A Passwordless Okta Wi-Fi Security Architecture

Use your Okta policies to build a passwordless security architecture with digital certificates as a foundation. Our plug-and-play PKI makes total certificate management easy, and our powerful Cloud RADIUS service provides world-class authentication for those certificates.

Leverage the Power of Okta and Our PKI to Go Passwordless

Passwords make your network vulnerable. Our simple PKI empowers you to move beyond passwords with digital certificates - and it’s so easy to set up.

Strongly authenticate devices, networks, and apps while protecting your Azure, Okta & Google identities from compromise
Intuitive single-pane management with granular control of certificate lifecycles
Deliver both user (roles, groups) and device (ownership, type) context to every connection
Simple and secure, backed by HSM (Hardware Security Module)
Extensible usage of PKI for authentication, signing and protecting of communications

Learn More

Top-Rated Certificate Enrollment and Configuration

A major barrier to passwordless authentication is ensuring every device gets, and updates, its certificates with ease. Our JoinNow Managed Device Gateways and MultiOS Self-service software provide painless certificate enrollment and renewals.

Extensive auto-enrollment APIs including SCEP, JSON, WSTEP, EST, and more.
Self-provision certificates and device configuration (Wi-Fi/VPN/etc) in just a few clicks.
Supports iOS, Windows, macOS, Android, ChromeOS, Linux, and Kindle.
Self-Enroll and configure Security Keys, such as YubiKeys. Ship and deploy keys for desktop login with single sign-on access to Azure AD (Microsoft Entra ID).

We standardized our identity provider to be Okta and wanted all of our network authentication to be cloud-enabled. This was a simple solution because it was 100% passwordless, Okta-native, and didn’t require us to replicate our cloud directory to do RADIUS authentication for Wi-Fi and VPN.

KIM, SENIOR SYSTEMS ADMINISTRATOR

Read the Full Story

Passwordless Networks Need a Cloud-Native RADIUS Service

If you’re going to have certificates, you’ll need to authenticate those certificates. Cloud RADIUS is a RADIUS service designed specifically for passwordless authentication. Ditch legacy protocols and costly on-premise services for good.

Native integration with Azure AD for enhanced control access control
100% passwordless, no reliance on LDAP, Active Directory, or passwords
Hi-performance authentication for quicker connections and superior roaming
Factor both user and device context for granular zero trust security
Passpoint and OpenRoaming enabled
Close PKI Integration with certificate auto-revocation

Learn More

Seamless Integration with all Wi-Fi Vendors

Aruba Extreme Networks Cisco WLC Cisco Meraki Cambium Networks Aerohive Ubiquiti

How to Set Up Passwordless Wi-Fi

Managed Device Setup

Enable Zero-touch certificate distribution and renewals. Leverage all your existing MDM/EMM platforms via APIs and Gateways to provision and manage certificates.

Step 1: Configure your MDM platform with our PKI services to send out configuration profiles directing managed devices to auto-enroll for a certificate and sel-service for 802.1X.

Step 2: Cloud RADIUS will authenticate the device for Wi-Fi access by directly communicating with your Azure AD.

Unmanaged/BYOD Device Setup

Getting certificates and device configurations such as Wi-Fi onto user devices isn’t easy, self-service software makes it simple. With JoinNow MultiOS, you can empower users to self-configure their devices for certificate-based authentication in just three easy steps:

Step 1: Configure JoinNow MultiOS, a dissolvable onboarding client that directs unmanaged devices to enroll for a certificate and enable 802.1X settings.

Step 2: Configure a custom landing page that detects the device’s OS and organization to determine the right certificate to provision.

Step 3: Cloud RADIUS will authenticate the device for Wi-Fi access by directly communicating with your Azure AD.

Okta Integration Guides

Policy Enforcement Certificate Enrollment

Okta Wireless Security FAQs

How Does Your Platform Allow Users to Authenticate to Wi-Fi with Okta?

SecureW2 allows you to tie policies and data from Okta directly to your wireless authentication through EAP-TLS certificate-based authentication. Our turnkey PKI can integrate seamlessly with Okta and leverage user/device information to encode in certificate templates. Once a certificate is issued, users can authenticate to your wireless network with that certificate.

Beyond certificates, SecureW2 also provides a Cloud RADIUS server that can verify user and device information in Okta in real-time. During authentication, Cloud RADIUS can look up the information on the certificate in Okta and confirm that the user exists there. This ensures that whenever someone authenticates to your wireless network, only the most up-to-date policies will be applied to their access.

Can this be Used to Enforce Device Trust For Okta Wi-Fi Authentication?

SecureW2’s platform integrates with Okta to ensure that users and devices are authenticated against information in Okta before granting them access to the network. This is achieved through certificate-based authentication, ensuring only trusted users are granted access.

SecureW2 ensures device trust by letting you use the Okta user email ID with any MDM and enables dynamic RADIUS authentication. Our Cloud RADIUS can directly talk to the Okta IDP during authentication, ensuring any access or authorization changes made to Okta users within Okta are applied at the time of authentication.

Our PKI also has advanced integrations with Intune and Jamf Pro. With Intune and Jamf, we can verify device status within your MDM platform every 10 minutes, revoking certificates accordingly. This means that we can look up device status and the user in Okta simultaneously when they authenticate to your network, enabling real-time user and device trust.

Why Shouldn’t I Use Okta Credentials Directly to Power Wi-Fi Network Security via RADIUS Server?

Credential-based wireless network authentication is still widely used, but more secure ways exist. Credentials can be duplicated, stolen, or shared with unauthorized third parties, leaving your network vulnerable. Moreover, because anyone can use Okta credentials, there’s no visibility on who is accessing your network and resources.

Digital certificates are more secure than credentials as they are phishing-resistant. They are also known to enhance user experience through a more effortless login experience that doesn’t require entering a password when they need to connect to your SSID.

Why Should I Consider Transitioning Away from Password-Based Network Authentication?

Password-based network authentication carries the risk of attacks like MITM and phishing. Passwords are also frustrating to manage for end-users, especially when they need to remember or reuse them on their applications. However, unlike passwords, digital certificates need not be reset or supplied whenever you want to authenticate yourself. They cannot be duplicated or stolen.

Once a user receives a digital certificate, it is valid till the date stamped on the certificate, or it is manually revoked. This enhances user experience as it avoids the hassle of password resets and disconnects due to password expiration.

I Have Multi-Factor Authentication (MFA). Isn’t that Passwordless?

While multi-factor authentication is more secure than a simple username and password combination, it’s still the best security available. It’s simply not practical for wired and wireless security when users move around to different locations, requiring multiple authentications. The introduction of MFA fatigue attacks, in which hackers spam users with MFA prompts until they just give in and approve them, also puts enterprises at risk. This is why organizations like CISA have recommended certificate-based authentication over MFA for increased security.

Why Can’t We Just Use Okta CA Instead of a Full PKI?

Okta CA is traditionally built to issue certificates to its users; however, it lacks the facilities offered by a full PKI which has things like API Gateways for automated issuance for managed devices, auto-renewal, and a whole host of other features necessary for an enterprise to manage certificates day-to-day. If a certificate expires, an organization has to go through the hassle of redistributing profiles and re-issuing certificates. This is not a scalable solution for bigger organizations as it would consume much time to constantly re-issue and manage certificates.

Our Managed PKI automatically renews certificates by integrating with other parts of your infrastructure, such as your MDMs. Our API Gateways check the status of devices every 10 minutes to ensure only active, trusted devices contain certificates. For unmanaged devices and BYODs, we provide an easy self-service enrollment experience that users can complete in just a couple of minutes when they need to renew their certificate. These certificates can also be authenticated through our Cloud RADIUS server. You can also tie your Okta policies to our Cloud RADIUS server to empower superior certificate-based security and real-time authentication for your wireless network and VPN.

Can We Build Our Own PKI Instead of Using a Managed PKI?

Yes, you can build your own PKI instead of using a Managed PKI for your organization, but it is very costly and time-consuming. The initial setup of a PKI requires technical expertise, a reserved and secure space for the server, and periodic maintenance. Additionally, certificate revocation, re-issuance, and renewals take time and effort.

With a Managed PKI, like our Connector PKI, your certificates are managed seamlessly. They also tie up with your existing cloud infrastructure, like Okta, for policy management. As our PKI is cloud-based, your administrators can access it from anywhere without having to set up on-premise servers at multiple locations.

Dynamic PKI

Cloud RADIUS

JoinNow MultiOS

JoinNow NetAuth

Featured Customers

Customer Stories

Integrations

Blog