A RADIUS server could be the missing piece of the puzzle for your organization’s network authentication. Here’s everything you need to know about RADIUS servers.
The cybersecurity landscape is constantly shifting as cybercriminals come up with clever new attack vectors. In addition to new attack vectors, the frequency of cyber attacks is increasing; a recent analysis shows that the number of cyber attacks increased by 40% from 2020 to 2021. To keep up with the times, new authentication protocols are being introduced and old ones improved constantly, such as with the RADIUS protocol.
RADIUS is an authentication protocol seeing an increasingly wide use in a range of industries. If you’re interested in implementing RADIUS in your own organization but don’t know where to begin, you’re in the right place. This is the ultimate guide for RADIUS servers and how they work.
RADIUS is an acronym that stands for “Remote Authentication Dial-In User Service”. It is also often called an AAA server, which stands for “Authentication, Authorization, and Accounting”.
RADIUS servers get the nickname AAA because it sums up what they do. They use an authentication protocol that grants or denies users access to a range of services, including Wi-Fi, VPN, and applications.
The easiest way to imagine where RADIUS fits in your network authentication system is to picture a bouncer at the door to a club. When someone tries to access a protected resource, the RADIUS server first confirms they should have access by checking their credentials or their certificate. Then, the RADIUS server rejects or authenticates the user accordingly.
To utilize the RADIUS protocol successfully, you’ll just need a couple of components: the RADIUS server itself, and an identity provider (IDP) or directory that holds your users’ credentials or certificates.
The second part is necessary because, although it confirms whether a user should have access to a given resource, the RADIUS server itself does not store user credentials and certificates. Therefore, it needs a directory to check. Common IDPs for use alongside RADIUS include Active Directory, Azure AD, Google, and Okta.
Our bouncer at the door analogy gives you an extremely basic idea of how the RADIUS authentication process works, but let’s get a bit more technical. Now that you have the foundational knowledge, we can start building it up.
RADIUS authentication can verify users and their devices through two different methods: digital certificates and credentials (usernames and passwords). The way the RADIUS server interacts with either method varies.
Let’s say you have a username and password you use to log onto a work VPN because you’re a remote employee. With RADIUS in place for VPN authentication, you would enter your username and password as usual. Then, the RADIUS server would quickly check that information in the IDP.
The RADIUS server is looking for a couple of things at this point. First, it confirms that you are an authorized user. Second, it can also determine what level of authorization you have based on which group you belong to in the IDP. For example, if you’re in your organization’s financial department, your organization may have granted you access to different resources and systems from someone in the HR department. This is called role-based access control, a cornerstone of Zero Trust Network Access (ZTNA). If your RADIUS server supports Identity Lookup, as our Cloud RADIUS does, it can also look up the certificate holder’s identity in the IDP at the time of authentication.
Things work a bit differently if you’re using digital certificates, which are definitively more secure than credentials. For this scenario, imagine you’re the same remote worker trying to access a work VPN, except your organization uses certificates instead of credentials. When you connect to your VPN, instead of entering a username and password, your device presents its certificate to the RADIUS server.
First, the RADIUS server checks that the certificate has not expired. If it hasn’t, the RADIUS server verifies that your certificate has not been revoked by comparing it against a Certificate Revocation List (CRL). Provided your employer hasn’t revoked your certificate and it isn’t expired, the RADIUS server sends your network infrastructure an Access-Accept message, and you’ll be granted access accordingly.
In the sections above, we talked about how RADIUS can work as an authentication method for VPNs. You can also use your RADIUS server for Wi-Fi authentication. This has become very commonplace among organizations today due to the growing threats surrounding pre-shared key authentication and MITM attacks. A RADIUS server allows organizations to support WPA2-Enterprise / 802.1X, vastly increasing the strength of network security.
There are many compelling reasons why you may want to guarantee that only authorized users can tap into your Wi-Fi network. For instance, hackers can use a method called “sniffing” to passively observe traffic in a specific network if they’re able to log into it. It’s not uncommon for hackers to sit in public places that offer free Wi-Fi and do precisely that.
So, to prevent bad actors from misusing your Wi-Fi, you can use a RADIUS server. It works much the same for Wi-Fi as it does for VPNs; when someone enters a username and password for your Wi-Fi, the RADIUS server checks that they’re authorized to connect. Similarly, it will confirm the validity of certificates.
RADIUS Servers also play a critical role in identifying users and devices. Without a RADIUS Server, your Wi-Fi can only support the WPA2-PSK protocol, which can’t distinguish between different users since everyone uses the same pre-shared key (hence the name).
A RADIUS Server allows your Wi-Fi access policies to differentiate between users and groups. This is most commonly used to segment traffic into separate VLANs, but can become incredibly sophisticated. For example, Cloud RADIUS can deny or allow network access based on Time of Day, NAS-ID, certificate expiration date, and much more.
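As an added example (not SecureW2’s code or Cloud RADIUS itself), the following Python models the decisions described above for both the VPN and Wi-Fi cases: the certificate path (expiry, CRL, identity lookup in the IDP), the credential path, and group-based VLAN assignment with time-of-day and NAS-ID rules. The IDP, CRL, NAS identifiers, users and policy values are all constructed.

```python
# Added example, not SecureW2's code: a small model of the RADIUS decision flow
# described above. The IDP, CRL, NAS list and policy values are all constructed.
import hmac
from dataclasses import dataclass
from datetime import date, datetime

IDP = {"alice": ("s3cret", "finance"), "bob": ("hunter2", "hr")}  # user -> (pw, group)
CRL = {"0x1b3"}                          # serial numbers the CA has revoked
ALLOWED_NAS = {"corp-ap-1", "vpn-gw"}    # NAS-Identifier values this server serves
VLAN_BY_GROUP = {"finance": "10", "hr": "20"}
HOURS = (8, 18)                          # time-of-day window, 08:00-18:00
@dataclass
class Cert:
    subject: str      # CN, expected to match an IDP username
    serial: str
    not_after: date

def authenticate(req: dict, now: datetime) -> tuple[str, dict]:
    """Return ("Access-Accept", attrs) or ("Access-Reject", {"reason": ...})."""
    if req.get("nas_id") not in ALLOWED_NAS:
        return "Access-Reject", {"reason": "unknown NAS-Identifier"}
    if "cert" in req:                     # certificate (EAP-TLS style) path
        cert = req["cert"]
        if cert.not_after < now.date():
            return "Access-Reject", {"reason": "certificate expired"}
        if cert.serial in CRL:
            return "Access-Reject", {"reason": "certificate revoked"}
        user = cert.subject
        if user not in IDP:               # identity lookup: holder still in the IDP?
            return "Access-Reject", {"reason": "subject not in IDP"}
    else:                                 # username/password path
        user, pw = req.get("user", ""), req.get("password", "")
        if user not in IDP or not hmac.compare_digest(IDP[user][0], pw):
            return "Access-Reject", {"reason": "bad credentials"}
    if not HOURS[0] <= now.hour < HOURS[1]:
        return "Access-Reject", {"reason": "outside allowed hours"}
    # Authorization: tell the NAS which VLAN to place the user in (RFC 2868 attrs).
    return "Access-Accept", {"User-Name": user, "Tunnel-Type": "VLAN",
        "Tunnel-Medium-Type": "IEEE-802", "Tunnel-Private-Group-ID": VLAN_BY_GROUP[IDP[user][1]]}

def demo(now: datetime = datetime(2024, 3, 4, 10, 0)) -> dict:
    # Constructed scenarios; returns {name: decision} for inspection or testing.
    good, revoked = Cert("alice", "0x2a1", date(2025, 1, 1)), Cert("bob", "0x1b3", date(2025, 1, 1))
    return {
        "cert_ok": authenticate({"nas_id": "vpn-gw", "cert": good}, now),
        "cert_revoked": authenticate({"nas_id": "vpn-gw", "cert": revoked}, now),
        "cred_ok": authenticate({"nas_id": "corp-ap-1", "user": "bob", "password": "hunter2"}, now),
        "cred_bad": authenticate({"nas_id": "corp-ap-1", "user": "bob", "password": "x"}, now),
        "after_hours": authenticate({"nas_id": "vpn-gw", "cert": good}, now.replace(hour=23)),
    }
```

A real server would receive these fields as RADIUS attributes over UDP from the NAS and would also consult OCSP or a fresh CRL rather than a static set.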
LDAP stands for Lightweight Directory Access Protocol. It’s basically a “language” that can be used to search some directories for information on users and devices. LDAP is especially common with older systems that “speak” LDAP, such as Active Directory. Both RADIUS and LDAP can be used for authentication, which is why there can be some confusion about the differences between them.
RADIUS and LDAP aren’t mutually exclusive. They are simply two different protocols. Servers that utilize either protocol can be named after them: RADIUS servers and LDAP servers. Above you can see an example of how RADIUS works with LDAP alongside Okta as an IDP.
Over time, LDAP has grown increasingly untenable as an authentication protocol due to its reliance on insecure credentials and ties to legacy on-premise equipment. If you’re looking to move away from LDAP, Cloud RADIUS is right for you.
The concept of RADIUS networking was born in the early 1990s, during the golden age of dial-up internet. Merit Network, a nonprofit organization that provides quality networking services to educational, government, and healthcare entities, requested a solution that condensed their authentication, authorization, and accounting systems.
In response, Livingston Enterprises drafted the first version of Remote Authentication Dial-In User Service. Initially, RADIUS primarily supported credential-based authentication, but it has changed over time to support other authentication methods such as digital certificates. This keeps it relevant within the scope of the ever-changing cybersecurity industry.
When it comes to anything in the tech industry, change happens fast. It’s not often that you see something stick around for decades. And yet, that’s certainly the case with RADIUS. In fact, RADIUS Servers have only now become accessible to many organizations due to the advent of the Cloud. Many organizations today have RADIUS adoption pegged as a future project.
Some replacements have been suggested, such as the Diameter protocol (another AAA protocol), but these days, Diameter is used mostly in 3G. RADIUS, on the other hand, continues to enjoy wide use in a plethora of spaces. Numerous companies, from massive enterprise-level organizations to small businesses, have integrated RADIUS servers with their infrastructure.
It’s hard to imagine that anything related to cybersecurity could remain relevant for decades. Given its age, it’s natural to question the safety of RADIUS servers in a significantly more cyberthreat-ridden time.
The good news is that RADIUS servers remain incredibly safe when they’re properly configured. They’re at their best when you use them alongside X.509 digital certificates rather than with credentials, which are always at risk of being stolen by cyber criminals.
A breach to your organization’s network infrastructure is one of the worst things that can happen to a business today. It can have a devastating impact both to your daily operations and to your reputation with customers and clients. It’s difficult to put a number on the customer trust you may lose, but a recent study found that the average data breach costs companies $4.24 million.
With that in mind, it’s imperative to stay on top of security best practices, and that includes the way you’re authenticating people who access your resources. You don’t want just anyone getting in, and that’s something RADIUS can help you with.
A RADIUS server can ensure that only the right people are gaining access to company resources by either checking their credentials with your Identity Provider or by confirming a certificate is still valid by comparing it to a Certificate Revocation List. A RADIUS server with Identity Lookup, such as SecureW2’s Cloud RADIUS, can even go the extra mile by cross-referencing certificates with your IDP at the time of authentication, enabling a broad range of attribute-based policy enforcement options.
Another thing to consider is the value of role-based access control, which we touched on a bit previously. If your organization is trying to move to a mature ZTNA model, a RADIUS server can help you get there by granting the appropriate level of network access to each user based on their credentials or certificate (or directory entry, in the case of Identity Lookup).
Additionally, RADIUS servers grant your IT team some extra visibility through their event logs. This means that IT professionals are able to check the logs for any suspicious activity and respond quickly.
In short, yes, a RADIUS server is an excellent addition to your company’s network security strategy. A better question to ask yourself is whether you want to have one physically on-site or if you’re going to use a cloud-based server.
If you’ve decided to make the leap to RADIUS, you’ll have another consideration to make: whether you’re going to build one on-premise or leverage a cloud-based one like Cloud RADIUS. There are advantages and disadvantages to either system, which we’ll touch on briefly below.
An on-premise RADIUS server offers you the advantage of total control over it. After all, it’s located physically within your organization’s walls, and chances are, your staff built it themselves. This is the main attraction of an on-premise RADIUS.
Frankly, there are many more drawbacks to consider. One major area of concern is physical security. If your RADIUS server is located on-site, then you have to make sure you prevent the wrong people from physically gaining access to it.
Both bad actors and disgruntled employees could easily wreak havoc on a server if they knew how to get to it. Even people without malicious intent can accidentally damage your server if they’re allowed in its space.
People aside, there’s the risk of uncontrollable disasters, as well. Fires, earthquakes, and other types of weather could potentially damage your server or, at the very least, take it offline for a period of time.
It’s also important to consider the complications of properly configuring a RADIUS server. You could easily misconfigure it if you don’t have an IT staff with the requisite experience. Hiring consultants to aid in the setup process could help but is undeniably costly.
The costs of keeping an on-prem server add up over time. Hiring on additional personnel, maintaining the necessary physical space, and paying for the hardware are expenses that compound.
Cloud-based RADIUS servers, like our Cloud RADIUS, counter all the points made in the previous section.
For starters, you don’t have to worry about misconfiguring the server because you are basically paying for the expertise of a third party to set it up and maintain it. Should there be an issue, you can rely on that same expertise to help you resolve it. In SecureW2’s case, you’d have access to a team of RADIUS experts 24/5. Of course, if you just want to use a flexible cloud-based RADIUS server that you manage on your own, that’s also entirely possible with SecureW2’s Cloud RADIUS.
Because an experienced team has already built the RADIUS server, you’re also saving on time. Our Cloud RADIUS is essentially plug and play – it integrates with your already-existing infrastructure so you don’t have to deal with the hassle of time- and money-consuming upgrades.
Physical security concerns are also eliminated. With multiple servers located all over the world, Cloud RADIUS has redundancy baked right into it. As a bonus, you also don’t need to find room (either in your office or in your budget) for the physical server hardware.
The only real drawback is that you don’t enjoy the same degree of control over what goes into the RADIUS server since you’re not the one building it yourself. Very stringent compliance requirements may mandate an on-prem RADIUS for liability reasons.
However, you may find this drawback to be small in comparison to the difficulty of configuring a RADIUS from scratch. We’ll give you an example.
Windows is ubiquitous in modern business environments, so one of the most widely applicable examples of RADIUS configuration would be a RADIUS server for Active Directory (AD). In this scenario, many people use Microsoft’s own NPS (Network Policy Server) as a RADIUS server. We’ll give you a quick overview of how NPS can work with AD, but there are many official Microsoft guides you can check out for more information. We will link to a couple of them below.
There are a lot of steps you’ll need to take prior to getting your NPS server set up with its RADIUS clients. Here’s a short list of the things you’ll need to have established before tackling this configuration:
If you’ve completed these objectives, you’re ready to get to the nitty-gritty of it: configuring your NPS server with its RADIUS clients. We’ll give you a quick walkthrough of that process.
Configuring a RADIUS client with NPS is a time-consuming process. Each of the prerequisites mentioned above has its own guide with a multi-step process that takes a high degree of IT expertise.
Once you’ve accomplished the prerequisites, you’ll need to go into the Server Manager tool and set up your RADIUS clients with NPS. Again, this is a multi-step process that requires IT knowledge. Without that knowledge and experience, the odds are high that a mistake will be made in the configuration.
There is an easier way: Cloud RADIUS. With Cloud RADIUS, you can have as much of a hand in the configuration as you want to. You can go in-depth with the customization, or leverage our team’s extensive experience to smoothly configure your RADIUS server to your organization’s unique needs.
NPS is just one example of a RADIUS server you might self-configure if you were setting a server up yourself. As you can see, however, there are a lot of steps involved. Without the proper experience and expertise, it’s all too easy to misconfigure your RADIUS server.
An improperly configured RADIUS server is more of a security liability than it is a strength. You can skip the headache of self-configuration by using RADIUS-as-a-service options like our best-in-class Cloud RADIUS. Best of all, Cloud RADIUS can seamlessly integrate with a range of vendors, so you’re not just limited to Microsoft.
If you want to learn more about how flexible Cloud RADIUS can be, check out this story about how one of our customers used it to authenticate both employees and contractors with BYODs.