
JumpCloud Integration

Connect IronWifi to JumpCloud Directory Platform to authenticate WiFi users with their JumpCloud credentials. This integration supports SAML single sign-on, LDAP authentication, and RADIUS for comprehensive identity management.

Features

  • SAML Single Sign-On - Enterprise SSO for captive portals
  • LDAP Authentication - Cloud LDAP for WPA-Enterprise
  • RADIUS Authentication - Built-in RADIUS server support
  • User Synchronization - Import users from JumpCloud
  • Group Synchronization - Sync user groups and attributes
  • Multi-Factor Authentication - Enforce MFA for WiFi access

Prerequisites

  • JumpCloud administrator account
  • IronWifi account with Connector access
  • JumpCloud subscription (Free tier supported)

SAML Single Sign-On Setup

Step 1: Create JumpCloud SSO Application

  1. Log into JumpCloud Admin Portal
  2. Navigate to SSO (or Applications > SSO)
  3. Click the (+) button to add a new application
  4. Select Custom SAML App
  5. Click Configure

Step 2: Configure Application Settings

General Info:

  • Display Label: IronWifi
  • Description: WiFi Authentication
  • Logo: Upload logo (optional)

Step 3: Configure SSO Settings

In the SSO tab, configure:

| Field | Value |
| --- | --- |
| IdP Entity ID | Copy this value for IronWifi |
| SP Entity ID | {Entity ID from IronWifi} |
| ACS URL | {ACS URL from IronWifi} |
| SAMLSubject NameID | email |
| SAMLSubject NameID Format | urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress |
| Signature Algorithm | RSA-SHA256 |
| Sign Assertion | Checked |
| Login URL | {Splash Page URL} (optional) |

Step 4: Configure Attribute Statements

Add custom attributes in the SSO tab:

| Service Provider Attribute Name | JumpCloud Attribute |
| --- | --- |
| email | email |
| firstName | firstname |
| lastName | lastname |
| username | username |

Step 5: Download IDP Certificate

  1. Scroll to IDP Certificate Valid
  2. Click Download certificate
  3. Save the certificate file
  4. Copy the IDP URL (SSO URL)

Step 6: Configure IronWifi

  1. Navigate to Connectors > Add Connector
  2. Select JumpCloud (SAML)
  3. Enter configuration:
    • IdP Entity ID: From JumpCloud SSO config
    • IdP SSO URL: The IDP URL from JumpCloud
    • Certificate: Upload the downloaded certificate
  4. Click Save

Step 7: Assign Users to Application

  1. In JumpCloud, go to the IronWifi application
  2. Click the User Groups tab
  3. Select groups to grant access
  4. Or use the Users tab to assign individual users
  5. Click Save

User Synchronization

Sync users from JumpCloud to IronWifi via API.

Step 1: Generate API Key

  1. In JumpCloud, navigate to API Settings
  2. Click Generate New API Key
  3. Set Description: IronWifi Connector
  4. Copy the API key immediately (it won't be shown again)

Step 2: Configure IronWifi Connector

  1. Edit your JumpCloud connector in IronWifi
  2. Navigate to User Sync Settings
  3. Enter:
    • Organization ID: Your JumpCloud org ID
    • API Key: The generated API key
  4. Configure sync options:
    • Auto-sync: Enable scheduled synchronization
    • Sync interval: Hourly, daily, or weekly
    • Include suspended users: Yes/No
    • Include external users: Yes/No
  5. Click Save

Step 3: Run Initial Sync

  1. Click Sync Now
  2. Monitor progress in the sync log
  3. Review imported users in Users section
  4. Verify user attributes and group memberships

Synchronization Mapping

User Attributes

| JumpCloud | IronWifi |
| --- | --- |
| email | Username |
| firstname | First Name |
| lastname | Last Name |
| username | Alternate Username |
| activated | Status (enabled/disabled) |
| suspended | Status |
| custom_attributes | Custom Fields |

Sync Options

| Setting | Description |
| --- | --- |
| Auto-sync | Scheduled automatic synchronization |
| Sync interval | Frequency: hourly, daily, weekly |
| User filter | Filter by attributes or groups |
| Include suspended | Import suspended users as disabled |
| Include external | Sync external directory users |

Group Mapping

Map JumpCloud user groups to IronWifi groups:

  1. In the connector, navigate to Group Mapping
  2. Add mapping rules:
    • JumpCloud Group → IronWifi Group
    • Example: "WiFi-Users" → "Employee WiFi"
  3. Enable Auto-create groups to create missing groups
  4. Configure group attributes:
    • VLAN assignment
    • Bandwidth limits
    • Access policies
  5. Save and run sync

RADIUS Authentication

JumpCloud includes a built-in RADIUS server for WPA-Enterprise authentication.

Step 1: Enable RADIUS in JumpCloud

  1. Navigate to RADIUS in JumpCloud console
  2. Click Add New RADIUS Server
  3. Configure server settings:
    • Name: IronWifi
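    • Network Source IP: Your controller IPs or 0.0.0.0/0 (0.0.0.0/0 accepts RADIUS requests from any source address; list the controller IPs where they are known)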
  4. Click Save
  5. Copy the RADIUS server details:
    • RADIUS server IP/hostname
    • Shared secret

Step 2: Assign Users to RADIUS

  1. In the RADIUS server settings
  2. Click User Groups tab
  3. Select groups that can authenticate via RADIUS
  4. Or assign individual users
  5. Save configuration

Step 3: Configure IronWifi for RADIUS

  1. In the JumpCloud connector
  2. Navigate to RADIUS Settings
  3. Enter:
    • JumpCloud RADIUS server IP: From JumpCloud
    • RADIUS shared secret: From JumpCloud
    • Authentication port: 1812 (default)
    • Accounting port: 1813 (default)
  4. Enable RADIUS Proxy Mode
  5. Save configuration

Step 4: Test RADIUS Authentication

  1. Configure a test device for WPA-Enterprise:
    • Security: WPA2-Enterprise
    • Authentication: PEAP or TTLS
    • Inner authentication: MSCHAPv2 or PAP
  2. Enter JumpCloud username and password
  3. Connect to network
  4. Verify authentication in IronWifi logs
  5. Check RADIUS logs in JumpCloud console

LDAP Integration

Use JumpCloud's LDAP-as-a-Service for authentication.

Step 1: Enable LDAP in JumpCloud

  1. Navigate to LDAP in JumpCloud console
  2. Click Add New LDAP Server
  3. Note the LDAP connection details:
    • LDAP server URL: ldap://ldap.jumpcloud.com:389 or ldaps://ldap.jumpcloud.com:636
    • Bind DN: uid={username},ou=Users,o={orgId},dc=jumpcloud,dc=com
  4. Copy your organization ID

Step 2: Assign Users to LDAP

  1. In LDAP settings, click User Groups
  2. Select groups for LDAP access
  3. Or assign individual users
  4. Save configuration

Step 3: Configure IronWifi LDAP Connector

  1. Navigate to Connectors > Add Connector
  2. Select LDAP
  3. Enter configuration:
    • LDAP Server: ldaps://ldap.jumpcloud.com:636
    • Bind DN: uid=admin,ou=Users,o={yourOrgId},dc=jumpcloud,dc=com
    • Bind Password: Your JumpCloud password or service account password
    • Search Base: ou=Users,o={yourOrgId},dc=jumpcloud,dc=com
    • Search Filter: (uid={username})
  4. Enable Use TLS/SSL
  5. Test connection
  6. Save configuration

Multi-Factor Authentication

Enforce MFA for WiFi access through JumpCloud.

For SAML Authentication

  1. In JumpCloud, navigate to MFA settings
  2. Configure MFA policies:
    • Push notifications via JumpCloud Protect
    • TOTP (Google Authenticator, Authy)
    • SMS (requires add-on)
    • WebAuthn (YubiKey, biometrics)
  3. Apply MFA policy to:
    • Specific user groups
    • The IronWifi SSO application
  4. Users will be prompted for MFA during portal login

For RADIUS Authentication

Warning: The EAP methods used with RADIUS here (PEAP, TTLS) do not natively support MFA challenges. MFA enforcement for RADIUS requires alternative approaches:

Option 1: Pre-authentication MFA

  • Users must complete MFA before RADIUS authentication
  • Configured at the JumpCloud policy level

Option 2: Certificate-Based (EAP-TLS)

  • Use certificates instead of passwords
  • MFA enforced during certificate issuance

Option 3: Time-Based Policies

  • Require recent MFA completion
  • Set MFA session duration in JumpCloud

Captive Portal Integration

Enable JumpCloud SSO for guest WiFi:

  1. Navigate to Captive Portals > your portal
  2. Go to Authentication Providers
  3. Enable JumpCloud SAML
  4. Select your JumpCloud connector
  5. Configure post-authentication:
    • Auto-approve authenticated users
    • Create user accounts automatically
    • Set default access policies
  6. Add JumpCloud domains to Walled Garden:
    *.jumpcloud.com
    console.jumpcloud.com
    api.jumpcloud.com
    sso.jumpcloud.com
  7. Save portal configuration

Device Management Integration

JumpCloud can manage devices and enforce compliance.

Device Binding

Associate user devices with authentication:

  1. Enable device collection in captive portal
  2. JumpCloud tracks device associations via user login
  3. View managed devices in JumpCloud console
  4. Apply device-specific policies

Conditional Access Based on Device

  1. In JumpCloud, create conditional access policies:
    • Require managed devices
    • Check device compliance status
    • Enforce OS versions
  2. Apply policies to IronWifi SSO application
  3. Non-compliant devices are denied access

Advanced Configuration

Custom User Attributes

Map custom JumpCloud attributes to IronWifi:

  1. In JumpCloud, create custom user attributes
  2. In IronWifi connector, add attribute mappings:
    • JumpCloud custom attribute → IronWifi custom field
  3. Use attributes for:
    • VLAN assignment
    • Bandwidth limits
    • Custom policies
  4. Save and sync

Dynamic Group Assignment

Automatically assign users based on JumpCloud attributes:

  1. Create attribute-based groups in IronWifi
  2. Configure rules based on:
    • Department
    • Location
    • Job title
    • Custom attributes
  3. Users automatically move between groups based on JumpCloud data

Password Policies

JumpCloud password policies apply to WiFi authentication:

  1. Set password complexity in JumpCloud
  2. Configure expiration policies
  3. Enforce password rotation
  4. Users must update passwords in JumpCloud
  5. New passwords sync automatically for authentication

Testing the Integration

SAML Testing

  1. Open captive portal URL
  2. Click JumpCloud login button
  3. Enter JumpCloud credentials
  4. Complete MFA if required
  5. Verify redirect back to portal
  6. Confirm WiFi access granted
  7. Check user session in IronWifi logs

RADIUS Testing

  1. Configure device for WPA-Enterprise:
    • SSID: Your network name
    • Security: WPA2-Enterprise
    • Authentication: PEAP-MSCHAPv2 or TTLS-PAP
  2. Enter JumpCloud username and password
  3. Attempt connection
  4. Verify authentication in both:
    • IronWifi authentication logs
    • JumpCloud RADIUS logs
  5. Test with different user accounts

LDAP Testing

  1. Create test user in JumpCloud
  2. Assign to LDAP group
  3. Configure test device to use LDAP credentials
  4. Verify connection in IronWifi logs
  5. Check LDAP bind logs in JumpCloud

User Sync Testing

  1. Create test user in JumpCloud
  2. Add custom attributes
  3. Assign to groups
  4. Run manual sync in IronWifi
  5. Verify user appears with correct:
    • Basic attributes
    • Custom attributes
    • Group memberships

Troubleshooting

SAML Authentication Errors

Error: Invalid SAML Response

  • Verify ACS URL matches in both systems
  • Check Entity ID is correct
  • Ensure certificate is valid
  • Verify signature algorithm (RSA-SHA256)
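
The checks in this list can be run against a captured, base64-decoded SAML Response before digging further. The following is an added example, not IronWifi or JumpCloud code: it compares the response fields with the values from Step 3 and Step 4, does not verify the signature itself, and uses placeholder URLs and a constructed sample response.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

def preflight(response_xml, acs_url, sp_entity_id, idp_entity_id):
    """List config mismatches in a decoded Response (signature is NOT verified)."""
    root = ET.fromstring(response_xml)
    problems = []
    if root.get("Destination") != acs_url:
        problems.append("Destination differs from ACS URL")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["no plaintext Assertion found"]
    if assertion.findtext("saml:Issuer", "", NS).strip() != idp_entity_id:
        problems.append("Issuer differs from IdP Entity ID")
    audiences = [a.text.strip() for a in assertion.iterfind(".//saml:Audience", NS) if a.text]
    if sp_entity_id not in audiences:
        problems.append("Audience differs from SP Entity ID")
    method = assertion.find("ds:Signature/ds:SignedInfo/ds:SignatureMethod", NS)
    if method is None:
        problems.append("Assertion is not signed")
    elif method.get("Algorithm") != RSA_SHA256:
        problems.append("Signature algorithm is not RSA-SHA256")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT:
        problems.append("NameID format is not emailAddress")
    names = {a.get("Name") for a in assertion.iterfind("saml:AttributeStatement/saml:Attribute", NS)}
    if "email" not in names:
        problems.append("email attribute missing")
    return problems

# Constructed sample (signature skeleton only); every URL below is a placeholder.
EXPECTED = ("https://wifi.example.test/acs", "https://wifi.example.test/sp", "https://idp.example.test/entity")
SAMPLE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
 xmlns:ds="{NS['ds']}" Destination="https://wifi.example.test/acs">
 <saml:Assertion><saml:Issuer>https://idp.example.test/entity</saml:Issuer>
  <ds:Signature><ds:SignedInfo><ds:SignatureMethod Algorithm="{RSA_SHA256}"/>
  </ds:SignedInfo></ds:Signature>
  <saml:Subject><saml:NameID Format="{EMAIL_FORMAT}">user@example.test</saml:NameID></saml:Subject>
  <saml:Conditions><saml:AudienceRestriction><saml:Audience>https://wifi.example.test/sp</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement><saml:Attribute Name="email"/></saml:AttributeStatement>
 </saml:Assertion></samlp:Response>"""

if __name__ == "__main__":
    print(preflight(SAMPLE, *EXPECTED))
```

An empty list means the fields agree with the configuration; a signature failure after that points at the certificate rather than the SSO settings.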

Error: User Not Found

  • Confirm user is assigned to IronWifi app
  • Check attribute mapping (email required)
  • Verify user status is active
  • Review NameID format configuration

Error: Invalid Signature

  • Re-download certificate from JumpCloud
  • Check certificate expiration date
  • Verify certificate format (PEM/X.509)
  • Ensure no extra whitespace in certificate

MFA Timeout

  • Increase MFA timeout in JumpCloud
  • Check user has MFA configured
  • Verify push notification delivery
  • Try alternative MFA method

User Sync Issues

No Users Syncing

  • Verify API key is correct and active
  • Check API permissions
  • Confirm organization ID is correct
  • Test API connectivity
  • Review network/firewall rules

Partial User Sync

  • Check user filter settings
  • Verify suspended user inclusion setting
  • Review attribute data completeness
  • Check sync logs for specific errors
  • Verify users meet filter criteria

Attributes Not Syncing

  • Confirm attributes exist in JumpCloud
  • Check attribute mapping configuration
  • Verify custom attributes are populated
  • Review field name case sensitivity

Group Mapping Not Working

  • Verify group names match exactly (case-sensitive)
  • Enable auto-create groups option
  • Check that users are in groups in JumpCloud
  • Review group assignment timing

RADIUS Authentication Failures

Authentication Rejected

  • Verify RADIUS server IP is correct
  • Check shared secret matches exactly
  • Confirm user has RADIUS access in JumpCloud
  • Test credentials in JumpCloud portal
  • Review authentication method compatibility

Connection Timeout

  • Check network connectivity to JumpCloud RADIUS
  • Verify firewall allows UDP 1812/1813
  • Test with radtest or similar tool
  • Check for NAT/routing issues
  • Verify JumpCloud RADIUS server status

User Not Authorized for RADIUS

  • Confirm user assigned to RADIUS server
  • Check user group has RADIUS access
  • Verify user account is active
  • Review RADIUS user group assignments

Certificate Validation Errors

  • Ensure trusted root certificates installed
  • Verify certificate chain is complete
  • Check certificate hasn't expired
  • Disable certificate validation for testing only, and re-enable it once the cause is found

LDAP Authentication Issues

Bind Failed

  • Verify LDAP server URL is correct
  • Check bind DN format
  • Confirm bind password is correct
  • Test with LDAP browser tool
  • Verify user has LDAP access in JumpCloud

User Not Found

  • Check search base is correct
  • Verify search filter syntax
  • Confirm user exists in JumpCloud
  • Check organizational structure
  • Review user's DN path

TLS/SSL Connection Failed

  • Verify using ldaps:// for secure connection
  • Check port 636 is open
  • Ensure valid SSL certificate
  • Try non-SSL port 389 for testing only; plain LDAP sends the bind password unencrypted, so switch back to ldaps:// afterwards

Performance Issues

Slow SAML Authentication

  • Check network latency to JumpCloud
  • Verify DNS resolution
  • Review MFA timeout settings
  • Check JumpCloud service status

Sync Taking Too Long

  • Reduce sync frequency
  • Implement user filters
  • Check API rate limits
  • Review user count vs sync interval

RADIUS Timeouts

  • Check RADIUS server response time
  • Verify network path latency
  • Review firewall/NAT configuration
  • Test with alternative RADIUS server

Security Best Practices

  1. Use API Keys Securely

    • Store API keys encrypted
    • Rotate keys regularly
    • Use separate keys per integration
    • Never commit keys to version control
  2. Enable MFA

    • Require MFA for all administrative access
    • Enforce MFA for WiFi authentication where possible
    • Use push notifications for better UX
  3. Implement Least Privilege

    • Grant minimal API permissions needed
    • Use service accounts for automation
    • Restrict RADIUS access by user group
    • Limit LDAP access to necessary users
  4. Secure RADIUS Configuration

    • Use strong, random shared secrets (32+ characters)
    • Restrict source IPs for RADIUS authentication
    • Enable RADIUS accounting for audit trail
    • Rotate shared secrets periodically
  5. Monitor and Audit

    • Review authentication logs regularly
    • Set up alerts for failed authentications
    • Monitor sync failures
    • Audit user access periodically
  6. Use Encrypted Connections

    • Use LDAPS (LDAP over TLS) not plain LDAP
    • Verify TLS certificates
    • Ensure captive portal uses HTTPS
    • Enable RADSEC where supported
  7. Implement Password Policies

    • Enforce strong password requirements
    • Enable password expiration
    • Require password rotation
    • Prevent password reuse
  8. Device Compliance

    • Require managed devices where possible
    • Enforce OS update policies
    • Check device compliance status
    • Block non-compliant devices
  9. Regular Maintenance

    • Keep connectors updated
    • Review and update group mappings
    • Test authentication flows regularly
    • Document configuration changes
  10. Backup Configuration

    • Document all integration settings
    • Export user and group mappings
    • Save API keys in secure vault
    • Maintain disaster recovery plan
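
Items 4 and 6 of this checklist can be checked mechanically against a connector's settings. The following is an added example, not IronWifi's own tooling: the setting key names, the organization ID placeholders and the sample values are assumptions, and it also includes the bind DN / search base consistency check from the LDAP troubleshooting section.

```python
import ipaddress
import secrets
from urllib.parse import urlsplit

def org_of(dn):
    """Return the o= value of a DN (plain split; assumes no escaped commas)."""
    parts = dict(p.strip().partition("=")[::2] for p in dn.split(","))
    return parts.get("o")

def lint_connector(cfg):
    """Check hypothetical connector settings against the checklist; return findings."""
    findings = []
    if len(cfg["radius_shared_secret"]) < 32:
        findings.append("radius: shared secret shorter than 32 characters")
    for net in cfg["radius_source_networks"]:
        if ipaddress.ip_network(net, strict=False).prefixlen == 0:
            findings.append(f"radius: source network {net} accepts any client")
    if urlsplit(cfg["ldap_url"]).scheme != "ldaps":
        findings.append("ldap: server URL is not ldaps://")
    if org_of(cfg["ldap_bind_dn"]) != org_of(cfg["ldap_search_base"]):
        findings.append("ldap: bind DN and search base name different organizations")
    if urlsplit(cfg["portal_url"]).scheme != "https":
        findings.append("portal: captive portal URL is not HTTPS")
    return findings

# Constructed settings; key names and the *_PLACEHOLDER org IDs are illustrative only.
WEAK = {
    "radius_shared_secret": "wifi1234",
    "radius_source_networks": ["0.0.0.0/0"],
    "ldap_url": "ldap://ldap.jumpcloud.com:389",
    "ldap_bind_dn": "uid=admin,ou=Users,o=ORG_ID_PLACEHOLDER,dc=jumpcloud,dc=com",
    "ldap_search_base": "ou=Users,o=OTHER_ORG_PLACEHOLDER,dc=jumpcloud,dc=com",
    "portal_url": "http://portal.example.test/",
}
HARDENED = {
    **WEAK,
    "radius_shared_secret": secrets.token_urlsafe(32),  # 43 random characters
    "radius_source_networks": ["203.0.113.10/32"],  # documentation-range controller IP
    "ldap_url": "ldaps://ldap.jumpcloud.com:636",
    "ldap_search_base": "ou=Users,o=ORG_ID_PLACEHOLDER,dc=jumpcloud,dc=com",
    "portal_url": "https://portal.example.test/",
}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, lint_connector(cfg))
```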

Rate Limits and Quotas

Be aware of JumpCloud API limits:

| Resource | Free Tier | Premium |
| --- | --- | --- |
| API Calls | 1,000/hour | Higher limits |
| Users | 10 | Unlimited |
| Groups | Unlimited | Unlimited |
| SAML Apps | 10 | Unlimited |
| RADIUS Users | 10 | Unlimited |

Tips to avoid rate limiting:

  • Adjust sync frequency based on user count
  • Use incremental sync where available
  • Monitor API usage in JumpCloud console
  • Cache user data appropriately

Migration from Other Identity Providers

From Active Directory

  1. Export users from AD
  2. Import into JumpCloud
  3. Configure password sync or reset
  4. Test authentication
  5. Update IronWifi connector
  6. Migrate users in phases

From Azure AD

  1. Use JumpCloud's Azure AD sync
  2. Configure attribute mapping
  3. Test user authentication
  4. Update SAML configuration
  5. Switch over during maintenance window

From Okta/OneLogin

  1. Export user list from existing IdP
  2. Import users into JumpCloud
  3. Configure SAML in parallel
  4. Test with pilot group
  5. Switch DNS/URLs to cut over
  6. Monitor for issues

Support Resources