The Best RADIUS Solution For AWS

Amazon Web Services (AWS) is Amazon’s ubiquitous cloud platform. It provides many different services including servers, storage, networking, remote computing, email, mobile development, and security. AWS is so large and present in the computing world that it has far outpaced its competitors. As of February 2020, one independent analyst reports AWS has over a third of the market at 32.4%.

Jeff Bezos is quoted comparing AWS to power utilities: “You go back in time a hundred years, if you wanted to have electricity, you had to build your own little electric power plant, and a lot of factories did this.” Essentially, AWS provides consumers with the ability to pay for the amount of computer infrastructure on an as-needed basis. 

This new change in mindset allows organizations to worry less about costly on-prem infrastructure and computing power and instead focus on their businesses growth. It’s a simple, cost-effective, and efficient solution to an expensive problem.

While AWS comes with a host of different applications, it’s not a one-stop security shop for your network. Your incoming and outgoing connections to the AWS cloud need to be secured, ideally with a robust authentication solution, such as 802.1X RADIUS security.

In this article, we’re going to explore how to best control and manage AWS authentication through Cloud RADIUS solutions.

Can I Use AWS with Microsoft NPS?

Microsoft’s Network Policy Server (NPS) is a DIY AAA RADIUS server that can be configured for a number of different types of network connections. It can be used for wireless authentication, VPN connections, dial-up, and more.

But as organizations continue to move to cloud-based operations, NPS has become a less favored solution. NPS, and the requisite Active Directory (AD), were built a couple decades ago before cloud computing was feasible. They have not been updated to be compatible with modern cloud architecture, so finding the right add-on solution to enable cloud-based authentication is the only way to make them compatible. 

In order to operate NPS in the cloud, you need to combine Windows NPS as a RADIUS proxy with a cloud-based RADIUS solution. A user would send their authentication request to the cloud RADIUS, and in turn, it would be forwarded to NPS for final authentication. 

This process requires specific configuration of RADIUS policies to match NPS. Settings such as the EAP method, which Event Logs to record, the network adapters that authentication requests would traffic, and more. It’s less efficient than a direct RADIUS authentication scheme, but some organizations that find themselves unable to leave on-premises networks behind will require such a config to enable AWS RADIUS authentication with their on-prem infrastructure.

While this solution leaves a lot to be desired, here is a link to a complete guide if you are still interested. 

Building an AWS RADIUS Server with FreeRADIUS

FreeRADIUS is one of the most widely used open-source RADIUS servers available. The benefits of FreeRADIUS can be summarized in 4 points:

  1. It’s the most popular RADIUS server in the world for a reason: It’s a no-frills, straightforward, and highly functional RADIUS platform.
  2. It’s open source and free.
  3. It’s multithreaded, so it can process more than one transaction at a time.
  4. There are no license expenses, meaning that it costs the same to authenticate one device as it does hundreds.

That being said, since it’s free and open source, deploying (and then maintaining) FreeRADIUS is dependent on the skill and experience of your IT team. Configuring 802.1X and the necessary infrastructure is daunting for admins with no RADIUS experience, so FreeRADIUS does offer paid support options.

Here is a guide for integrating FreeRADIUS with MFA to AWS. But that looks pretty complicated, what are the options for admins that just want 802.1X authentication for AWS without all the hassle?

Configuring Cloud RADIUS with AWS

SecureW2’s Cloud RADIUS is, like most cloud-based solutions, already hosted in AWS. Fortunately, this makes it easy to integrate with most of our customers’ network infrastructure.

AWS RADIUS Server Setup

To be clear, there’s not typically a need to configure a RADIUS server within the AWS portal. Rather, admins can tie their existing cloud RADIUS solution to AWS to leverage their cloud identities for use in MFA.

AWS Directory Service provides a native RADIUS client that is able to connect to your RADIUS server. From there, you have the option to do RADIUS-side MFA or configure Amazon’s own native MFA (which is located in the IAM Identity Center).

Note, however, that the native MFA is only suitable for deploying 2FA for user isng-ins to the AWS user portal. If you want to implement MFA for other connection requests, which is likely, you should deploy a Cloud RADIUS with its own AWS MFA compatible solution, such as SecureW2’s Cloud RADIUS.

Cloud RADIUS Built for AWS

SecureW2’s Cloud RADIUS is the most advanced RADIUS solution to date. We eschew antiquated credential-based authentication for the inarguably superior protection and user experience of passwordless digital certificate authentication.

Our team has designed Cloud RADIUS to seamlessly integrate with any network infrastructure while also providing an easy-to-use certificate onboarding service. If you want a set and forget RADIUS solution while still maintaining bulletproof security, Cloud RADIUS is for you.

With our Dynamic Policy Engine, everytime a user is authenticated for network access, admins can enforce network policies in real time. Cloud RADIUS automatically checks user status, what groups they’re in, if they’ve changed departments, and ties them to custom network policies created by administrators in our easy to use management system. You gain all the benefits of LDAP’s identity lookup capabilities with none of the risks associated with of obsolete, on-premise credential-based authentication.

With SecureW2, you can have a secure network set up in a matter of hours that easily integrates with your AWS infrastructure. Check out our pricing page to see if our solutions can help secure your network.

Eytan Raphaely

Eytan Raphaely is a digital marketing professional with a true passion for writing things that he thinks are really funny, that other people think are mildly funny. Eytan is a graduate of University of Washington where he studied digital marketing. Eytan has diverse writing experience, including studios and marketing consulting companies, digital comedy media companies, and more.

Related Posts