New Member
Posts: 3
Registered: 02-20-2018
Kudos: 2
Solutions: 1

Using Jumpcloud's Radius servers.

I am trying to connect my UniFi controller to the Jumpcloud RADIUS servers following this guide.  In the UniFi controller, I have created a new SSID called Radius, checked Enable this Wireless Network, WPA Enterprise, and have created a new RADIUS Profile called Jumpcloud without VLAN support, and with the two RADIUS Auth Servers mentioned in Jumpcloud's guide, on port 1812, and with my Shared Secret from Jumpcloud.

In the UniFi controller, under Services, no users have been created.  Under User Groups, the Default user group is Unlimited in every way.  Under Firewall, I have not added any rules for 1812.

In Jumpcloud, I have created a group of all employees, and added it to the RADIUS client with my IP address.

And when I try to connect from any device or any user, I am denied access.  Since Jumpcloud does not do logging, it is hard for me to know what is wrong.  Any suggestions?


New Member
Posts: 26
Registered: 10-23-2017
Kudos: 6

Re: Using Jumpcloud's Radius servers.

I just set up RADIUS a few days ago with JumpCloud and it is working fine.  Were you able to get this working?

3x Security Gateway 4P, 3x Switch 16XG, 19x Switch 48 POE-500W, 2x Switch 24 POE-250W, 53x AP-AC-Pro
New Member
Posts: 3
Registered: 02-20-2018
Kudos: 2
Solutions: 1

Re: Using Jumpcloud's Radius servers.

Yes, the problem was that Unifi does not allow special characters in the secret key.  This is not documented.

New Member
Posts: 2
Registered: 08-18-2018

Re: Using Jumpcloud's Radius servers.

I've been trying to do the same thing. I set up the RADIUS profile on the Unifi controller and created a RADIUS server on Jumpcloud. I don't have any special characters in my shared secret (which makes me nervous). As of now, I have only one test user on Jumpcloud. I've created a wireless network that uses RADIUS authentication.  When I try to authenticate via 802.1X, it sits for a while and then tells me that the network can't be joined. (I have another, PSK2 network on the same access point so I know that everything else works fine.)

Any ideas? Thanks!

- keith

New Member
Posts: 26
Registered: 10-23-2017
Kudos: 6

Re: Using Jumpcloud's Radius servers.

Maybe the RADIUS profile in JumpCloud doesn't have any users added to it.  But here are some things to keep in mind:

1) Confirm the shared secret in JumpCloud > RADIUS > RADIUS server configuration matches what is in the Unifi Controller at Settings > Profiles > edit RADIUS profile.

2) Apply the RADIUS profile to a wireless network in the Unifi Controller at Settings > Wireless Networks > edit RADIUS network > select correct RADIUS profile in the dropdown.

3) Make sure the IP addresses listed at JumpCloud > RADIUS > select your RADIUS server > Details tab match the new IP addresses for JumpCloud RADIUS:
https://support.jumpcloud.com/customer/en/portal/articles/2406827

4) Add users to the RADIUS server at JumpCloud > RADIUS > select your RADIUS server > User Groups tab.  First create a user group for RADIUS users, then add users to the group.  Add that group under the User Groups tab.

5) When entering your credentials when attempting to connect to the wifi network, only use the portion before @xyz.com: john.doe@xyz.com only needs to input john.doe.  The password is whatever is assigned via JumpCloud.

3x Security Gateway 4P, 3x Switch 16XG, 19x Switch 48 POE-500W, 2x Switch 24 POE-250W, 53x AP-AC-Pro
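Added example (not code from this thread, JumpCloud or Ubiquiti) of what the shared-secret and user-name steps in the checklist above mean on the wire: a Python sketch of the RFC 2865 Access-Request/Access-Accept exchange against a toy stand-in server, with no network traffic. The secret, user, password and NAS address are constructed. Two things it makes visible that the posts only hint at: the protocol treats the shared secret as opaque bytes, so the "no special characters" limit in the accepted answer belongs to the UniFi input field and not to RADIUS; and a mismatched secret does not produce a rejection at all, because the NAS cannot verify the reply's Response Authenticator and must silently discard it, which the client experiences as a long wait followed by "can't join". A real WPA Enterprise login carries PEAP/TTLS inside EAP-Message attributes rather than the User-Password attribute used here, but the secret and authenticator mechanics are the same.

```python
"""RFC 2865 Access-Request/Access-Accept exchange, built and checked by hand.
Added example for this thread, not code from the page, JumpCloud or Ubiquiti.
The server is a toy stand-in with one constructed user; nothing touches the
network.  WPA Enterprise carries PEAP/TTLS inside EAP-Message attributes rather
than User-Password, but the shared-secret and authenticator mechanics are the same."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4

# Constructed test data.  The secret deliberately holds the characters the
# thread says the UniFi UI rejects: RFC 2865 treats the secret as opaque bytes.
SECRET = b"j8!Tq#%&*(z)<>\"'\\"
USERS = {"john.doe": "Correct-Horse"}  # what the toy server knows

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 s5.2: pad to 16-byte blocks, XOR each block with
    MD5(secret + previous block), seeded by the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += prev
    return out

def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password, as the server does it (trailing pad stripped)."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def encode_attrs(attrs) -> bytes:
    """Type(1) Length(1) Value, length counting the two header bytes."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def decode_attrs(data: bytes):
    attrs, i = [], 0
    while i + 2 <= len(data):
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs

def build_access_request(ident, username, password, secret, nas_ip) -> bytes:
    """Code(1) Identifier(1) Length(2) RequestAuthenticator(16) Attributes."""
    req_auth = os.urandom(16)
    body = encode_attrs([
        (ATTR_USER_NAME, username.encode()),
        (ATTR_USER_PASSWORD, hide_password(password.encode(), secret, req_auth)),
        (ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))),
    ])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + req_auth + body

def build_response(code, request, secret, attrs=()) -> bytes:
    """Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    body = encode_attrs(list(attrs))
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    return header + hashlib.md5(header + request[4:20] + body + secret).digest() + body

def verify_response(response, request, secret) -> bool:
    """NAS-side check; RFC 2865 says a reply that fails it is silently discarded."""
    header, resp_auth, body = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + request[4:20] + body + secret).digest()
    return hmac.compare_digest(expected, resp_auth)

def toy_radius_server(request, server_secret) -> bytes:
    """Stand-in for the JumpCloud side, using *its* copy of the secret."""
    length = struct.unpack("!BBH", request[:4])[2]
    attrs = dict(decode_attrs(request[20:length]))
    user = attrs.get(ATTR_USER_NAME, b"").decode(errors="replace")
    pw = reveal_password(attrs.get(ATTR_USER_PASSWORD, b""), server_secret, request[4:20])
    ok = user in USERS and hmac.compare_digest(pw, USERS[user].encode())
    return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, request, server_secret)

def nas_authenticate(login, password, nas_secret, server_secret, nas_ip="203.0.113.10"):
    """Returns 'accept', 'reject' or 'dropped'.  'dropped' is what a secret
    mismatch produces: the reply fails verification, the NAS treats it as no
    reply at all, and the client sees a long wait instead of a denial."""
    username = login.split("@", 1)[0]  # step 5 above: send the local part only
    request = build_access_request(7, username, password, nas_secret, nas_ip)
    response = toy_radius_server(request, server_secret)
    if not verify_response(response, request, nas_secret):
        return "dropped"
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}[response[0]]

if __name__ == "__main__":
    print(nas_authenticate("john.doe@xyz.com", "Correct-Horse", SECRET, SECRET))   # accept
    print(nas_authenticate("john.doe@xyz.com", "wrong", SECRET, SECRET))           # reject
    print(nas_authenticate("john.doe@xyz.com", "Correct-Horse", SECRET, b"other")) # dropped
```

The third call is the case worth remembering when debugging from the controller side with no logs from the RADIUS provider: a wrong user or password comes back as an explicit reject, but a secret mismatch (typo, trailing space, a character one side's UI silently stripped) comes back as nothing usable, so the NAS retries and the client times out. The Response Authenticator also binds the reply to the request, which the test below shows by flipping an Accept into a Reject and watching verification fail.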
New Member
Posts: 2
Registered: 08-18-2018

Re: Using Jumpcloud's Radius servers.

Thanks! I think I was using a different IP for the Jumpcloud RADIUS server. I'll double check now.

New Member
Posts: 2
Registered: 06-15-2014
Kudos: 3

Re: Using Jumpcloud's Radius servers.

This is very tangential to the original topic, but @ctfprq @kruskin @soremekun, how are you ensuring clients correctly validate the jumpcloud RADIUS server certificate?

I've been reading around on attacks on EAP-PEAP and EAP-TTLS (jumpcloud's supported methods for RADIUS), and I'm a little bit spooked.

The takeaway from the above seems to be that an attacker can steal NTLM hashes of my users' SSO credentials by:

  • setting up a rogue AP, impersonating my SSID
  • setting up a rogue RADIUS server, with its own certificate
  • trusting that some clients will blindly trust this rogue certificate when authenticating.
    • Some users might blindly click through warnings
    • Even worse: some client devices by default present no warnings and accept any received certificate.

It feels like, even if I distribute machines with certificate pinning correctly configured, it would be very hard to prevent some user from trying to connect their own, unapproved, device to the network, inadvertently misconfiguring their client, and then potentially leaking their JumpCloud SSO credentials to an attacker and thus giving said attacker access to the Wifi and, because of SSO, access to any internal services relying on JumpCloud for user authentication.

How are you going about locking down the clients against possible misconfiguration?

New Member
Posts: 26
Registered: 01-08-2015
Kudos: 4

Re: Using Jumpcloud's Radius servers.


@NAR8789 wrote:

This is very tangential to the original topic, but @ctfprq @kruskin @soremekun, how are you ensuring clients correctly validate the jumpcloud RADIUS server certificate?

I've been reading around on attacks on EAP-PEAP and EAP-TTLS (jumpcloud's supported methods for RADIUS), and I'm a little bit spooked.

The takeaway from the above seems to be that an attacker can steal NTLM hashes of my users' SSO credentials by:

  • setting up a rogue AP, impersonating my SSID
  • setting up a rogue RADIUS server, with its own certificate
  • trusting that some clients will blindly trust this rogue certificate when authenticating.
    • Some users might blindly click through warnings
    • Even worse: some client devices by default present no warnings and accept any received certificate.

It feels like, even if I distribute machines with certificate pinning correctly configured, it would be very hard to prevent some user from trying to connect their own, unapproved, device to the network, inadvertently misconfiguring their client, and then potentially leaking their JumpCloud SSO credentials to an attacker and thus giving said attacker access to the Wifi and, because of SSO, access to any internal services relying on JumpCloud for user authentication.

How are you going about locking down the clients against possible misconfiguration?


These are great questions and I would like to see what people are doing about it!

I would like to use jumpcloud radius for vlan assignment but these issues are scaring me for now!

Thanks
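Added example, not code from this thread or from JumpCloud, Ubiquiti or wpa_supplicant, addressing the client-side question raised above (and quoted in the last reply): a small Python audit of wpa_supplicant-style network blocks that reports whether a PEAP/TTLS profile actually validates the RADIUS server before handing over credentials. It shows a weak profile, the kind a user types by hand, beside a hardened one, and also the half-way case of a trusted CA with no expected server name, which still accepts any certificate that CA has issued. The SSID, CA file path and server name in the samples are constructed; the real values come from whatever certificate the RADIUS provider presents.

```python
"""Audit 802.1X client profiles for RADIUS server-certificate validation.
Added example for this thread; not code from the page, JumpCloud, Ubiquiti or
wpa_supplicant.  Parses wpa_supplicant-style network={...} blocks and flags the
settings that let a client accept a rogue RADIUS server's certificate.
The sample profiles, SSID, CA path and server name are constructed."""
import re

_BLOCK = re.compile(r"network\s*=\s*\{(.*?)\}", re.S)

# Settings that tie the peer certificate to an expected name.  wpa_supplicant
# needs at least one of them on top of ca_cert; with ca_cert alone, any
# certificate the trusted CA has ever issued is accepted.
NAME_MATCH_KEYS = ("domain_match", "domain_suffix_match", "altsubject_match")


def parse_networks(conf: str):
    """Return one dict per network block; values lose their surrounding quotes."""
    nets = []
    for m in _BLOCK.finditer(conf):
        net = {}
        for line in m.group(1).splitlines():
            line = line.strip()
            if not line or line.startswith("#") or "=" not in line:
                continue
            key, val = line.split("=", 1)
            net[key.strip()] = val.strip().strip('"')
        nets.append(net)
    return nets


def audit_network(net: dict):
    """Findings for one profile; an empty list means the server is validated."""
    key_mgmt = net.get("key_mgmt", "").upper()
    if "EAP" not in key_mgmt and "IEEE8021X" not in key_mgmt:
        return []  # PSK or open network: there is no RADIUS server to validate
    findings = []
    if not (net.get("ca_cert") or net.get("ca_path")):
        findings.append("no ca_cert/ca_path: any server certificate is accepted")
    if not any(net.get(k) for k in NAME_MATCH_KEYS):
        findings.append("no " + "/".join(NAME_MATCH_KEYS)
                        + ": any certificate issued by the trusted CA is accepted")
    if "tls_disable_time_checks=1" in net.get("phase1", ""):
        findings.append("phase1 disables certificate validity-period checks")
    return findings


def audit_conf(conf: str):
    """Map ssid -> findings for every block in a config file."""
    return {net.get("ssid", "?"): audit_network(net) for net in parse_networks(conf)}


# Constructed sample: a hand-typed profile that 'just works' against any server.
WEAK_CONF = """
network={
    ssid="Radius"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="john.doe"
    password="example-only"
    phase2="auth=MSCHAPV2"
}
"""

# Constructed sample: same network with the server pinned.  The CA file and the
# expected name are assumptions; take them from the real server certificate.
HARDENED_CONF = """
network={
    ssid="Radius"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="john.doe"
    password="example-only"
    phase2="auth=MSCHAPV2"
    # CA that issued the RADIUS server certificate (assumed path)
    ca_cert="/etc/ssl/certs/radius-ca.pem"
    # exact name expected on that certificate (assumed value)
    domain_match="radius.example.com"
}
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        for ssid, findings in audit_conf(conf).items():
            print(f"[{label}] {ssid}: {findings or 'OK'}")
```

The two settings the audit insists on are the same pair to look for on other platforms: a trusted CA plus an expected server name (on Windows the profile's "Validate server certificate" and "Connect to these servers" fields; in Apple configuration profiles the EAP payload's PayloadCertificateAnchorUUID and TLSTrustedServerNames keys). A check like this only helps on devices whose profile you control; it does not answer the unmanaged-device worry in the question, where the practical options are pushing the profile through MDM or not exposing SSO credentials over EAP at all.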
