A Complete Guide to RADIUS Servers

The only Cloud RADIUS solution that doesn’t rely on legacy protocols that leave your organization susceptible to credential theft. 

What is a RADIUS Server?

RADIUS is an acronym that stands for ‘Remote Authentication Dial-In User Service’. It’s also sometimes referred to by the service it provides as an ‘AAA’ or an ‘AAA Server’. AAA is an initialism that represents “Authentication, Authorization, Accounting”. A RADIUS server centralizes and manages these three tasks to securely authenticate remote users for network access. Although the exact method the server uses to accomplish this differs depending on the surrounding network ecosystem, it is at its core a client-server protocol that controls access to a network. A more easily understandable metaphor is this – the RADIUS server is a gate guard who checks the ID of the person wanting to go through, then checks the list of approved persons to be certain they’re authorized before allowing them access.

Advantages of Cloud RADIUS Servers

RADIUS servers can also be hosted in the cloud, such as our own Cloud RADIUS. Instead of hosting on a physical server, you can outsource the infrastructure to a virtual server hosted elsewhere, then access the services via the Internet.

A decade or so ago, the slow and unreliable internet speeds that were common would have prohibited cloud-based servers. That’s no longer the case – many services are moving to the cloud because it’s both simpler and more cost-effective.

Using Cloud RADIUS has some key benefits:

  • You don’t need to run your own RADIUS server. Neither the physical equipment (server room, computers, etc.) nor the setup and maintenance of the networking infrastructure are necessary – it can all be handled virtually.
  • Cloud-hosted solutions are cheaper than setting up local ones. You skip the cost of setup and spend virtually no time on maintenance.
  • Hosting a server in the cloud is more secure for a number of reasons. Being separated from the premises removes the opportunity for physical penetration. Additionally, the scale of the operation ensures that there are dedicated experts managing the service, an upgrade from just handing the responsibility off to whatever IT guy is around.
  • While redundancy is a necessary consideration for on-site RADIUS servers, it’s a given for cloud-hosted servers. By their very nature they are hosted online and stored in a physical location; our Cloud RADIUS is always available through our robust management interface.
  • On-site servers are heavily dependent on regular maintenance and constant vigilance to stay online, unlike cloud servers. Our Cloud RADIUS servers are built on AWS, servers that have a 99.99% uptime.

Do RADIUS Servers Support Certificates?

While RADIUS does not necessarily require the use of certificates, it absolutely supports them, and certificates are highly preferable to credentials.

Unlike credentials, certificates are tied to the identity of either a person or a device. You know exactly who (or what) is accessing the network, and when and where they are doing so.

Certificates cannot be compromised by an over-the-air attack, like man-in-the-middle attacks. They’re impossible to crack because of their public-private key cryptography foundation, and our industry-unique CertLock solution keeps them from being stolen from devices.

Certificates create a universally better user experience. They eliminate the need to remember login information – which also prevents the need for password-reset policies and all the hassles that entails. Certificates also authenticate faster than credentials.

EAP-TLS and Cloud RADIUS

If you are considering a RADIUS server, you are either already on WPA2-Enterprise or are considering the switch. Both scenarios represent a perfect opportunity to set up the EAP-TLS network authentication protocol, which lets you use digital certificates in place of credentials.

Enroll Users for Certificates

Once your network is running on EAP-TLS, you can use certificates to authorize network access.

A commonly held misconception is that issuing certificates and enrolling devices to use them is a process so cumbersome that it’s not worth the benefit. While that may have been true in the past, our world-class onboarding software allows you to push automatic-enrollment configs to either managed devices or BYOD devices, which can then self-enroll in minutes.

This solution, provided by our parent company SecureW2, dramatically reduces the burden on IT and makes switching to EAP-TLS and certificates a no-brainer. Click here to check out our pricing.

Integrating Cloud RADIUS Servers with PKIs

In order to get the most out of your Cloud RADIUS servers you’ll want to use certificate-based authentication – and for that, you need a PKI.

PKI (Public Key Infrastructure) is the foundation that allows you to issue, revoke, and otherwise manage digital certificates. A PKI comprises a few key components (identity provider, certificate revocation list, etc.), but the RADIUS server is the only part that directly interfaces with the end user.

Many organizations already have an existing PKI and, when searching for a RADIUS server to complement it, need to be sure that the RADIUS server is compatible. Cloud RADIUS can integrate with every major IdP – such as AD or LDAP – as well as every major access point.

If you are missing some or all of the components of a PKI, our parent company SecureW2 can fill in the gaps. In addition to Cloud RADIUS, we host all the necessary services to construct a PKI in cloud-format, offering unparalleled convenience and speed. You could be issuing certificates in a matter of hours.

Identity Lookup

Identity Lookup is a security mechanism that allows a RADIUS server to look up a user's identity in real time during the authentication phase.

In Active Directory there is a specific attribute called userAccountControl that is checked by the RADIUS server to perform the Identity Lookup:

  • If userAccountControl = 66048; user is enabled
  • If userAccountControl = 66050; user is disabled

Typically, with older RADIUS servers, the two values for the userAccountControl attribute are used to build an if-then statement that performs the Identity Lookup. With Cloud RADIUS, Identity Lookup is automatically configured for you.

Failing Open

What happens if my RADIUS server isn't able to perform an Identity Lookup? This is a great question, because some RADIUS servers, if unable to perform an Identity Lookup, will not authenticate users. This leads to a terrible user experience, of course, since we are all entitled to internet access. This is solved by Failing Open, which is an option on most RADIUS servers. It allows network access to users even if the RADIUS server isn't able to perform an Identity Lookup.
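An added example (not Cloud RADIUS or SecureW2 code) covering the Identity Lookup check and the Failing Open option described above: it reads userAccountControl as the bit field it is, treats the two values from the text as instances of the ACCOUNTDISABLE bit, and shows exactly what a fail-open setting admits when the directory cannot be queried. The sample directory and the two lookup functions are constructed for the example; the bit values are the standard Active Directory ones.

```python
from enum import Enum
from typing import Callable, Optional

# Bits of the Active Directory userAccountControl bit field (standard values).
ACCOUNTDISABLE = 0x0002
NORMAL_ACCOUNT = 0x0200
DONT_EXPIRE_PASSWORD = 0x10000
# 66048 (the page's "enabled" value) is NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD;
# 66050 (the page's "disabled" value) is the same with ACCOUNTDISABLE set.

class Decision(Enum):
    ACCEPT = "Access-Accept"
    REJECT = "Access-Reject"

class DirectoryUnavailable(Exception):
    """The identity source could not be queried (LDAP down, timeout, ...)."""

# Constructed sample directory standing in for an LDAP query.
SAMPLE_DIRECTORY = {
    "alice": 66048,  # enabled, password never expires
    "bob": 66050,    # disabled
    "carol": 512,    # enabled, but not the exact value 66048
}

def sample_lookup(username: str) -> Optional[int]:
    """Return userAccountControl for a known user, None for an unknown one."""
    return SAMPLE_DIRECTORY.get(username)

def down_lookup(username: str) -> Optional[int]:
    """Simulates an unreachable directory."""
    raise DirectoryUnavailable("LDAP unreachable")

def is_enabled(uac: int) -> bool:
    """Test the ACCOUNTDISABLE bit instead of comparing whole numbers, so
    accounts carrying additional flags are still classified correctly."""
    return (uac & ACCOUNTDISABLE) == 0

def authorize(username: str, lookup: Callable[[str], Optional[int]],
              fail_open: bool = False) -> Decision:
    """Identity Lookup decision. An unknown user is always rejected; only a
    failure to query the directory is governed by fail_open."""
    try:
        uac = lookup(username)
    except DirectoryUnavailable:
        # Fail-open admits anyone whose state cannot be verified, disabled
        # accounts included; fail-closed rejects until the directory returns.
        return Decision.ACCEPT if fail_open else Decision.REJECT
    if uac is None:
        return Decision.REJECT
    return Decision.ACCEPT if is_enabled(uac) else Decision.REJECT
```

Note that with fail_open=True a disabled account such as "bob" is admitted while the directory is down, which is the trade-off behind the option.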

SAML vs LDAP

With other RADIUS servers, Identity Lookup is only supported with Active Directory (LDAP), and not with newer cloud-based Identity Providers that use the SAML protocol. Cloud RADIUS is the only vendor in the industry to provide Identity Lookup for both LDAP and SAML Identity Providers.

Integrating Cloud RADIUS Servers with Wi-Fi Infrastructure

Of course, the most important part of setting up your RADIUS server is integrating it into the Wi-Fi infrastructure.

Our Cloud RADIUS supports every major access point and controller, including:

  • Meraki
  • Okta
  • Cisco
  • And more!

Integrating with Cloud RADIUS is dead simple with our intuitive and powerful management suite. Just copy the IP address, port, and private key from your access point or controller and you’re in business.