Do you know what facilitated back-office IT functions for any business twenty years ago? It was Active Directory, Microsoft’s user directory system. Because Active Directory simplified the task for organizations to manage their resources from a single console, offices everywhere used AD.
A RADIUS server is an authentication server that can use the information contained in your directory to authenticate and authorize users but does that mean it needs to use AD today?
Why would organizations want to use Active Directory?
Technically, AD is a database of critical information about users, devices, and their environment, coupled with other Microsoft services to help users securely connect with the resources they need. The services are what allow people to access resources while the Active Directory database contains details such as the user’s job profile, phone number, permissions, and passwords.
AD is a game changer in that it centralizes identity, rather than storing them on a per-computer basis. It enables organizations to manage devices from a single location, creating group policies and segmenting the network to maintain secure perimeters.
Where does RADIUS come in?
So, what does a RADIUS server (also known as AAA server) have to do with AD? In short, RADIUS servers are authentication servers that can authenticate users and devices attempting to access your network resources. Your Identity Provider (IDP) can be used to provide critical identity information for authentication and authorization during the authentication process.
Authentication Process
Fig: RADIUS authentication with digital certificates
The user attempts to connect to the network for the first time with a unique credential. The access request is sent to the access point, which is then sent to the RADIUS server. The credential is verified against the information stored in the directory or the RADIUS server itself.
If the match is made, then the server accepts the user by sending an Access-Accept message (along with parameters or restrictions regarding what you can utilize on that network) back to the access point. The user is rejected through an Access-Reject message if the match is not made.
Why is RADIUS needed?
To have all your users connect to your networks, you need RADIUS to maintain a central authentication system. User identities are stored in directories such as Okta, Azure, G-Suite, and AD. RADIUS connects all your users to the company network with their own unique credentials eliminating the use of pre-shared keys. In other words, RADIUS can make it possible for you to leverage the network access control policies you’ve already created in your identity management system and apply them to your Wi-Fi or VPN.
Do RADIUS Servers Need Active Directory?
RADIUS doesn’t specifically need Active Directory, but it does need a directory to reference for authentication and authorization purposes. RADIUS can use AD for that directory, but AD tends to tie organizations to on-prem infrastructure and isn’t the best solution for those looking to move to the cloud.
Can we use AD Without On-Prem Hardware?
AD is on-premise only. It requires a physical server in a physically secured location, which necessarily involves a lot of human resources to set up and manage.
The next question is: can we have AD in the cloud?
Unfortunately, no. Active Directory is a service that’s still reliant on the legacy authentication protocol, LDAP. This ties it to on-premise architecture.
If you’re looking for a way to migrate your identity management infrastructure to the cloud, Microsoft offers an alternative Identity Provider called Azure AD(Microsoft Entra ID). Of course, there are other options, as well, such as Google or Okta.
What locks you to the IDP?
Imagine if your IDP leaves no choice but to choose systems and applications that the IDP has the capability to control. This is what a Microsoft AD does, all they could control was Windows-based devices. As the organizations depended more on Microsoft AD, they were left with no choice but to choose devices and apps that could be controlled by AD. Many organizations want to migrate to the cloud to start implementing certificate-based solutions, but it’s a hard transition if you have Microsoft AD environments.
A well-designed IDP should give back control over the organizations that can manage all major systems (Unix, Linux, Mac, Windows), cloud and on-prem servers (e.g. AWS, GCP, internal data centers), networks (Cloud RADIUS), data through physical and virtual file servers, single sign-on to applications (web and on-prem), and more through one central web platform.
Thus it’s very important to be wise in choosing an IDP that can fully move to the cloud and not get you locked in.
Reasons Why You Don’t Want To Be Locked Into On-Prem
Heterogenous IT environment
20 years ago, when AD was just introduced, the IT environment was Generally on-premise and Windows-based. Microsoft specifically designed AD for the Windows platform and the applications were largely Windows as well.
Today, the IT environment is much more diverse, and while Microsoft continues to be a dominating presence, it is now far from the only one. Now, organizations can choose from a small range of operating systems, including Macs, Linux devices, and even Chromebooks. Any Identity Provider an organization uses needs to be compatible with the devices on the network.
Cloud First
Ever since the pandemic hit the world by storm, organizations are rethinking everything, and cloud services have been witnessing a steep rise. There are cloud-native computing options for everything – servers, databases, networking, and software. Companies are transitioning to the cloud as it provides flexible resources, cost-effective options, and practical, accessible tools. Rather than maintaining on-premise data centers and servers, the Software as a Service (SaaS) model of cloud computing lends itself to a “pay-as-you-use” plan that can scale to fit your needs.
In this increasingly cloud-based world, using traditionally on-premise infrastructure holds you back. Some organizations have attempted to supplement their AD with Azure as a bridge to the cloud, but because Azure doesn’t support LDAP, this requires syncing with an on-premise AD server.
What are the Alternatives to AD?
A cloud replacement is the best for modern challenges. Moving your identity management to the cloud means you don’t have to worry about upgrading hardware every few years, conducting your own software maintenance and patching, higher availability and security, and more. Additionally, cloud solutions embrace the disparate IT setup modern organizations use.
Today, organizations don’t necessarily need AD for a directory because of the rise in SaaS companies offering directory instances in their software. Examples of cloud alternatives to AD include Google, Okta, and Azure AD.
How To Move Beyond Your On-Prem Environment
There are two main reasons organizations choose on-premise infrastructure:
- They want to build their infrastructure themselves with complete control over its construction or
- They simply already have the on-premise infrastructure and don’t see a need to move everything to the cloud just yet.
Moving to the cloud will require some consideration regarding your infrastructure’s architecture. If the organization is cloud-based or shifting to the cloud, then a cloud directory is the best. If, however, the organization is maintaining the on-prem Microsoft model, Active Directory is a logical choice.
But, even if you choose to go on-prem Windows-centric route, it is a good idea to examine what cloud-based infrastructure can do for you. IT admins who work with your on-prem hosted servers, storage and data processing hardware, software, applications and infrastructure will know this. It takes time, expertise and money to maintain and update these resources to keep pace with market demands and growth. When you shift to cloud, you cut IT bill and operating costs and gain the resilience to scale technology as your business demands change. Cloud computing has been lauded as a revolution in IT. When you consider the benefits it can bring, it’s not surprising that so many organisations have been eager to upgrade to the cloud
For an IT environment that uses Microsoft products and services, wanting to transition to cloud, can do it with the help of Azure AD. Both Azure and AD networks authenticate users with PEAP-MSCHAPv2, which contains a significant vulnerability in it’s encryption that can allow a hacker to gain access to user login information in plain text. To increase your network security, you can enable users to authenticate uniquely to the network by setting up a certificate backed authentication. Azure customers who set up certificates with SecureW2 use simple onboarding software for BYODs and gateway APIs for their managed devices. SecureW2 offers an easy-to-use PKI that easily integrates with Azure for use as an IDP.
Modern Passwordless Authentication Designed for Cloud Identities
Cloud based identity providers offer the flexibility organizations need. They’re scalable, don’t rely on legacy protocols like LDAP, and don’t require expensive on-premise infrastructure/security. AD’s on-prem infrastructure has become a hindrance for many organizations trying to migrate to the cloud.
On-prem technology just doesn’t offer the same versatility or security as cloud services, which is why many admins are looking to cloud IDPs. By integrating cloud IDP with SecureW2’s cloud PKI and Cloud RADIUS, organizations can leverage the network access policies they’ve already established in their IDP and apply it to their Wi-Fi and VPN – regardless of location.
However, if your organization needs to use AD, SecureW2’s Cloud RADIUS can still provide premier passwordless authentication in tandem with digital certificates leveraging your Active Directory. Check out our pricing page to see if our solutions can help secure your network.
