Dynamic RADIUS Policy Enforcement with Static Certificates

Patrick Grubbs Tech Trends

Certificate-based WPA2-Enterprise networks are extremely secure, but X.509 digital certificates can be a hassle to manage. Although SecureW2 has one of the best certificate management platforms in the industry, we’re always looking for ways to make EAP-TLS authentication safer and easier.

Our newest solution is the all-new Dynamic Policy Engine that powers our upgraded Dynamic Cloud RADIUS server. It adds redundant security layers to the already-ironclad EAP-TLS authentication protocol and introduces innovative features not found in any other Cloud RADIUS product on the market today.

Cloud RADIUS Directory-Based Authentication

Standard certificate-based 802.1X authentication takes some shortcuts because of the inherently secure nature of the key pair behind the certificate (the public key in the certificate and the private key held by the client). If an unexpired certificate signed by a certificate authority in the RADIUS server’s trust store is presented, the RADIUS server just checks the Certificate Revocation List (CRL) to make sure the certificate wasn’t manually revoked in the last day or two.

The CRL check is the only check needed for certificate-based EAP-TLS authentication and, in most scenarios, it’s fully sufficient. However, it does rely on the IT team promptly and accurately revoking certificates whenever a user’s permissions change (such as in the case of a promotion or a person leaving the company).

Unfortunately, people are fallible and it’s not uncommon for certificates to be lost in the shuffle of certificate management. One user can have multiple certificates, sometimes 10 or more, and it’s easy to forget to revoke one – leaving a vulnerability in your network.

User Lookup without LDAP

So, taking a leaf out of the LDAP book, we developed a feature that allows your cloud RADIUS to perform user lookup on cloud directories. Our Dynamic Cloud RADIUS is the only cloud RADIUS that can directly reference cloud identity providers like Google, Azure, and Okta.

We use this function in several ways, but the first is to reinforce your RADIUS’s authentication security by making a second check to the directory after the CRL is referenced. This provides positive confirmation that the user is authorized in addition to the confirmation that their certificate has not been recently revoked.

The user lookup feature also affords us another benefit. Since the CRL isn’t the only thing between your network and an intruder, you can reduce the update interval to conserve network resources without assuming more risk. The directory check is performed via a lightweight API, so authentication times become faster, not slower.

Dynamic User Attributes Instead of Static Certificate Attributes

Perhaps the most important advancement our Dynamic Cloud RADIUS has made is the ability to perform runtime-level policy decisions based on dynamic user attributes. This represents a significant departure from the standard paradigm of certificate-based RADIUS authentication, so it’s worth explaining.

Normally, the RADIUS server authorizes a user to access certain resources or networks depending on the certificate they present. A single certificate may be used to authorize a user for multiple networks, services, apps, or resources.

Once issued, however, an X.509 certificate is typically static. You can’t change it or edit the permissions. If a user’s access level needs to change, you have to revoke the certificate(s), create new ones, sign them with a CA, and safely distribute them to the correct user or device.

Do you know what’s not static? A user’s entry in the directory. In fact, that’s usually pretty easy to edit – HR teams usually have access to the roster, not just IT. It’s much easier to enforce group policy and user segmentation by editing a user attribute than it is to go through the whole certificate management cycle.
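To make the decision flow concrete, here is an added example (not SecureW2 code, and not its API) of an authorization function that performs the standard EAP-TLS checks, then the directory lookup described above, and finally a policy decision driven by the user’s current directory groups. The issuer, serials, directory entries and VLAN policy are constructed sample values.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample data (hypothetical, not SecureW2's own schema or API):
# a CRL as a set of revoked serials, and a cloud directory keyed by the
# identity in the certificate subject.
TRUSTED_ISSUERS = {"Example Issuing CA"}
REVOKED_SERIALS = {"0x2A11"}
DIRECTORY = {
    "alice@example.com": {"enabled": True, "groups": ["engineering"]},
    # Offboarded in HR, but the certificate was never revoked.
    "bob@example.com": {"enabled": False, "groups": ["sales"]},
}
# Policy is keyed by directory group, so editing a group in the directory
# changes the outcome at the next authentication without reissuing a certificate.
GROUP_POLICY = {"engineering": {"vlan": 10}, "sales": {"vlan": 20}}

@dataclass(frozen=True)
class Cert:
    serial: str
    subject: str
    issuer: str
    not_after: datetime

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
VALID_UNTIL = datetime(2025, 1, 1, tzinfo=timezone.utc)
ALICE = Cert("0x1001", "alice@example.com", "Example Issuing CA", VALID_UNTIL)
BOB = Cert("0x1002", "bob@example.com", "Example Issuing CA", VALID_UNTIL)
ALICE_REVOKED = Cert("0x2A11", "alice@example.com", "Example Issuing CA", VALID_UNTIL)
ALICE_EXPIRED = Cert("0x1003", "alice@example.com", "Example Issuing CA", NOW)

def authorize(cert: Cert, now: datetime = NOW) -> dict:
    """Decide an EAP-TLS request: {"accept": bool, "reason": str, "vlan": int | None}."""
    # Step 1: the checks a standard EAP-TLS RADIUS already performs (trust, expiry, CRL).
    if cert.issuer not in TRUSTED_ISSUERS:
        return {"accept": False, "reason": "untrusted issuer", "vlan": None}
    if now >= cert.not_after:
        return {"accept": False, "reason": "certificate expired", "vlan": None}
    if cert.serial in REVOKED_SERIALS:
        return {"accept": False, "reason": "revoked (CRL)", "vlan": None}
    # Step 2: the directory lookup performed after the CRL check. A valid, unrevoked
    # certificate is still rejected when the directory says the identity is disabled.
    entry = DIRECTORY.get(cert.subject)
    if entry is None or not entry["enabled"]:
        return {"accept": False, "reason": "identity not active in directory", "vlan": None}
    # Step 3: runtime policy from the user's current directory attributes.
    for group in entry["groups"]:
        if group in GROUP_POLICY:
            return {"accept": True, "reason": f"group {group}", "vlan": GROUP_POLICY[group]["vlan"]}
    return {"accept": False, "reason": "no policy for user's groups", "vlan": None}
```

Bob’s case is the one the text warns about: his certificate passes every certificate-level check, and only the directory lookup stops him.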

Runtime-Level Policy Enforcement with RADIUS

SecureW2’s Dynamic Cloud RADIUS is a milestone in AAA technology. It enhances security, usability, and functionality with no loss in protection. It enables you to use the superior certificate-based 802.1X authentication but reduces your reliance on tedious certificate management.

Best of all, we have affordable solutions for organizations of every kind. Check out our pricing page to learn more.


Learn About This Author

Patrick Grubbs

Patrick is the SEO guy at SecureW2, but he enjoys writing a little too much to give it up entirely. He got his start blogging about his ever-expanding collection of succulents and cacti. His hobbies include running, gardening, playing video games, and buying tools he will never use. Special skills: 5th grade chess champion, ultra-specific color identification, clapping with one hand