Can I Do RADIUS VLAN Without LDAP?
While both LDAP and RADIUS are protocols that enable users to access their organization’s resources, LDAP relies exclusively on insecure credentials. The usability and security flaws of credentials are well-known, and many organizations are dissatisfied with credentials as authentication protection for their network. Not to mention that, with 10 million attacks targeting usernames and passwords occurring every day, it’s not a bad idea to drop passwords wherever possible.
Organizations that want to use VLANs may want to use RADIUS authentication instead of LDAP but aren’t sure if it’s possible. Luckily, we are here to tell you: yes, you can use RADIUS for VLAN assignment instead of LDAP.
What is VLAN?
A VLAN, or Virtual Local Area Network, is a method of configuring your network to emulate a LAN with all of the management and security benefits it provides.
Using VLANs to organize users into groups with varying levels of permissions is a vital part of maintaining network security. For example, the Open/Guest network is usually put in a different VLAN than the secure network. This helps to make sure that devices and network resources on one VLAN aren’t affected if other networks on a separate VLAN are compromised.
Can I Use VLAN with RADIUS?
Yes! Using a RADIUS server allows for the use of digital certificates, which makes VLAN assignment a snap because attributes can be encoded into the certificate that the RADIUS server uses to authenticate. You could set up a policy so that anyone with the email domain “it.company.com” would be automatically assigned a different VLAN segment than “sales.company.com”.
If the RADIUS server authorizes a user as a result of an authentication, it sends an Access-Accept packet that can contain certain attributes telling the switch how to connect the device to the network.
Common attributes will specify which VLAN to assign a user to, or possibly a set of ACLs (Access Control Lists) the user should be given once connected. This is commonly called ‘User Based Policy Assignment’ as the RADIUS server is making the decision based on user credentials. Common use cases would be to push guest users to a ‘Guest VLAN’ and employees to an ‘Employee VLAN’.
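As an added illustration of the two paragraphs above (this is example code written for this page, not SecureW2’s product code), the block below takes the identity from a certificate, applies a hypothetical domain-to-VLAN policy like the “it.company.com” versus “sales.company.com” one described earlier, and builds the three standard tunnel attributes (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID, per RFC 2868 and RFC 3580) that a switch reads out of the Access-Accept to place the port in a VLAN. It also decodes them the way a switch would, including the RFC 2868 rule that a leading byte above 0x1F in Tunnel-Private-Group-ID is data rather than a tag. The domain table, VLAN numbers and sample e-mail addresses are constructed for the example.

```python
"""Map a certificate identity to a VLAN and encode/decode the RADIUS
Access-Accept attributes a switch uses for VLAN assignment.

Attribute numbers and values come from RFC 2868 / RFC 3580; the policy
table and sample identities are constructed for this example.
"""
import struct

# Standard RADIUS tunnel attributes used for VLAN assignment (RFC 2868 / RFC 3580)
TUNNEL_TYPE = 64              # value 13 = VLAN
TUNNEL_MEDIUM_TYPE = 65       # value 6  = IEEE-802
TUNNEL_PRIVATE_GROUP_ID = 81  # string holding the VLAN ID (or name)
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6
DEFAULT_TAG = 1               # tag byte grouping the three attributes; valid tags are 0x00-0x1F

# Hypothetical policy: e-mail domain in the certificate -> VLAN ID (constructed)
DOMAIN_TO_VLAN = {
    "it.company.com": 10,
    "sales.company.com": 20,
}
GUEST_VLAN = 99  # anything the policy does not recognise lands in the guest VLAN


def vlan_for_identity(email: str) -> int:
    """Decide the VLAN from the domain part of the certificate's e-mail identity."""
    domain = email.rpartition("@")[2].strip().lower()
    return DOMAIN_TO_VLAN.get(domain, GUEST_VLAN)


def _avp(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute-value pair: Type (1 byte), Length (1 byte), Value."""
    if len(value) > 253:  # Length is a single byte covering Type+Length+Value
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def _tagged_int(tag: int, value: int) -> bytes:
    """Tagged integer form used by Tunnel-Type / Tunnel-Medium-Type: 1-byte tag + 3-byte value."""
    return struct.pack("!B", tag) + struct.pack("!I", value)[1:]


def build_vlan_attributes(vlan_id: int, tag: int = DEFAULT_TAG) -> bytes:
    """Build the attribute bytes a RADIUS server puts in Access-Accept to assign a VLAN."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be 1..4094")
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0x00..0x1F")
    return b"".join([
        _avp(TUNNEL_TYPE, _tagged_int(tag, TUNNEL_TYPE_VLAN)),
        _avp(TUNNEL_MEDIUM_TYPE, _tagged_int(tag, TUNNEL_MEDIUM_IEEE_802)),
        _avp(TUNNEL_PRIVATE_GROUP_ID, struct.pack("!B", tag) + str(vlan_id).encode("ascii")),
    ])


def decode_vlan_attributes(blob: bytes) -> dict:
    """Walk the attribute bytes the way a switch would and pull out the VLAN decision."""
    out = {}
    i = 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        attr_type, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError("bad attribute length")
        value = blob[i + 2:i + length]
        i += length
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            key = "tunnel_type" if attr_type == TUNNEL_TYPE else "tunnel_medium_type"
            out[key] = int.from_bytes(value[1:], "big")  # skip the 1-byte tag
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID:
            # RFC 2868 s3.6: a first byte above 0x1F is not a tag but part of the string
            text = value[1:] if value and value[0] <= 0x1F else value
            out["vlan_id"] = text.decode("ascii", errors="replace")
    return out


def access_accept_vlan(email: str) -> tuple:
    """Full path: identity -> policy decision -> encoded Access-Accept attributes."""
    vlan = vlan_for_identity(email)
    return vlan, build_vlan_attributes(vlan)


if __name__ == "__main__":
    for ident in ("alice@it.company.com", "bob@sales.company.com", "visitor@example.org"):
        vlan, attrs = access_accept_vlan(ident)
        print(f"{ident:28s} -> VLAN {vlan:3d}  attrs={attrs.hex()}  decoded={decode_vlan_attributes(attrs)}")
```

The decoder deliberately checks each attribute’s length field against the remaining buffer: a RADIUS client that trusts the length byte blindly is the classic source of parsing bugs, and a switch that silently ignores a malformed Tunnel-Private-Group-ID may fall back to the port’s default VLAN rather than the guest VLAN, which is the opposite of the fail-closed behaviour you want from VLAN steering.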
How To Configure RADIUS VLAN Authentication Without LDAP
VLAN segmentation only works properly if you can accurately assign VLANs to each of your users. That’s easy to do manually with a handful of users, but enterprises with thousands of users need an automated solution.
Onboarding is our specialty here at SecureW2. That’s why we have the #1 rated onboarding app in every app store. Our device onboarding solution allows you to push configuration packages to managed and BYOD devices to start a guided self-enrollment process that allows the end-user to use their existing credentials to enroll themselves and their device. From there, it’s easy to assign VLAN attributes.
Now is a particularly good time to choose SecureW2 for VLAN because we just released the next step in RADIUS technology – dynamic policy enforcement in real time. Our Cloud RADIUS server can make runtime-level policy decisions based on attributes stored on digital certificates or in the user directory (even cloud directories like Okta, Azure, and Google). This technology actually enables VLAN steering earlier in the authentication process, potentially preventing more advanced methods of unwanted entry to the network.
Want to learn more about our Dynamic RADIUS and how to protect your network with VLAN steering? Check out our pricing to see if SecureW2 is right for you.