黑料海角91入口 RADIUS supports both credential-based (password) and certificate-based (passwordless) authentication. Certificate Based Authentication (CBA) is considered the most secure authentication method, with the least user friction. At this time, 黑料海角91入口 supports certificates issued by multiple certificate authorities (CAs). 黑料海角91入口 RADIUS allows organizations that already use and manage certificates to import them into 黑料海角91入口 and use them for authentication to 黑料海角91入口 RADIUS.
Considerations:
- The certificate functionality allows administrators to use password credentials as a backup to certificates for user login.
- Using passwords as a backup for certificates gives admins the flexibility to try certificates without relying solely on them.
- MFA can be used with password credentials but not with certificates (passwordless).
Provisioning Certificates
- Certificate Authority and root trust chain
  - 黑料海角91入口 offers the flexibility for organizations to import the root trust chain or Certificate Authority (CA) into 黑料海角91入口 and use it for authentication to 黑料海角91入口 RADIUS for network access.
  - The CA may be a third-party Certificate Authority (such as GlobalSign) or a self-signed CA.
  - Certificates can originate from multiple different certificate authorities, which vouch for the origin and good standing of the certificate.
  - 黑料海角91入口 has created PowerShell scripts that serve as examples of the certificate creation, generation, and import process. See for more information about using the scripts.
- User Certificate types
  - 黑料海角91入口 RADIUS supports three types of User Certificates:
    - Client cert with the 黑料海角91入口 user email in the subject alternative name
    - Client cert with the 黑料海角91入口 user email in the subject distinguished name
    - Client cert with the 黑料海角91入口 username in the common name
  - The user certificates must be installed in the user or local store (for example, the Current User/Personal store in Windows) of the target device performing the RADIUS access request.
  - The user certificates must have been issued by, and chain to, the CA uploaded to 黑料海角91入口 RADIUS.
- Certificate Status check
  - 黑料海角91入口 RADIUS supports validating the good standing of a certificate on every authentication transaction via the Online Certificate Status Protocol (OCSP). The OCSP responder that answers on behalf of the CA must be named in the User Certificate: the authorityInfoAccess extension must contain an OCSP access method whose access location is the URL of that responder.
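The following script is an added example written for this page; it is not one of the vendor's PowerShell scripts and does not touch the product. It uses the OpenSSL command line to build a throwaway lab CA, issue one user certificate in each of the three identity forms listed above (email in the SAN, email in the subject DN, username in the CN), and then run the two checks an administrator would want before uploading a CA: does each user certificate chain to that CA, and does its authorityInfoAccess extension name an OCSP responder so the per-authentication status check can work. The CA name, the user `jdoe`, the domain `example.test` and the OCSP URL are constructed placeholders; the script assumes `openssl` (1.1.1 or newer) and `mktemp` are on the path.

```shell
#!/bin/sh
# Added example: lab CA plus user certs in the three identity forms, then the
# chain and OCSP-AIA checks. All names, addresses and URLs are placeholders.
set -u
WORK=${WORK:-$(mktemp -d)}
OCSP_URL="http://ocsp.example.test/"   # placeholder responder, not a real service

# Minimal req config so the script does not depend on the system openssl.cnf.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

# make_ca: self-signed lab CA; ca.pem is what an admin would upload as the trust anchor.
make_ca() {
  openssl req -x509 -config "$WORK/req.cnf" -extensions v3_ca \
    -newkey rsa:2048 -nodes -days 365 -subj "/CN=Lab Root CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
}

# issue_user_cert NAME SUBJECT [SAN_EMAIL]: client-auth cert signed by the lab CA.
# Every cert gets an OCSP access method in authorityInfoAccess.
issue_user_cert() {
  n=$1; subj=$2; san=${3:-}
  {
    echo "basicConstraints=CA:FALSE"
    echo "keyUsage=digitalSignature"
    echo "extendedKeyUsage=clientAuth"
    echo "authorityInfoAccess=OCSP;URI:$OCSP_URL"
    if [ -n "$san" ]; then echo "subjectAltName=email:$san"; fi
  } > "$WORK/$n.ext"
  openssl req -new -config "$WORK/req.cnf" -newkey rsa:2048 -nodes \
    -subj "$subj" -keyout "$WORK/$n.key" -out "$WORK/$n.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$n.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 90 -extfile "$WORK/$n.ext" -out "$WORK/$n.pem" 2>/dev/null
}

# cert_text FILE: decoded certificate, reused by the checks below.
cert_text() { openssl x509 -in "$1" -noout -text; }

# classify_identity FILE: which supported identity form the cert carries.
# Prints san_email, dn_email, cn_username or none (checked in that order).
classify_identity() {
  if cert_text "$1" | grep -q '^ *email:'; then echo san_email
  elif openssl x509 -in "$1" -noout -subject | grep -q 'emailAddress'; then echo dn_email
  elif openssl x509 -in "$1" -noout -subject | grep -q 'CN'; then echo cn_username
  else echo none; fi
}

# has_ocsp_aia FILE: succeeds when authorityInfoAccess names an OCSP responder URL.
has_ocsp_aia() { cert_text "$1" | grep -q 'OCSP - URI:'; }

# chains_to_ca FILE: succeeds when the cert verifies against the lab CA.
chains_to_ca() { openssl verify -CAfile "$WORK/ca.pem" "$1" >/dev/null 2>&1; }

demo() {
  make_ca
  issue_user_cert san_user "/CN=jdoe" "jdoe@example.test"
  issue_user_cert dn_user  "/emailAddress=jdoe@example.test/CN=jdoe"
  issue_user_cert cn_user  "/CN=jdoe"
  for n in san_user dn_user cn_user; do
    f="$WORK/$n.pem"
    printf '%s: identity=%s ocsp_aia=%s chains_to_ca=%s\n' "$n" \
      "$(classify_identity "$f")" \
      "$(has_ocsp_aia "$f" && echo yes || echo no)" \
      "$(chains_to_ca "$f" && echo yes || echo no)"
  done
}
demo
```

Run it as `sh check_user_certs.sh`; each line reports the identity form found, whether an OCSP URL is present, and whether the certificate chains to the lab CA. Pointing `chains_to_ca` at certificates from a CA that was not uploaded is the quickest way to confirm a failed authentication is a trust-chain problem rather than an identity-mapping one.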
Admin Experience: Authenticating Users with Certificates
- In the 黑料海角91入口 Admin Portal, go to the User Authentication > RADIUS area and select the green plus (+) button to add a new RADIUS server.
- On the Authentication tab, choose 黑料海角91入口 as the Identity Provider and under the Authentication Method, click on the Passwordless option.
- (Optional) Select Allow password authentication as an alternative method.
  - Note: If this checkbox is selected, admins can enable certificates for some users while allowing others to continue validating by username and password. Users will continue to have the option to validate by username and password, but once they choose to validate with certificates and a valid certificate is found, the password option will no longer be presented.
- Once Passwordless has been selected, you will not be able to Save until a certificate has been successfully uploaded (or the authentication method has been changed back to Password).
- To upload your certificate, click on the Choose a File button, navigate to the file location, and select it for uploading.
- Once the file has uploaded successfully, the file name is displayed on the screen and the options change to replacing or deleting the file. There is also an option to view the full CA chain.
- Clicking Save will return the user to the main RADIUS screen, where the Certificate badge will display in the Primary Authentication column.
User Experience
When a user connects to a Wi-Fi network configured to authenticate with a certificate for the first time, the user will be able to select 'Connect using a certificate'. On subsequent attempts the authentication will be automatic.
On macOS, users will need to enter their password to allow changes to Certificate Trust Settings, and to sign in and allow access to the "private key," and should select "Always Allow" when prompted.