Can I Use 2FA/MFA with a RADIUS server?
In this article we will go over how you can use Multi-Factor Authentication (MFA) to strengthen your RADIUS server.
When attempting to strengthen your network security, a general rule of thumb is that the more sophisticated the system you have in place, the more secure your network is. This method of thinking is certainly employed with Multi-Factor Authentication (MFA). Sometimes referred to as Two Factor Authentication (2FA), MFA is exactly what it sounds like – a method of authentication that requires the user to present more than one form of identification.
The three pillars of MFA authentication are:
- Something you know (a password)
- Something you are (a fingerprint)
- Something you have (a physical authorization token / security key).
The advantage of MFA is that each layer of authentication adds more difficulty to potential threats looking to infiltrate a network.
If you are looking to further strengthen your network’s security, many research whether you can use MFA with a RADIUS server. MFA can be a powerful tool; however, it’s imperative to know its functions in order to properly implement it into your network.
Can I Use MFA to Secure VPN-RADIUS Authentication?
Recently, Homeland Security issued a warning that VPNs are being targeted by credential theft attacks. This is exactly why MFA is necessary for VPN Security. However, what’s not clear is how MFA/2FA should be used if you’re using a RADIUS server to secure your VPN authentication.
You can use MFA/2FA with a RADIUS-hardened VPN authentication in two ways:
- During the authentication process by using:
- An authenticator app (such as Google Authenticator) where the user inputs a time-sensitive code when they want to use their VPN.
- A security key (like a YubiKey) that contains a private key or certificate paired with the user identity.
- During the enrollment process by using:
- Onboarding software, so users are required to use some form of 2FA/MFA (key, authenticator app, SMS) in order to obtain a x.509 Certificate that will give them VPN access.
Should I Use MFA to Authenticate VPN Users?
VPNs are essential in modern times and are a convenient way to allow individuals to access internal applications from anywhere. However, organizations often make the mistake of providing users with nothing more than a username and password to access the VPN.
A great use for MFA is protecting your organization’s VPN.
Login credentials can easily be lost or stolen, which is a nightmare for organizations that now have to deal with a thief who can potentially access their data from anywhere in the world.
With an authenticator application such as Google Authenticator, you can make sure that the person using the VPN is exactly who they say they are, as they are forced to enter in a time-sensitive code which should only be accessible by the certified user.
Moreover, you can further enhance your security by using a security key such as YubiKey for MFA. This almost completely eliminates the possibility of stolen credentials being used maliciously and ensures that the intended user is present. SecureW2 even allows users to use a YubiKey that contains a certificate authenticated by your RADIUS server for an even more secure MFA solution.
Should I Use MFA to Onboard Users to My Wireless Networks?
While you can’t use MFA to authenticate users to your Wi-Fi network, you can set up any MFA that’s supported by your identity provider when enrolling a new device for RADIUS authentication.
For example, a user enrolling for certificate-based RADIUS authentication would be enrolled by entering credentials and another factor of authentication, such as a fingerprint scan. This extra step would put the risk of a malicious attacker obtaining IDP credentials and gaining a certificate to nearly zero.
If you’re using Wi-Fi, you should certainly use some type of MFA during your network’s enrollment process. However, organizations using SecureW2 don’t need to do this because they have full visibility into the onboarding logs in the management portal, so they can see if a certificate was issued to an unknown device.
Delivering 2FA/MFA With Cloud RADIUS
One of the benefits of using SecureW2’s Cloud RADIUS is the fact that you can easily integrate your MFA of choice into the onboarding process. Many other RADIUS server providers request the users credentials, which is simply an inferior method of security. We recommend enrolling YubiKey with a certificate as a replacement for MFA codes. The private key generation on the YubiKey makes the key extremely secure and verifies that the intended user is present.
If you want to ensure that your network security is using every tool available, we can help you easily implement the defensive strategy you’re looking for in no time at all, Click here to see our pricing.