RADIUS Dynamic Policy Engine to look up the status of a user during authentication. Cloud RADIUS can then dynamically apply the network policies, which you will configure next.

  1. Navigate to Policy Management > Roles Policies.
  2. On the Role Policies page, click Add Role.
  3. On the displayed screen, enter a Name and Display Description for the Role policy.
    NOTE: Ensure that you create a separate role policy for authentication.
  4. Click Save.
  5. Click the Conditions tab.
  6. From the Identity Provider drop-down list, select the Identity Provider you created earlier.
  7. Click Update.

Group Role Policy for Network Authentication

Next, create role policies for the groups that you want to give differentiated network access. You can then leverage the Cloud RADIUS Dynamic Policy Engine to send unique RADIUS attributes based on the user's group, via the network policies.

  1. Navigate to Policy Management > Roles Policies.
  2. On the Role Policies page, click Add Role.
  3. On the displayed screen, enter a Name and Display Description for the group role policy.
  4. Click Save.
  5. Click the Conditions tab.
  6. From the Identity Provider drop-down list, select the Okta Identity Lookup Provider you created (see the Creating Identity Lookup Provider section).
  7. In the Groups field, select the group you want to apply this role to.
    NOTE: The displayed group names are the Local Groups you configured in the Identity Lookup Provider.
  8. Click Update.

Default Fallback Role Policy

You may notice that there is a “DEFAULT FALLBACK ROLE POLICY” in your User Role policies after you create an Identity Lookup Provider.

The purpose of this policy is: if the Identity Lookup fails, allow the user to still authenticate to the network but assign them a unique role.

This ensures both that users don’t experience disconnects if there’s a small hiccup in the connection between Okta and Cloud RADIUS, and that your network remains secure, because those users can be auto-assigned into a Guest VLAN rather than receiving their normal access.

NOTE: The DEFAULT FALLBACK ROLE POLICY is assigned the DEFAULT NETWORK POLICY by default. Check what that network policy sends, and attach a restricted (Guest VLAN) network policy to the fallback role if the default would grant full access.

Network Policy

The purpose of a Network Policy is to specify how Cloud RADIUS will authorize access to a particular User Role.

A typical Network Policy would say something like: “If User Role = Staff, authorize access and assign them to VLAN 2”.

You can configure any RADIUS Attribute to be sent to the wireless controller. If you leave the attribute section blank, it will just send Access Accept. To create and configure the Network Policy, follow the steps below:

  1. Navigate to Policy Management > Network Policies.
  2. On the Network Policies page, click Add Network Policy.
  3. On the displayed screen, enter a Name and Display Description for the network policy in the corresponding fields.
  4. Click Save.
  5. Click the Conditions tab.
  6. Click Add group and select the user role you want to assign to this network policy.
    NOTE: You can assign a network policy to multiple user roles.
  7. Click the Settings tab.
  8. Click Add Attribute.
    1. From the Dictionary drop-down list, select an option: Radius:IETF or Custom.
    2. From the Attribute drop-down list, select an option.
    3. In the Value field, enter the appropriate value for the attribute.
    4. Click Save.
    5. Click Update.

NOTE: Repeat the process for all the attributes you want to send to the User Role.
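To make the whole policy chain concrete (the Account Lookup Policy regex condition, the Okta Identity Lookup, the Role Policies including the Default Fallback, and the Network Policy that sends RADIUS attributes), here is an added Python model of how one EAP-TLS authentication is evaluated; it is not SecureW2 code. The Okta directory, group names and VLAN IDs are constructed, while the Okta user statuses (ACTIVE, DEPROVISIONED) and the RFC 2868 tunnel attributes are real; it assumes that Revoke On Failure flags the certificate for revocation when Okta reports the user as not active, and that the fallback role applies only when the lookup itself fails, not when the user is inactive.

```python
import re

# Constructed stand-in for the Okta directory the Identity Lookup Provider
# queries; in production this is an Okta API call made with the API token.
OKTA_USERS = {
    "alice@example.com": {"status": "ACTIVE", "groups": ["Staff"]},
    "bob@example.com": {"status": "DEPROVISIONED", "groups": ["Staff"]},
    "carol@example.com": {"status": "ACTIVE", "groups": ["Everyone"]},
}
GROUP_MAP = {"staff": "Staff"}  # Groups tab: Local Group -> Remote (Okta) Group
LOOKUP_POLICY = {"identity": "Certificate-SAN-UPN",  # Account Lookup Policy
                 "regex": r"^[^@\s]+@example\.com$", "revoke_on_failure": True}
FALLBACK = "DEFAULT FALLBACK ROLE POLICY"

def vlan_attributes(vlan_id):
    """IETF RADIUS tunnel attributes (RFC 2868) that put the session in a VLAN."""
    return {"Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "IEEE-802",
            "Tunnel-Private-Group-ID": str(vlan_id)}
# Network Policies: user role -> attributes sent with Access-Accept
NETWORK_POLICIES = {"staff": vlan_attributes(2),   # "User Role = Staff -> VLAN 2"
                    FALLBACK: vlan_attributes(99)}  # constructed Guest VLAN

def okta_lookup(login, okta_reachable=True):
    """Simulated Okta Identity Lookup; raises when Okta cannot be reached."""
    if not okta_reachable:
        raise ConnectionError("Okta unreachable")
    return OKTA_USERS.get(login)

def authorize(cert, okta_reachable=True):
    """Run one EAP-TLS authentication through the policy chain (cert: field -> value)."""
    decision = {"result": "Access-Reject", "role": None, "attributes": {}, "revoke": False}
    identity = cert.get(LOOKUP_POLICY["identity"], "")
    if not re.fullmatch(LOOKUP_POLICY["regex"], identity):
        return decision  # 1. Account Lookup Policy condition did not match
    try:
        user = okta_lookup(identity, okta_reachable)  # 2. Identity Lookup in Okta
    except ConnectionError:
        # 3a. Lookup itself failed: Default Fallback Role Policy still accepts, on the Guest VLAN
        decision.update(result="Access-Accept", role=FALLBACK, attributes=NETWORK_POLICIES[FALLBACK])
        return decision
    if user is None or user["status"] != "ACTIVE":
        # 3b. Okta answered but user is unknown/inactive: reject; Revoke On Failure flags the cert
        decision["revoke"] = LOOKUP_POLICY["revoke_on_failure"]
        return decision
    # 4. Role Policies: group role via the Local Group mapping, else the plain user role
    role = next((loc for loc, rem in GROUP_MAP.items() if rem in user["groups"]), "user")
    # 5. Network Policy for that role; no attributes means a bare Access-Accept
    decision.update(result="Access-Accept", role=role, attributes=NETWORK_POLICIES.get(role, {}))
    return decision
```

Running authorize() for each constructed user shows the four outcomes the sections above describe: VLAN 2 for an active Staff member, a bare Access-Accept for an active user in no mapped group, a reject plus revocation flag for a deprovisioned user, and the Guest VLAN when Okta is unreachable.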

Conclusion

Dynamic RADIUS will revolutionize the way certificate-based WPA2-Enterprise networks are run. It eliminates all traces of security weaknesses and makes it easier to manage certificates and users. SecureW2 has affordable options for organizations of all sizes. Click here to see our pricing.