How to Secure Remote RADIUS Authentication

How do you use RADIUS to authenticate an increasingly remote workforce?

There’s no denying it: working remotely is poised to become the norm. It cuts down on commute times and the expenses of owning or renting an office building. It also presents a range of unique challenges to organizations, such as how to provide your remote workforce access to company resources without putting those same resources at risk of compromise. This is doubly true when you consider the fact that employees will likely end up using some personal devices for work while they are at home. 


Integrating a RADIUS server is one way to increase the security of your company’s resources that are being accessed remotely. Like a guard at the gate, RADIUS servers verify that credentials or certificates presented to them come from valid users and devices. 


That still leaves one question to be answered: how exactly does remote RADIUS authentication work, and is it really secure? In this post, we’ll take a high-level look at using RADIUS to authenticate remote employees and secure your network or VPN.


What is Remote RADIUS Authentication?


RADIUS is an acronym for Remote Authentication Dial-In User Service. If you’re wondering what remote RADIUS authentication is, there are a few ways to answer the question. The first and easiest answer is that it’s simply what the first two letters of RADIUS stand for.


It’s called remote authentication because RADIUS is a networking protocol that lets users authenticate over a network, against a server that may be located elsewhere. At a very basic level, RADIUS servers just check a user’s credentials to ensure they’re valid. They permit valid users to access a particular network and deny invalid users.


Remote RADIUS authentication may also refer to a cloud-based RADIUS server like our own Cloud RADIUS. RADIUS servers can be set up on-premises, if you’re willing to invest the time and money it takes to maintain one. Cloud-based servers like our Cloud RADIUS, however, eliminate many of the expenses associated with maintaining a physical server and can also integrate with both on-prem and cloud network resources.


Finally, remote RADIUS authentication can be a reference to a RADIUS server (very likely a cloud RADIUS) that’s used for VPN authentication. This is a common setup for organizations with remote employees, as VPNs also make it possible for remote employees to access resources on your network. We’ll take a closer look at how VPNs and RADIUS can work together below.


How RADIUS and VPNs Complement Each Other


RADIUS servers and VPNs are a match made in heaven. To understand why they work so well for remote workforces, we’ll use a simple analogy. 


The easiest way to think of a RADIUS server is to imagine a guard at a gate. When someone attempts to access your network – or get through the gate in the analogy – they must present the guard with some kind of proof of identity. This usually takes the form of a username/password combo (credentials) or a certificate.


The RADIUS server cross-references the individual’s proof of identity with a directory of users. If the user’s credentials or certificate are valid, they will be let through the “gate” and onto the network.


Using a RADIUS server increases the security of VPNs by ensuring each person who logs into the VPN is a valid user. The VPN, in turn, adds another layer of security by providing an encrypted “shield” for the traffic as the user accesses the network. To go with our previous analogy, it would be like the user wearing a disguise before and after proving their identity and passing through the gate, so potential spies watching can’t see who they are or what they’re doing.


There’s still a flaw in this system, though. Using a credential-based authentication system with RADIUS and VPN is only a small step up. Credentials are a massive security liability for any business. They can be easily stolen through intentional malicious activity, like man-in-the-middle attacks, or snatched through employee negligence. It would be like a merchant passing through the gate in our analogy and saying a password out loud to the guard – bad actors would be able to easily see they were a person of interest, and listen closely for the password.


Even assuming your employees all maintain perfect password hygiene (quite a tall order), there’s no denying how annoying keeping track of all your credentials can be. With many password policies causing passwords to expire every 90 or so days, employees may quickly become irritated at the prospect of having to come up with a new, unique, and complex password every three months.


That raises the question: if using a RADIUS server in tandem with a VPN isn’t enough, then what is?


Using Certificate-Based RADIUS Authentication for VPN


The way to truly step up your RADIUS and VPN game is through the use of EAP-TLS. EAP-TLS is the most secure 802.1X protocol because it requires the use of certificates for authentication as opposed to credentials.


To understand how this method is more secure, let’s go back to our guard at the gate analogy. If you were using credentials, you would need to tell the guard your password and they would need to check it before letting you in. In this scenario, it could potentially be easy for a bystander to “overhear” and steal the password.
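What "telling the guard your password" looks like in password-based RADIUS, as an added example that is not from the original post: it assumes the PAP method and implements the User-Password hiding from RFC 2865 section 5.2, showing that the server gets the cleartext password back using only the shared secret. The function names and sample values are constructed for illustration.

```python
import hashlib
import hmac

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Client (NAS) side: build the User-Password value per RFC 2865, 5.2."""
    if not 1 <= len(password) <= 128 or len(request_auth) != 16:
        raise ValueError("password must be 1-128 bytes, authenticator 16 bytes")
    padded = password + b"\x00" * (-len(password) % 16)  # null-pad to 16n
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        # c(i) = p(i) XOR MD5(secret + c(i-1)); c(0) is the authenticator
        block = xor_bytes(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += block
        prev = block
    return out

def recover_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side: reverse the hiding to obtain the cleartext password."""
    if not hidden or len(hidden) % 16 or len(hidden) > 128 or len(request_auth) != 16:
        raise ValueError("malformed User-Password attribute")
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += xor_bytes(block, hashlib.md5(secret + prev).digest())
        prev = block
    return out.rstrip(b"\x00")

def server_accepts(hidden: bytes, secret: bytes, request_auth: bytes,
                   stored_password: bytes) -> bool:
    """The 'guard' checks the recovered password against its directory."""
    recovered = recover_password(hidden, secret, request_auth)
    return hmac.compare_digest(recovered, stored_password)

# Constructed sample values, not from any real deployment.
SECRET = b"example-shared-secret"
REQUEST_AUTH = bytes(range(16))
PASSWORD = b"correct horse battery staple"  # 28 bytes, padded to 32
HIDDEN = hide_password(PASSWORD, SECRET, REQUEST_AUTH)

if __name__ == "__main__":
    print("on the wire:", HIDDEN.hex())
    print("server sees:", recover_password(HIDDEN, SECRET, REQUEST_AUTH))
    print("accepted:   ", server_accepts(HIDDEN, SECRET, REQUEST_AUTH, PASSWORD))
```

The password is only as private as the shared secret and the path the request travels, which is why password-based RADIUS depends on a strong, unique shared secret per client and a protected transport.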


A certificate, on the other hand, is like flashing an ID badge at the guard. This badge proves your identity but cannot be stolen or transferred. 


There are numerous benefits to certificates as opposed to credentials. First, employees aren’t required to deal with the hassle of remembering yet another username and password on top of all the others they have. They also won’t need to struggle to come up with new passwords due to frequent password expiration policies.


Additionally, because there is no password to steal, you won’t need to worry about the risk of credentials being compromised. If someone were to somehow intercept a certificate, they wouldn’t be able to do anything with it, as certificates are encrypted.


Another huge benefit to certificates is the fact that they’re tied to specific devices or users. This makes it a simple matter for you to be aware of anyone who’s connected to your network. 


SecureW2 makes it easy to implement certificate-based authentication, including a PKI that you can integrate with your infrastructure with no forklift upgrades. Every step of the certificate lifecycle, from issuing to revoking, is made simple by our user-friendly certificate management system.


Secure Remote RADIUS Authentication: A Perfect Match with Your VPN


Authenticating your remote employees’ identities is a simple matter with RADIUS. RADIUS servers can ensure that only valid users are accessing network resources, whether that means your company’s wireless network, applications, or a VPN. 


To truly heighten your network security, consider combining a RADIUS server and certificate-based authentication. SecureW2 is the only company in the industry that offers a Cloud RADIUS and turnkey PKI services, as well as everything you’ll need to integrate them with your current infrastructure.

Amanda Tucker
