Installing a Web-Based RADIUS Server
Is it better to operate a RADIUS in the cloud, or install a Cloud RADIUS?
To improve their wireless network’s overall security and efficiency, many organizations are moving from on-premise infrastructure to cloud-based. Operating more of the network in the cloud prevents a myriad of attacks and accommodates new and better technologies.
Of course, when designing and configuring a cloud-based network, it’s vital to consider what technology will be operated in the cloud. There is a significant difference between tech that can work in the cloud and tech that is designed to work in the cloud. Below we will specifically discuss RADIUS servers and consider which option would work best: operate a RADIUS in the cloud, or use a Cloud RADIUS.
Using On-Premise RADIUS in the Cloud
Any RADIUS can technically be configured to operate using the cloud, but how is this accomplished with traditionally on-site RADIUS servers? There are several methods, but they commonly require a third party addition to accomplish the task.
Most often, the on-site RADIUS communicates with cloud infrastructure via a proxy. The end user sends their authentication information through the cloud to a proxy. That information is then transmitted from the proxy to the RADIUS where it is then authenticated. After either confirming or denying the user network access, that response is sent from the RADIUS, to the proxy, and then to the end user.
After reading the process, it would seem obvious to most that there’s a built-in inefficiency to the process. Does the addition of a proxy cause issues for the network over time?
Disadvantages of Using On-Prem RADIUS in the Cloud
There are methods to operate any RADIUS in the cloud, but before selecting an option, it’s more important to consider what the RADIUS is designed to do. All technology is designed for a specific purpose and deviating from that purpose can have consequences. It may be difficult to configure, open unforeseen vulnerabilities, or be frustratingly difficult to manage.
Any on-site RADIUS will not come natively with a cloud management portal. Network management will always be a struggle and it can create weaknesses by not knowing who is present on the network.
Additionally, an on-site RADIUS will not work natively with many cloud services. As demonstrated above, it requires significant changes and 3rd party services just to begin to operate in the cloud. If you want the entire network to transition more fully towards the cloud, on-site infrastructure could hold you back significantly.
Operating NPS in Azure Marketplace
A specific example of operating an on-site RADIUS in the cloud is configuring NPS to operate with Azure. Linked here is the process broken down by Microsoft and it demonstrates the shortcomings of making a non-cloud RADIUS operate in the cloud. The process requires a number of 3rd party additions and the result is NPS working as a proxy RADIUS; NPS is sent authentication requests that are sent to the cloud and transmitted through an intermediary for authentication.
The primary takeaways from operating NPS in Azure marketplace are a lengthy configuration process and extensive maintenance over time. As new technologies are integrated, changes and additions to the process will be required. And the most significant drawback is the lack of cloud management. Without a cloud portal, it will be incredibly hard to know what is happening on your network and how to manage it.
Cloud RADIUS Excels in the Cloud
A cloud RADIUS like SecureW2 Cloud RADIUS offers enormous advantages right out of the gate. Dynamic Cloud RADIUS integrates with any network infrastructure from major vendors, cloud and on-premise technologies. Additionally, it allows for organizations to up their authentication security game by switching from credentials to certificate-based authentication.
One of the most visible benefits is the powerful management portal provided by SecureW2. It allows complete network visibility for admins. Here you can view who is present on the network, oversee authentication events, and troubleshoot any issues remotely. It also enables robust management tools to ensure the network operates smoothly. You can implement policy settings (such as GPO), segment the network into specific user groups, and manage the entire certificate lifecycle from provisioning to revocation/expiration.
A feature unique to SecureW2’s Dynamic Cloud RADIUS is the ability to communicate directly with the IDP during authentication. This is a huge improvement for those using certificates for authentication. One of the primary benefits of certificates is how they operate with a set-and-forget attitude. When a user receives their certificate, it is usually set to expire after multiple years – compare this to passwords which are usually set to expire after a few months.
Because certificates can be configured to last years, a user’s status within an organization may be subject to change in that time. If a person were to need new network permissions, in the past they would need all their certificates on every device to be updated. With Dynamic Cloud RADIUS, you can update their settings in the IDP. During authentication, the RADIUS will communicate with the IDP and dynamically enforce policy decisions.
RADIUS is Most Effective in the Cloud
The rigidity of an on-premise RADIUS server working in the cloud is likely to cause significant slowdowns for many network admins. Lack of management tools, expensive maintenance, or new cybersecurity threats can be the result of using technology outside its express purpose. Check out SecureW2’s pricing page to see if our Dynamic Cloud RADIUS can work to move your network more into the cloud.