How Do I Set Up MDM for RADIUS to Distribute Certificates and WiFi Profiles?

When setting up RADIUS, you may need to use a Mobile Device Management (MDM) solution to distribute certificates and WiFi profiles to client devices. Learn how to get up and running in this guide.

How Do I Push Certificates and WiFi Profiles to Devices for RADIUS?

When using certificate-based authentication with RADIUS, you’ll need a way to distribute the necessary certificates and WiFi profiles to your users’ devices. These include laptops, smartphones, tablets, and other endpoints that will connect to your network. It’s a lot of work to have users do this manually or to have them visit an IT help desk, so organizations typically use a Mobile Device Management (MDM) solution to automate this process.

What Are Commonly Used MDM Solutions for RADIUS?

Most MDM solutions support the distribution of certificates and WiFi profiles needed for RADIUS authentication. Many organizations leverage Microsoft Intune, Jamf, and ManageEngine MDM Plus. Once set up, your MDM can connect to your company directory (like Entra ID or Active Directory) to identify users and their devices. The MDM can then push applications, configuration, certificates, and WiFi profiles to the devices based on policies you define.

Is an MDM Required to Use RADIUS?

No, an MDM is not strictly required to use RADIUS. However, if you plan to use certificate-based authentication (like EAP-TLS), an MDM is highly recommended to streamline the distribution of certificates and WiFi profiles to user devices. Otherwise, you would need to manually install certificates and configure WiFi settings on each device, which can be time-consuming and error-prone.

What Do I Need to Set Up in My MDM for RADIUS?

The policies and configuration you need to distribute via your MDM will depend on your specific RADIUS server, PKI setup, and the devices and authentication methods you plan to use. Typically, you’ll need to distribute the RADIUS server certificate, WiFi profiles (if using a WiFi network), and the trusted/client certificates (if using EAP-TLS).

Here are the most common scenarios and the items you’ll need to configure:

Certificate and Smart Card Authentication (EAP-TLS)

To set up certificate-based authentication using EAP-TLS, you’ll need to configure the following in your MDM:

  1. Root CA Certificate - Push your Root CA certificate to the trusted computer root store on all client devices. This ensures that the devices trust the certificates issued by your Certificate Authority (CA).
  2. Issuing CA Certificate (optional) - If your PKI uses an intermediate issuing CA (such as the CA behind your SCEP service), you’ll need to push this certificate to the trusted intermediate store on all client devices.
  3. Client Certificate(s) - Configure your MDM to issue and distribute client certificates (user and/or device) to user devices. This is often done using SCEP (Simple Certificate Enrollment Protocol) to automate the certificate request and installation process.
  4. RADIUS Server Certificate - Push the RADIUS server’s trusted certificate to the trusted computer root store on all client devices to ensure secure communication during the EAP-TLS handshake. Without this, clients may not trust the RADIUS server, leading to failed authentication attempts.
  5. WiFi Profile - Create and distribute a WiFi profile that configures the SSID, security type (WPA2-Enterprise or WPA3-Enterprise), and EAP method (EAP-TLS) for connecting to your RADIUS-protected network.

Entra ID Authentication (EAP-TTLS with PAP)

To set up Entra ID authentication using EAP-TTLS with PAP, you’ll need to configure the following in your MDM:

  1. RADIUS Server Certificate - Push the RADIUS server’s trusted certificate to the trusted computer root store on all client devices to ensure secure communication via the EAP-TTLS protocol. Without this, clients may not trust the RADIUS server, leading to failed authentication attempts.
  2. WiFi Profile - Create and distribute a WiFi profile that configures the SSID, security type (WPA2-Enterprise or WPA3-Enterprise), and EAP method (EAP-TTLS with PAP) for connecting to your RADIUS-protected network.
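The two scenarios above (EAP-TLS with a SCEP-issued client certificate, and EAP-TTLS with PAP) differ only in which payloads the WiFi profile references. The following added example, not code from this guide or from any MDM vendor, builds an Apple-style configuration profile for either scenario with Python's standard plistlib: a root CA payload, an optional SCEP payload, and a com.apple.wifi.managed payload whose EAPClientConfiguration pins the RADIUS server name to the pushed trust anchor. The CA bytes, SCEP URL, RADIUS hostname and SSID are constructed placeholders; in this example the root CA payload also serves as the RADIUS server's trust anchor.

```python
import plistlib
import uuid

# Constructed placeholders; a real deployment substitutes its own values.
ROOT_CA_DER = b"\x30\x82-placeholder-root-ca-der-bytes"  # DER of the Root CA
SCEP_URL = "https://scep.example.internal/scep"           # assumed SCEP endpoint
RADIUS_NAME = "radius.example.internal"                   # name on the RADIUS server cert

def _payload(ptype, name, **extra):
    """Common envelope that every payload in an Apple profile must carry."""
    uid = str(uuid.uuid4()).upper()
    p = {"PayloadType": ptype, "PayloadVersion": 1, "PayloadDisplayName": name,
         "PayloadIdentifier": f"com.example.radius.{uid}", "PayloadUUID": uid}
    p.update(extra)
    return p

def build_profile(scenario, ssid):
    """Return the profile dict for 'eap-tls' or 'eap-ttls-pap'."""
    root = _payload("com.apple.security.root", "Root CA", PayloadContent=ROOT_CA_DER)
    payloads = [root]
    # Restrict which server certificates the supplicant will accept:
    # the name must match and the chain must end at the pushed root payload.
    eap = {"TLSTrustedServerNames": [RADIUS_NAME],
           "TLSTrustedCertificates": [root["PayloadUUID"]]}
    if scenario == "eap-tls":
        scep = _payload("com.apple.security.scep", "Client certificate (SCEP)",
                        PayloadContent={"URL": SCEP_URL, "Name": "IssuingCA",
                                        "Subject": [[["CN", "device-0001-placeholder"]]],
                                        "Keysize": 2048, "Key Type": "RSA",
                                        "Key Usage": 5})  # signing + encipherment
        payloads.append(scep)
        eap.update({"AcceptEAPTypes": [13],  # 13 = EAP-TLS
                    "PayloadCertificateAnonymousUUID": scep["PayloadUUID"]})
    elif scenario == "eap-ttls-pap":
        eap.update({"AcceptEAPTypes": [21],  # 21 = EAP-TTLS
                    "TTLSInnerAuthentication": "PAP"})  # credentials sent inside the tunnel
    else:
        raise ValueError(f"unsupported scenario: {scenario}")
    payloads.append(_payload("com.apple.wifi.managed", f"Wi-Fi {ssid}",
                             SSID_STR=ssid, AutoJoin=True, EncryptionType="WPA2",
                             EAPClientConfiguration=eap))
    return _payload("Configuration", f"RADIUS {scenario}", PayloadContent=payloads)

def to_mobileconfig(profile):
    """Serialize the profile to the XML plist that a .mobileconfig file contains."""
    return plistlib.dumps(profile)

if __name__ == "__main__":
    print(to_mobileconfig(build_profile("eap-tls", "CorpWiFi")).decode())
```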

MAC Authentication Bypass (EAP-MD5 or EAP-PAP)

To set up MAC Authentication Bypass using EAP-MD5 or EAP-PAP, you’ll need to configure the following in your MDM:

  1. RADIUS Server Certificate - Push the RADIUS server’s trusted certificate to the trusted computer root store on all client devices to ensure secure communication with the RADIUS server. Without this, clients may not trust the RADIUS server, leading to failed authentication attempts.
  2. WiFi Profile - Create and distribute a WiFi profile that configures the SSID, security type (WPA2-Enterprise or WPA3-Enterprise), and EAP method (EAP-MD5 or EAP-PAP) for connecting to your RADIUS-protected network.

Then on your RADIUS server, you’ll need to configure MAC address-based authentication policies to allow devices to authenticate using their MAC addresses.

Summary Table

The following table summarizes what you’ll need to configure in your MDM for each common RADIUS authentication scenario:

Scenario                                            | Root CA Certificate | Issuing CA Certificate | Client Certificate(s) | RADIUS Server Certificate | WiFi Profile
Certificate and Smart Card Authentication (EAP-TLS) | ✅                  | ✅ (if applicable)     | ✅                    | ✅                        | ✅ (EAP-TLS)
Entra ID Authentication (EAP-TTLS with PAP)         |                     |                        |                       | ✅                        | ✅ (EAP-TTLS with PAP)
MAC Authentication Bypass (EAP-MD5 or EAP-PAP)      |                     |                        |                       | ✅                        | ✅ (EAP-MD5 or EAP-PAP)