RADIUS Server Security Best Practices

Your RADIUS server is a key component of your network security, so it’s vital that it is protected as thoroughly as anything else. After all, a chain is only as strong as its weakest link.

Many of the important security measures for RADIUS are more than just a simple adjustment of settings, however. Most of them are policy-level decisions that should be considered before the RADIUS server is deployed.

If you have a RADIUS server already, don’t fret – it’s still possible to improve your RADIUS security. It will likely take a few infrastructure changes, but Cloud RADIUS can step in and fill the gaps of your network infrastructure with zero hassle.

Here are our RADIUS server security best practices:

Use Authorization Policies to restrict user access.

Once your RADIUS server is running, the first step should be to set up authorization policies. These are profiles for specific individuals, groups, or devices that control access to network resources. It’s important to do this early on to create templates to streamline any future additions to your organization.

Authorization Policies are most commonly used to segment a network into separate VLANs (Virtual Local Area Networks). This can significantly increase security by isolating your different user groups. Most organizations we work with have their Guest Network on a separate VLAN from the rest of their users, since those users are at a higher risk of infecting other users.

An authorization profile protects your network from both internal and external threats. It limits the reach of disgruntled employees and contains the damage malicious actors can inflict if they penetrate your defenses.
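The following is an added example, not code from Cloud RADIUS or any RADIUS product. It goes one step beyond the text by showing how a VLAN decision is carried to the switch or access point as the three tunnel attributes defined in RFC 2868 and RFC 3580. The group names, VLAN numbers and first-match ordering are assumptions made up for illustration.

```python
import struct

# RADIUS attribute numbers (RFC 2868) and VLAN values (RFC 3580).
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TYPE_VLAN, MEDIUM_IEEE_802 = 13, 6

# Constructed policy table, evaluated top to bottom: first match wins.
POLICIES = [
    ("it-admins", 10),
    ("staff", 20),
    ("contractors", 30),
]
GUEST_VLAN = 99  # isolated segment for anything that matches no policy


def select_vlan(groups):
    """Return (policy_name, vlan_id) for a user's or device's group list."""
    member_of = set(groups)
    for group, vlan_id in POLICIES:
        if group in member_of:
            return group, vlan_id
    return "guest", GUEST_VLAN  # default to the least-trusted VLAN


def _tagged_int(attr_type, value):
    # Layout: type, length (always 6), tag 0x00, 24-bit value.
    return struct.pack("!BBB", attr_type, 6, 0) + value.to_bytes(3, "big")


def vlan_reply_attributes(vlan_id):
    """Encode the three Access-Accept attributes that place a port in a VLAN."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError(f"invalid VLAN ID: {vlan_id}")
    vid = str(vlan_id).encode("ascii")  # the VLAN ID travels as a string
    group_id = struct.pack("!BBB", TUNNEL_PRIVATE_GROUP_ID, 3 + len(vid), 0) + vid
    return (_tagged_int(TUNNEL_TYPE, TYPE_VLAN)
            + _tagged_int(TUNNEL_MEDIUM_TYPE, MEDIUM_IEEE_802)
            + group_id)
```

Falling through to the guest VLAN when nothing matches keeps an unclassified user or device on the isolated segment instead of the default network.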

Choose a Cloud RADIUS solution over on-premise servers.

Cloud solutions are more secure than on-premise solutions, and RADIUS servers are no exception. 

The data centers that host cloud software are only as valuable as their security, so they invest massive capital into both physical and digital protection. They are staffed by dedicated cybersecurity experts as opposed to just handing off the responsibility to an organization’s token IT guy. Data centers are audited and penetration tested regularly. Cloud servers have inbuilt redundancy due to being hosted in multiple places.

Cloud solutions like the RADIUS servers offered here at Cloud RADIUS are hosted at data centers like the one described above. Our certificate-based authentication is just the (security) cherry on top.

Besides, building a RADIUS server (and possibly a PKI) from the ground up is an arduous, expensive process. It’s only feasible for the largest of organizations with an expansive, dedicated IT team.

By simple economy of scale, cloud solutions will always be more secure and more cost-effective than a comparable on-site setup.

Cloud RADIUS has done all the groundwork for you in order to offer a simple, powerful cloud RADIUS solution that integrates into your existing infrastructure. Our intuitive and customizable management software gives you the same degree of control as if you had built the system yourself.

Use the EAP-TLS authentication protocol and digital certificates.


This is non-negotiable. Other common 802.1X authentication protocols (like PEAP MS-CHAP v2 and TTLS/PAP) have well-known and easily exploitable vulnerabilities. EAP-TLS unlocks the capacity to use digital certificates for network authentication.

Certificates are vastly superior to credentials (username and password), both in terms of security and user experience.

  • Certificates are tied to the identity of a person or a device and can’t be separated from it. That means you always know exactly who or what is accessing the network since certificates can’t be shared like passwords.
  • Certificate-based authentication removes the need to remember credentials for network access. It also eliminates the hassle of password-policy disconnects.
  • Certificates can’t be stolen or intercepted, which makes them the best protection against over-the-air attacks (such as the common man-in-the-middle attack).

Switching to EAP-TLS and digital certificate infrastructure is painless thanks to SecureW2’s best-in-class software and management solutions. Enrolling devices for certificates is even easier with their device onboarding software – learn more here.

Use a private certificate authority for certificate-based authentication

For certificate creation, issuance, revocation, and management, a certificate authority (CA) is necessary. While RADIUS servers don’t inherently require the services of a CA, you’ll need one to utilize certificate-based network authentication.

CAs come in two flavors: private and public. A private CA is one that you run yourself. Much like having an onsite RADIUS, you’ll have to host it and manage the backend yourself. Public CAs are companies that sell certificates, individually or in bundles, and manage all of the necessary infrastructure.

The pros and cons of each (which are discussed here) are fairly obvious. For organizations that only need a few certificates or don’t have any need to revoke or reissue, it might not be worth their while to set up their own certificate authority. A large organization has more need and is better able to absorb the cost.

Cloud RADIUS gives you the best of both worlds through our parent company SecureW2. Included with our industry-best RADIUS solution is a sleek and intuitive management portal that allows you to create and manage your own virtual private certificate authority with unlimited certificates, root CAs, and intermediate CAs. 

Running a private CA has never been easier. SecureW2’s certificate authority solution puts all the tools in your hands at a fraction of the cost and with none of the hassle.

Use Server Certificate Validation

One of the most often overlooked steps to securing a RADIUS server is also one of the most vital. Server certificate validation is the practice of placing a certificate on the RADIUS server that the client authenticates against to confirm that it’s the genuine, original RADIUS server.

Without server certificate validation, your network is highly susceptible to man-in-the-middle attacks. It’s trivially easy to set up a spoofed server and harvest credentials from unsuspecting clients. If the clients are using certificates, though, anything the spoofed server collects is useless to the attacker.

You can set up server certificate validation on your RADIUS server with or without converting your network to certificate-based authentication, but for truly ironclad protection the clients should be utilizing certificates as well. 

Setting up server certificate validation is easier than you might expect. However, ensuring that all end user devices have been properly configured for server certificate validation is another story. 

That’s why onboarding software has become so popular in the past decade. When devices use onboarding software, organizations can ensure that every device is configured to only authenticate against a RADIUS server that presents the proper server certificate.
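One way to check client configuration for server certificate validation, as an added example that is not part of the original article or any vendor tooling. It assumes Linux clients using wpa_supplicant, which the article does not name; the sample configuration, SSIDs, paths and server name are constructed.

```python
import re

# Constructed sample wpa_supplicant.conf (SSIDs, paths and names are made up).
SAMPLE_CONF = """
network={
    ssid="corp-legacy"
    key_mgmt=WPA-EAP
    eap=PEAP
    password="example-only"
}
network={
    ssid="corp-ca-only"
    key_mgmt=WPA-EAP
    eap=TLS
    ca_cert="/etc/wifi/example-root.pem"
}
network={
    ssid="corp-pinned"
    key_mgmt=WPA-EAP
    eap=TLS
    ca_cert="/etc/wifi/example-root.pem"
    domain_suffix_match="radius.example.com"
}
network={
    ssid="guest"
    key_mgmt=NONE
}
"""

NAME_CHECKS = ("domain_match", "domain_suffix_match", "altsubject_match", "subject_match")

def audit(conf_text):
    """Return {ssid: [findings]} for every 802.1X network block."""
    report = {}
    for body in re.findall(r"network=\{(.*?)\n\}", conf_text, re.S):
        # Parse key=value lines; skip blanks and comments.
        opts = dict(l.strip().split("=", 1) for l in body.splitlines()
                    if "=" in l and not l.strip().startswith("#"))
        if not re.search(r"EAP|IEEE8021X", opts.get("key_mgmt", "")):
            continue  # not an 802.1X profile, nothing to validate
        findings = []
        if "ca_cert" not in opts:
            findings.append("no ca_cert: any server certificate is accepted")
        if not any(k in opts for k in NAME_CHECKS):
            findings.append("no server name check: any certificate issued by the trusted CA is accepted")
        if "password" in opts and findings:
            findings.append("password is offered to a server that is not fully verified")
        report[opts.get("ssid", "?").strip('"')] = findings
    return report
```

An empty findings list means the profile pins both the issuing CA and the expected server name, which is the state onboarding software is meant to enforce on every device.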

Ready to upgrade your network security with the industry’s best Cloud RADIUS solution? Check out our pricing options here.

Patrick Grubbs

Patrick is an experienced SEO specialist at SecureW2 who also enjoys running, hiking, and reading. With a degree in Biology from College of William & Mary, he got his start in digital content by writing about his ever-expanding collection of succulents and cacti.
