RADIUS Authentication: How It Works
A network is only as strong as its security, and enterprises that conduct business online need to ensure their network security is as strong as possible. WPA2-Enterprise with 802.1x is the gold standard for wireless authentication, and RADIUS servers play an integral part.
What is RADIUS?
Remote Authentication Dial-In User Service, or RADIUS, is a client-server protocol: network access devices such as access points and switches (the RADIUS clients) ask a central RADIUS server whether a user may connect, ensuring that only approved users can access the network. RADIUS acts like the bouncer, with your network being the club. RADIUS servers are also known as “AAA” servers because they provide the following:
- Authentication: The process determining if a user requesting network access is an active and approved user.
- Authorization: Once a user is authenticated, RADIUS determines how much access they are granted on the network, based on security policies set by network admins.
- Accounting: Monitoring and logging everything an approved user does on the network.
The RADIUS server ultimately decides who is allowed to access the network and how much access is available to them. This is significantly more secure than using a Pre-Shared Key (PSK) like on our Wi-Fi networks at home, for a variety of reasons. Next we will go over how the RADIUS authentication process works, and what makes it so secure.
The RADIUS Authentication Process
Authentication and authorization can happen simultaneously: the RADIUS server verifies the user (authentication) and checks what network policies are assigned to the user (authorization). We’ve provided a general breakdown of the authentication process:
- The user inputs their network credentials, or presents an X.509 digital certificate, attempting to connect to a network. The access point or switch then forwards this to the RADIUS server.
- The RADIUS client (the access point or switch the user is connecting through, not the end user’s device) sends an Access-Request message to the RADIUS server. The message carries the user’s authentication data and is protected with the RADIUS shared secret.
- The RADIUS server verifies the RADIUS client with the shared secret; a request that does not check out is silently discarded. Then, the RADIUS server checks that the requested authentication method is one it is configured to accept.
- The RADIUS server terminates a TLS tunnel with the client device and can be configured to authenticate users with EAP-TLS, EAP-TTLS-PAP, or PEAP-MSCHAPv2. We’ll cover this more below.
- In the case of credential-based authentication, the server compares the user credentials against the user database verifying that the user is active. In the case of certificate-based authentication, it verifies the user’s client certificate against the Root Certificate Authority.
- No matching credentials means the RADIUS server responds with an Access-Reject message.
- After verification, the server then checks for any access policies or profiles matching the user credentials.
- If the server finds a matching policy, it will send an Access-Accept message back to the RADIUS client.
- The message is authenticated with the same shared secret and carries a Filter-Id attribute, which tells the RADIUS client which RADIUS group the user is assigned to.
- The user is both authenticated and authorized, completing the process and granting the user network access.
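The exchange in the steps above, as an added example in Python that is not code from the article or from SecureW2. It models the password (PAP-style) case rather than an EAP exchange, with a constructed user database (`alice`, `bob`), a constructed RADIUS client at 10.0.0.5 sharing the secret `sharedsecret`, and in-memory delivery instead of UDP port 1812. It shows the three places the shared secret does its work: the RADIUS client hides the User-Password with it (RFC 2865), the server checks the request’s Message-Authenticator with it before looking at any credential (RFC 2869) and silently discards a request from an unknown client or with a wrong secret, and the server’s Response Authenticator lets the client reject a forged Access-Accept. The Access-Accept carries the Filter-Id that assigns the user’s group.

```python
"""Added example: the RADIUS Access-Request/Access-Accept exchange of RFC 2865/2869.
Not code from the article or from SecureW2; the user table, policy table, NAS address and
shared secret are constructed sample data, and transport is simulated in memory."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, FILTER_ID, MESSAGE_AUTHENTICATOR = 1, 2, 4, 11, 80
# Constructed server data: secret per NAS (RADIUS client), user database, Filter-Id per user.
NAS_CLIENTS = {bytes([10, 0, 0, 5]): b"sharedsecret"}
USERS = {b"alice": b"correct horse", b"bob": b"hunter2"}
POLICY = {b"alice": b"staff-vlan", b"bob": b"guest-vlan"}

def encode_attrs(attrs):
    """Type-Length-Value attributes; Length includes the two header bytes."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        length = data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[i], data[i + 2:i + length]))
        i += length
    return attrs

def header(code, ident, authenticator, body):
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def password_xor(data, secret, request_auth, hiding):
    """RFC 2865 section 5.2: XOR 16-byte blocks with an MD5 keystream chained on the hidden block."""
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        mixed = bytes(a ^ k for a, k in zip(block, hashlib.md5(secret + prev).digest()))
        out, prev = out + mixed, (mixed if hiding else block)
    return out

def message_authenticator(pkt, secret):
    """RFC 2869: HMAC-MD5 over the packet with the Message-Authenticator value zeroed."""
    buf, i = bytearray(pkt), 20
    while i < len(buf):
        if buf[i] == MESSAGE_AUTHENTICATOR:
            buf[i + 2:i + buf[i + 1]] = b"\x00" * (buf[i + 1] - 2)
        i += buf[i + 1]
    return hmac.new(secret, bytes(buf), hashlib.md5).digest()

def build_access_request(ident, username, password, secret, nas_ip):
    """NAS side: hide the password and authenticate the whole packet under the shared secret."""
    request_auth = os.urandom(16)
    padded = password + b"\x00" * (-len(password) % 16)
    body = encode_attrs([(USER_NAME, username),
                         (USER_PASSWORD, password_xor(padded, secret, request_auth, True)),
                         (NAS_IP_ADDRESS, nas_ip),
                         (MESSAGE_AUTHENTICATOR, b"\x00" * 16)])  # placeholder, filled in below
    pkt = header(ACCESS_REQUEST, ident, request_auth, body)
    return pkt[:-16] + message_authenticator(pkt, secret)

def handle_request(pkt):
    """Server side. Returns the reply packet, or None when the request is silently discarded."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if code != ACCESS_REQUEST or length != len(pkt):
        return None
    request_auth, attrs = pkt[4:20], dict(decode_attrs(pkt[20:]))
    secret = NAS_CLIENTS.get(attrs.get(NAS_IP_ADDRESS))  # is this RADIUS client known?
    if secret is None or not hmac.compare_digest(
            attrs.get(MESSAGE_AUTHENTICATOR, b""), message_authenticator(pkt, secret)):
        return None  # unknown client or wrong shared secret: never answer
    stored = USERS.get(attrs.get(USER_NAME))
    password = password_xor(attrs.get(USER_PASSWORD, b""), secret, request_auth, False).rstrip(b"\x00")
    if stored is not None and hmac.compare_digest(stored, password):
        code, body = ACCESS_ACCEPT, encode_attrs([(FILTER_ID, POLICY[attrs[USER_NAME]])])
    else:
        code, body = ACCESS_REJECT, b""  # no matching credentials
    # Response Authenticator: MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
    resp_auth = hashlib.md5(struct.pack("!BBH", code, ident, 20 + len(body))
                            + request_auth + body + secret).digest()
    return header(code, ident, resp_auth, body)

def verify_response(resp, request_auth, secret):
    """NAS side: accept a reply only if it was computed with our shared secret."""
    expected = hashlib.md5(resp[:4] + request_auth + resp[20:] + secret).digest()
    if not hmac.compare_digest(resp[4:20], expected):
        raise ValueError("Response Authenticator mismatch: reply is not from our RADIUS server")
    return resp[0], dict(decode_attrs(resp[20:]))

def authenticate(username, password, secret=b"sharedsecret", nas_ip=bytes([10, 0, 0, 5])):
    """Whole exchange; returns ('accept', filter_id), ('reject', None) or ('discarded', None)."""
    req = build_access_request(7, username, password, secret, nas_ip)
    resp = handle_request(req)
    if resp is None:
        return "discarded", None
    code, attrs = verify_response(resp, req[4:20], secret)
    return ("accept", attrs[FILTER_ID].decode()) if code == ACCESS_ACCEPT else ("reject", None)
```

Calling `authenticate(b"alice", b"correct horse")` yields an accept carrying the Filter-Id `staff-vlan`; a wrong password yields a reject, and a wrong secret or an unknown NAS address yields no reply at all, which is the "verifies the RADIUS client" step in practice. The MD5-based hiding and HMAC-MD5 are what the RFCs specify, not modern cryptography, which is one reason protecting the RADIUS leg itself with TLS (the RADIUS over TCP/TLS work mentioned in the UDP vs TCP section) is worthwhile.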
Is RADIUS Authentication Secure?
Yes! However, it depends on which authentication protocol your organization uses. As stated before, the three most common protocols organizations use for 802.1x are credential-based PEAP-MSCHAPv2 and EAP-TTLS-PAP and certificate-based EAP-TLS.
Authenticating with X.509 certificates is the most secure form of authentication: no password is sent at all, and the client instead proves possession of a private key that never leaves the device. The certificate itself is public, so even if it falls into a malicious actor’s hands it cannot be used to impersonate the user without that private key.
RADIUS Authentication Protocols
The authentication protocol is a major player for RADIUS and we’ve broken down the three most common methods.
TTLS-PAP is a credential-based authentication protocol whose main draw is the encrypted tunnel set up between client and server before the credentials are sent. An encrypted tunnel is only as good as the client’s check of who is on the other end: if the client does not validate the server’s certificate, a man-in-the-middle attack can impersonate the server, connect with its victim, and terminate the tunnel itself, rendering the encryption useless.
Furthermore, EAP-TTLS-PAP sends the user’s password as cleartext inside that tunnel, so whoever terminates the tunnel (the legitimate RADIUS server, or an impostor the client trusted) receives the password directly. If the network authenticates with a password that is shared among the office, the entire network is vulnerable to data theft.
PEAP-MSCHAPv2 is a Microsoft protocol and thus the authentication method designed for Windows and AD-domain environments. Just like TTLS-PAP, PEAP is a credential-based authentication method and, again just like TTLS-PAP, PEAP suffers from a glaring vulnerability: the MS-CHAPv2 exchange inside the tunnel has a well-known cryptographic weakness, so a captured challenge/response can be cracked offline and the network is still at risk for credential theft.
EAP-TLS is the only certificate-based authentication protocol of the three and is widely known for its strong security. A digital certificate binds a public key to an identity; the matching private key stays on the device and is what the client uses to prove that identity. Networks configured for EAP-TLS have both clients and servers equipped with certificates, so approved users are identified and granted network access automatically. Furthermore, EAP-TLS completely eliminates the risk of over-the-air credential theft and provides much higher assurance that the person connecting to the network actually is who they say they are.
Authenticating with Cloud RADIUS and Digital Certificates
If you want to use EAP-TLS, you will need a PKI. A Public Key Infrastructure (PKI) enables organizations to issue and manage X.509 digital certificates that secure connections between end user devices and RADIUS servers. A certificate contains only public information; the private key it corresponds to never leaves the device, so even if a malicious actor obtained a copy of the certificate, they could not use it to authenticate. Certificates are incredibly user-friendly, automatically connecting approved devices to the wireless network. Network segmentation is also improved as admins can more efficiently categorize users based on their standing in the company.
Cloud RADIUS is paired with SecureW2’s Managed PKI for the exact reason of making it really really easy for organizations to secure their RADIUS Authentication with EAP-TLS. It gives organizations a one-stop shop to set up WPA2-Enterprise and 802.1x EAP-TLS for secure wireless authentication.
Is RADIUS UDP or TCP?
By default, RADIUS is transported over UDP. But in 2012, the Internet Engineering Task Force (IETF), the organization that develops Internet protocol standards, released RFC 6613, which allows RADIUS to run over TCP; RADIUS over TLS (RadSec, RFC 6614) builds on that TCP transport.
The main difference between UDP and TCP is that UDP is a connectionless protocol and TCP is connection-oriented. One disadvantage of TCP is that connection setup and acknowledgements add overhead and use more bandwidth. While UDP’s connectionless transport may seem like a security risk, organizations that authenticate with EAP-TLS are protected, because the security of the exchange comes from the TLS tunnel inside EAP rather than from the transport underneath.
Does RADIUS Use LDAP?
Yes, a RADIUS server can use the LDAP protocol to look up users in a directory that speaks LDAP. Active Directory (AD) is a widely-used platform that uses LDAP for authentication purposes. However, AD is notorious for its lack of flexibility when it comes to cloud computing services. Luckily, SecureW2’s Cloud RADIUS makes it easy for AD-domain admins to bridge the gap from on-prem to cloud.
What is the Default RADIUS Authentication Port?
By default, the RADIUS server uses UDP 1812 for authentication and authorization and UDP 1813 for accounting, as defined by the IETF, but it can also use the legacy ports 1645 and 1646 that some older equipment still expects.
Securely Authenticate Users with SecureW2’s Cloud RADIUS
RADIUS is a key security feature for WPA2-Enterprise and 802.1x. Networks can configure secure authentication for Wi-Fi, VPN, Email, and much more using RADIUS. SecureW2’s Cloud RADIUS makes the process of RADIUS implementation super easy because Cloud RADIUS comes with SecureW2’s turnkey PKI. In a matter of hours, network admins can integrate their networks to set up RADIUS authentication.
SecureW2’s software automates certificate enrollment and device onboarding, removing the end user from the equation. Plus, Cloud RADIUS comes at an affordable price, making it a cost-effective business solution.