The only Cloud RADIUS solution that doesn’t rely on legacy protocols that leave your organization susceptible to credential theft.
RADIUS is an acronym that stands for ‘Remote Authentication Dial-In User Service’. It’s also sometimes referred to by the service it provides as an ‘AAA’ or an ‘AAA Server’. AAA is an initialism that represents “Authentication, Authorization, Accounting”. A RADIUS server centralizes and manages these three tasks to securely authenticate remote users for network access. Although the exact method the server uses to accomplish this differs depending on the surrounding network ecosystem, it is at its core a client-server protocol that controls access to a network. A more easily understandable metaphor is this – the RADIUS server is a gate guard who checks the ID of the person wanting to go through, then checks the list of approved persons to be certain they’re authorized before allowing them access.
RADIUS servers can also be hosted in the cloud, such as our own Cloud RADIUS. Instead of hosting on a physical server, you can outsource the infrastructure to a virtual server hosted elsewhere, then access the services via the Internet.
A decade or so ago, the slow and unreliable internet speeds that were common would have prohibited cloud-based servers. That’s no longer the case – many services are moving to the cloud because it’s both simpler and more cost-effective.
While RADIUS does not necessarily require the use of certificates, it absolutely supports them and certificates are highly preferable to credentials.
Unlike credentials, certificates are tied to the identity of either a person or device. You know exactly who (or what) is accessing the network, and when and where they’re doing so.
Certificates cannot be compromised by an over-the-air attack, like man-in-the-middle attacks. They’re impossible to crack because of their public-private key cryptography foundation, and our industry-unique CertLock solution keeps them from being stolen from devices.
Certificates create a universally better user experience. They eliminate the need to remember login information – which also prevents the need for password-reset policies and all the hassles that entails. Certificates also authenticate faster than credentials.
If you are considering a RADIUS server, you are either already on WPA2-Enterprise or are considering the switch. Both scenarios represent a perfect opportunity to set up the EAP-TLS network authentication protocol to enable you to use digital certificates in place of credentials.
Once your network is running on EAP-TLS, you can use certificates to authorize network access.
A commonly held misconception is that issuing certificates and enrolling devices to use them is a process so cumbersome that it’s not worth the benefit. While that may have been true in the past, our world-class onboarding software allows you to push automatic-enrollment configs to either managed devices or BYOD devices, which can then self-enroll in minutes.
This solution, provided by our parent company SecureW2, dramatically reduces the burden on IT and makes switching to EAP-TLS and certificates a no-brainer.
In order to get the most out of your Cloud RADIUS servers you’ll want to use certificate-based authentication – and for that, you need a PKI.
PKI (Public Key Infrastructure) is the foundation that allows you to issue, revoke, and otherwise manage digital certificates. There are a few key components (identity provider, certificate revocation list, etc.) that comprise a PKI, but the RADIUS server is the only part that directly interfaces with the end user.
Many organizations already have an existing PKI and, when searching for a RADIUS to complement it, need to be sure that the RADIUS is compatible. Cloud RADIUS can integrate with every major IdP – such as AD or LDAP – as well as every major access point.
If you are missing some or all of the components of a PKI, our parent company SecureW2 can fill in the gaps. In addition to Cloud RADIUS, we host all the necessary services to construct a PKI in cloud-format, offering unparalleled convenience and speed. You could be issuing certificates in a matter of hours.
Identity Lookup is a security mechanism that allows a RADIUS server to look up a user’s identity in real time during the authentication phase.
In Active Directory there is a specific attribute called userAccountControl that is checked by the RADIUS server to perform the Identity Lookup:
Typically, with older RADIUS servers, the two values for the userAccountControl attribute are used to create an if-then statement to perform an Identity Lookup. With Cloud RADIUS, Identity Lookup is automatically configured for you.
What happens if my RADIUS Server isn’t able to perform an Identity Lookup? This is a great question, because some RADIUS Servers, if unable to perform an Identity Lookup, will not authenticate users. This leads to a terrible user experience, of course, since we are all entitled to internet access. This is solved by Failing Open, which is an option on most RADIUS Servers. This allows network access to users, even if the RADIUS Server isn’t able to perform an Identity Lookup.
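An added example (not Cloud RADIUS or SecureW2 code) of the if-then Identity Lookup decision described above, including what fail-open and fail-closed each do when the directory cannot be reached. The bit value is Microsoft's documented userAccountControl ACCOUNTDISABLE flag; `fetch_uac`, the sample directory and the reason strings are assumptions made for illustration.

```python
from enum import Enum

UAC_ACCOUNTDISABLE = 0x0002  # Microsoft-documented userAccountControl bit

class Decision(Enum):
    ACCEPT = "accept"
    REJECT = "reject"

class DirectoryUnavailable(Exception):
    """Raised by the lookup callable when the IdP cannot be reached."""

def account_enabled(uac):
    # Test the bit instead of comparing with 512/514, so values carrying
    # other flags (66048 = 512 + DONT_EXPIRE_PASSWORD) are still handled.
    return not (int(uac) & UAC_ACCOUNTDISABLE)

def identity_lookup(username, fetch_uac, fail_open=False):
    """Return (Decision, reason) for a user whose certificate already validated.

    fetch_uac (hypothetical) returns the attribute value, None when the
    user no longer exists, or raises DirectoryUnavailable.
    """
    try:
        uac = fetch_uac(username)
    except DirectoryUnavailable:
        if fail_open:
            return Decision.ACCEPT, "lookup-failed-fail-open"
        return Decision.REJECT, "lookup-failed-fail-closed"
    if uac is None:
        return Decision.REJECT, "user-not-found"
    if not account_enabled(uac):
        return Decision.REJECT, "account-disabled"
    return Decision.ACCEPT, "account-enabled"

# Constructed sample directory; LDAP returns the attribute as a string.
SAMPLE_DIRECTORY = {"alice": "512", "bob": "514", "carol": "66048", "dave": "66050"}

def sample_fetch(username):
    return SAMPLE_DIRECTORY.get(username)

def directory_down(username):
    raise DirectoryUnavailable("constructed outage")

if __name__ == "__main__":
    for user in ("alice", "bob", "carol", "dave", "erin"):
        print(user, identity_lookup(user, sample_fetch))
    print("bob, outage:", identity_lookup("bob", directory_down, fail_open=True))
```

With `fail_open=True`, the disabled account `bob` is accepted for as long as the lookup keeps failing, which is why the decision carries a reason string that can be written to RADIUS accounting logs and reviewed after an outage.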
With other RADIUS Servers, Identity Lookup is only supported with Active Directory (LDAP), and not with newer Cloud-based Identity Providers that use the SAML protocol. Cloud RADIUS is the only vendor in the industry to provide Identity Lookup for both LDAP and SAML Identity Providers.
Of course, the most important part of setting up your RADIUS server is integrating it into the Wi-Fi infrastructure.
Our Cloud RADIUS supports every major access point and controller, including:
Integrating with Cloud RADIUS is dead simple with our intuitive and powerful management suite. Just copy the IP address, port, and private key from your access point or controller and you’re in business.