RADIUS Authentication with Okta

To achieve secure passwordless network authentication, Cloud RADIUS uses digital certificates as its primary form of authentication. This guide details how to enroll Okta users and devices for certificates so they can authenticate against Cloud RADIUS. It then walks through creating an OAuth application in Okta so that a RADIUS Lookup can be configured between Cloud RADIUS and Okta.

Integration Process Overview

  1. Create an Okta Identity Provider in SecureW2
    • The Identity Provider provides context that tells the Cloud Connector system how to connect to the Okta user database, verify users, and issue certificates.
  2. Create a SAML Application in Okta
    • When users enter their Okta credentials during the certificate enrollment process, the IDP verifies the user and sends user attributes to SecureW2 via SAML application. Once the attributes have been sent to SecureW2, the user can be issued a customized certificate that is tied to their identity and the identity of their device.
  3. Configure Your Okta User Policies in SecureW2
    • With users organized into user groups, you can begin to customize policies that dictate the network user experience. Admins can determine which applications, files, websites, and more each user group should have access to.
  4. Configure Attribute Mapping
    • Administrators can customize the attribute mapping in order to segment network users into alike groups. For example, a university would want separate user groups for students and professors, so it configures the attributes to automatically sort users into one of these groups. After mapping attributes, the Okta metadata is uploaded to segment the network.
  5. Set Up RADIUS Lookup via OAuth
    • Cloud RADIUS empowers organizations with certificates because it’s the only RADIUS server that can securely communicate with Cloud Identity Providers (IDP). Admins no longer have to reissue brand new certificates in case a user’s policy changes and the system will update immediately.

Create an Identity Provider in SecureW2

An identity provider (IDP) is the system that proves the identity of a user/device.

Creating an IDP in SecureW2 tells the Cloud Connector system how to connect to your Okta user database, verify user credentials, and issue certificates.

To create an IDP in SecureW2:

  1. From your SecureW2 Management Portal, go to Identity Management > Identity Providers.
  2. Click Add Identity Provider.
  3. For Name, enter a name.
  4. For Description, enter a description.
  5. Click the Type dropdown and select SAML.
  6. Click the Saml Vendor dropdown and select OKTA.
  7. Click Save.

Now, SecureW2 Cloud Connector knows how to exchange information with your Okta user database.

Create a SAML Application in Okta

Your SAML application is a crucial connection between your IDP and SecureW2.

Your SAML application allows a user to enter their Okta credentials, which are then passed to your IDP for verification. Your IDP verifies the user’s identity and then sends attributes to your SAML application, which then passes the attributes to SecureW2 for certificate issuance.

To create a SAML application to use with SecureW2:

  1. From your Okta dashboard, go to the Dashboard page.
  2. Under Shortcuts, click Add Applications.
  3. Click Create New App.
  4. In the Create a New Application Integration prompt:
    1. Click the Platform dropdown and select Web.
    2. For Sign on method, select the radio button for SAML 2.0.
  5. Click Create.
  6. On the 1 General Settings step, for App name, enter a name.
  7. Click Next.
  8. In a new browser tab/window, log into your SecureW2 Management Portal and go to Identity Management > Identity Providers.
  9. Click Edit for the IDP you created in the section “Create an Identity Provider in SecureW2”.
  10. Select the Configuration tab.
  11. Copy and paste as follows:
    1. From SecureW2, copy the values for ACS URL and EntityId, and
    2. Paste them into Okta (2 Configure SAML step) as Single sign on URL and Audience URI (SP Entity ID), respectively.
  12. Click Next.
  13. On the 3 Feedback step, for Are you a customer or partner?, select the appropriate radio button.
  14. Click Finish.

Configure Your Okta Policies in SecureW2

Update the Profile Policy in SecureW2

To update the profile policy in SecureW2:

  1. From your SecureW2 Management Portal, go to Policy Management > Profile.
  2. Click Edit for the profile policy.
  3. Select the Settings tab.
  4. Click the Identity Provider dropdown and select the IDP you created in the section “Create an Identity Provider in SecureW2”.
  5. Click Update.

Update the User Role Policy in SecureW2

To update the user role policy in SecureW2:

  1. From your SecureW2 Management Portal, go to Policy Management > User Roles.
  2. For DEFAULT ROLE POLICY 1, click Edit.
  3. Select the Conditions tab.
  4. Click the Identity Provider dropdown and select the IDP you created in the section “Create an Identity Provider in SecureW2”.
  5. Click Update.

Update the Enrollment and Role Policies in SecureW2

To update the enrollment policy in SecureW2:

  1. From your SecureW2 Management Portal, go to Policy Management > Enrollment.
  2. For DEFAULT ENROLLMENT POLICY 1, click Edit.
  3. Select the Conditions tab.
  4. In the User Role list, select DEFAULT ROLE POLICY 1.
  5. In the Device Role list, select DEFAULT DEVICE ROLE POLICY 1.
  6. Click Update.

Configure Attribute Mapping in Okta

To configure attribute mapping in Okta:

  1. From your Okta dashboard, go to the Applications page.
  2. Click the SAML application you created in the section “Create a SAML Application in Okta”.
  3. Select the General tab.
  4. In the SAML Settings section, click Edit.
  5. On the 1 General Settings step, click Next.
  6. On the 2 Configure SAML step, in the ATTRIBUTE STATEMENTS (OPTIONAL) section, configure attributes:
    1. For Name, enter ‘email’, and for Value, select ‘user.email’.
    2. Click Add Another.
    3. For Name, enter ‘firstName’, and for Value, select ‘user.firstName’.
    4. Click Add Another.
    5. For Name, enter ‘lastName’, and for Value, select ‘user.lastName’.
  7. Click Preview the SAML Assertion.
  8. Copy the .xml data that appears.
  9. Open a text file and paste the .xml data into the file.
  10. Save the file using the .xml extension.

Upload the Okta Metadata to SecureW2

To upload the Okta metadata to SecureW2:

  1. From your SecureW2 Management Portal, go to Identity Management > Identity Providers.
  2. Click Edit for the IDP you created in the section “Create an Identity Provider in SecureW2”.
  3. Select the Configuration tab.
  4. Under Identity Provider (IDP) Info, for Metadata, click Choose File.
  5. In the window that appears, select the Okta metadata file (.xml) you saved to your computer in the previous section.
  6. Click Upload.
  7. Click Update.

Configure Attribute Mapping in SecureW2

To configure attribute mapping in SecureW2:

  1. From your SecureW2 Management Portal, go to Identity Management > Identity Providers.
  2. Click Edit for the IDP you created in the section “Create an Identity Provider in SecureW2”.
  3. Select the Attribute Mapping tab.
  4. Click Add.
  5. For Local Attribute, enter ‘upn’.
  6. Click the Remote Attribute dropdown and select USER_DEFINED.
  7. In the field that appears, enter ‘email’.
  8. Click Next.
  9. Click Add.
  10. For Local Attribute, enter ‘email’.
  11. Click the Remote Attribute dropdown and select USER_DEFINED.
  12. In the field that appears, enter ‘email’.
  13. Click Next.
  14. Click Add.
  15. For Local Attribute, enter ‘displayName’.
  16. Click the Remote Attribute dropdown and select USER_DEFINED.
  17. In the field that appears, enter ‘firstName’.
  18. Click Next.
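The two preceding sections configure Okta to emit email, firstName and lastName as SAML attribute statements and SecureW2 to map them to local attributes (upn and email from email, displayName from firstName). The Python script below is an added illustration, not SecureW2 or Okta code: it parses a constructed sample assertion, applies that same mapping table, and reports any local attribute whose remote source is absent or empty, which is the symptom you see when the attribute names on the Okta side do not match the mapping. Signature verification is deliberately out of scope here; a real service provider must verify the assertion's XML signature before trusting any attribute it carries.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Local attribute -> remote (Okta) attribute name, exactly as entered on the
# SecureW2 Attribute Mapping tab in the steps above.
ATTRIBUTE_MAPPING = {
    "upn": "email",
    "email": "email",
    "displayName": "firstName",
}

# Constructed sample assertion for this example (not an actual Okta response).
# Only the AttributeStatement is relevant; the Signature element is omitted.
SAMPLE_ASSERTION = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
                 ID="_constructed-example" Version="2.0">
  <saml2:Issuer>http://www.okta.com/EXAMPLE-ISSUER</saml2:Issuer>
  <saml2:Subject>
    <saml2:NameID>jdoe@example.com</saml2:NameID>
  </saml2:Subject>
  <saml2:AttributeStatement>
    <saml2:Attribute Name="email">
      <saml2:AttributeValue>jdoe@example.com</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="firstName">
      <saml2:AttributeValue>Jane</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="lastName">
      <saml2:AttributeValue>Doe</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>"""


def parse_attribute_statement(assertion_xml: str) -> dict:
    """Return {attribute name: [values]} from the assertion's AttributeStatement.
    Parsing only: the caller must already have verified the XML signature."""
    root = ET.fromstring(assertion_xml)
    attributes = {}
    for attr in root.findall("saml2:AttributeStatement/saml2:Attribute", SAML_NS):
        name = attr.get("Name")
        values = [(v.text or "").strip() for v in attr.findall("saml2:AttributeValue", SAML_NS)]
        attributes[name] = values
    return attributes


def apply_mapping(remote_attributes: dict, mapping: dict = ATTRIBUTE_MAPPING):
    """Build the local attribute set used for the certificate from the remote ones.
    Returns (local_attributes, missing_local_names); a missing entry means the
    Okta attribute statement that feeds it was not present or was empty."""
    local, missing = {}, []
    for local_name, remote_name in mapping.items():
        values = remote_attributes.get(remote_name, [])
        if not values or not values[0]:
            missing.append(local_name)
            continue
        local[local_name] = values[0]  # first value only; these attributes are single-valued
    return local, missing


if __name__ == "__main__":
    remote = parse_attribute_statement(SAMPLE_ASSERTION)
    local, missing = apply_mapping(remote)
    print("remote attributes:", remote)
    print("local attributes:", local, "missing:", missing)
```

Running the script against the sample yields upn and email both set to jdoe@example.com and displayName set to Jane, with nothing missing. Removing or renaming the firstName attribute statement on the Okta side makes displayName show up in the missing list, which is the quickest way to confirm an attribute mapping problem before certificates are issued with blank fields.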

How to Set Up Dynamic Cloud RADIUS Lookup via OAuth

Cloud RADIUS can be configured to communicate with your Okta directory and enforce user policies at the time of authentication. Cloud RADIUS empowers organizations with certificates because it’s the only RADIUS server that can securely communicate with Cloud Identity Providers (IDP). Admins no longer have to reissue brand new certificates in case a user’s policy changes and the system will update immediately.

Create a Web Application

  1. Login to Okta
  2. Navigate to Applications
  3. Click Create New Applications
  4. Select Web as the Platform and click Next
  5. Configure the following settings:
    • Note: Use your unique SecureW2 Organization URL as the Login Redirect URI, followed by /auth/oauth/code. Note: You do not need to enter a Base URI.
  6. Click Save.
  7. Scroll down to Client Credentials.
  8. Copy and save the Client ID.
  9. Copy and save the Client Secret.

Okta API Scopes

Lastly, we need to give this application permission to access the data in our Okta directory.

  1. Navigate to Okta API Scopes under the Manage section.
  2. Grant the following API Scopes:
    • Okta.users.read
    • Okta.groups.read

Creating an Okta API Token

  1. Log in to the Okta portal.
  2. On the left pane, from the Security menu, select API.
  3. Click Tokens and on the displayed screen, click the Create Token button.
  4. Enter a name for the token and click Create Token.
  5. Copy the token value that is displayed and store it securely; Okta shows it only once, so a lost token must be replaced by creating a new one.


Create an Identity Lookup Provider

An identity provider (IDP) is the system that proves the identity of a user/device. Creating an IDP in SecureW2 tells the Cloud Connector system how to connect to your Okta user database, verify user credentials, and issue certificates.

During the authentication process, identity lookup validates that a user is active within the organization by checking the identifying information against the existing users in the Identity Provider.

  1. Navigate to Identity Management > Identity Providers.
  2. Click Add Identity Provider.
  3. In the Basic section:
    • Enter a name for the lookup provider.
    • Optional: Enter a description.
    • From the Type dropdown list, select OKTA Identity Lookup.
  4. Click Save.
  5. Click Configuration while still in the Identity Provider edit menu.
    • For Provider URL enter your Okta organization URL.
  6. In the API Token field, enter the token you obtained from the Okta portal.
  7. Click Update.

Adding Attributes

To add a custom attribute to the identity lookup provider, follow the given steps.

  1. Click the Attribute Mapping tab.
  2. Click Add.
    • In the Local Attribute field, enter a name for the attribute.
    • In the Remote Attribute field, select the attribute to be mapped to the Local Attribute. If you select USER_DEFINED, enter a value to be mapped.
  3. Click Next to create the custom attribute with the appropriate mapping.

Configuring Groups

Cloud RADIUS can perform a User Group Lookup, so you can create network access policies based on the groups a user is in.

  1. Navigate to the Groups tab.
  2. Click Add.
    • Enter a name for Local Group.
    • This name is what appears later as the ‘Group’ in the SecureW2 Management Portal when you configure policies.
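As an added example (not SecureW2's own lookup implementation), the Python below models the two steps described under “Create an Identity Lookup Provider” and “Configuring Groups”: given the identity carried by a presented certificate, confirm that the Okta user is still ACTIVE and translate the user's Okta group names into the local group names created on the Groups tab. It talks to Okta's REST API with an SSWS API token, the same token entered on the lookup provider's Configuration tab; the org URL, token, user records and group names are constructed placeholders, and the transport is injected so the sample runs offline.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

# Local group names created on the Groups tab, keyed by Okta group name (constructed).
GROUP_MAPPING = {"Faculty": "faculty-wifi", "Students": "student-wifi"}


def okta_transport(org_url: str, api_token: str):
    """Real transport: GET a path under the Okta org URL using an SSWS API token.
    org_url and api_token are the values from the Configuration tab; they are
    placeholders in this example and a real token must never be hard-coded."""
    def fetch(path: str):
        req = urllib.request.Request(
            org_url.rstrip("/") + path,
            headers={"Authorization": "SSWS " + api_token, "Accept": "application/json"},
        )
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                return json.load(resp)
        except urllib.error.HTTPError as err:
            if err.code == 404:  # unknown user: treat like the offline transport below
                raise LookupError(path) from err
            raise
    return fetch


# Constructed stand-ins for Okta's /api/v1/users/{login} and /api/v1/users/{id}/groups responses.
FAKE_RESPONSES = {
    "/api/v1/users/jdoe%40example.com": {
        "id": "00uEXAMPLE1", "status": "ACTIVE",
        "profile": {"login": "jdoe@example.com", "email": "jdoe@example.com"},
    },
    "/api/v1/users/00uEXAMPLE1/groups": [
        {"id": "00gEXAMPLE1", "profile": {"name": "Everyone"}},
        {"id": "00gEXAMPLE2", "profile": {"name": "Faculty"}},
    ],
    "/api/v1/users/bgone%40example.com": {
        "id": "00uEXAMPLE2", "status": "DEPROVISIONED",
        "profile": {"login": "bgone@example.com", "email": "bgone@example.com"},
    },
}


def fake_transport(path: str):
    """Offline transport; raises LookupError the way a 404 from Okta would."""
    if path not in FAKE_RESPONSES:
        raise LookupError(path)
    return FAKE_RESPONSES[path]


def identity_lookup(fetch, login: str, group_mapping: dict = GROUP_MAPPING) -> dict:
    """Decide whether the identity from a presented certificate is still valid in Okta.
    login is the certificate's upn/email; only users whose status is ACTIVE pass,
    so a deprovisioned or suspended user is rejected without reissuing any certificate."""
    try:
        user = fetch("/api/v1/users/" + urllib.parse.quote(login, safe=""))
    except LookupError:
        return {"accept": False, "reason": "user not found", "groups": []}
    status = user.get("status")
    if status != "ACTIVE":
        return {"accept": False, "reason": "user status is " + str(status), "groups": []}
    okta_groups = [g["profile"]["name"] for g in fetch("/api/v1/users/%s/groups" % user["id"])]
    # Only groups with a configured local name become policy groups; the rest are ignored.
    local_groups = sorted({group_mapping[g] for g in okta_groups if g in group_mapping})
    return {"accept": True, "reason": "user is ACTIVE", "groups": local_groups}


if __name__ == "__main__":
    for login in ("jdoe@example.com", "bgone@example.com", "nobody@example.com"):
        print(login, "->", identity_lookup(fake_transport, login))
    # Against a live org you would instead pass okta_transport("https://<your-org>.okta.com", token).
```

The decision dictionary is what a policy engine would consume: the active user maps to the local faculty-wifi group, the deprovisioned user is rejected by status, and an unknown login is rejected as not found. Keeping the status check ahead of the group lookup matters, because a group membership on its own says nothing about whether the account is still enabled.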

Conclusion

With SecureW2, using your Okta directory for Secure Wi-Fi access is really easy. With our Turnkey Managed PKI, 802.1x Onboarding, and Cloud RADIUS Server you can take advantage of excellent network security alongside an awesome end user experience. Like to learn more? Click here for a pricing estimate that tailors our cost effective solution to your organization’s needs.
