SecureW2 is pleased to announce the invention of a whole new kind of AAA server – Dynamic (Cloud) RADIUS. It will revolutionize the way you authenticate users and enforce policies to create a WPA2-Enterprise network that is more efficient and more secure than ever before.
At its core, the SecureW2 Dynamic RADIUS is the same as a standard RADIUS with some extra features. It can be deployed in a cloud environment and integrated into your existing PKI infrastructure or as part of a managed cloud PKI serviced by SecureW2.
Once configured, your SecureW2 RADIUS will be able to perform enhanced, certificate-based authentication, which includes shared hosted RADIUS capability, runtime-level policy enforcement, and reinforced security.
What Identity Providers/Directories does Dynamic RADIUS support?
Dynamic RADIUS enables directory checks via a lightweight API designed to reduce request size and optimize authentication speed. It’s compatible with the following cloud directories:
- Azure AD
- Okta
- G Suite / Google
How does Dynamic RADIUS work?
Dynamic RADIUS operates in fundamentally the same way as regular RADIUS, but it has one extra step that makes a world of difference – it asks the directory if a user is active or not.
This functionality is similar to the user lookup feature sometimes employed by networks with LDAP-AD infrastructure. It allows the RADIUS server to reference an entity’s directory entry, both to confirm that the entity is authorized for access, and to read any other user information there.
During typical certificate-based RADIUS authentication, the RADIUS server references the CRL if it is provided with a valid certificate signed by a CA that’s also in the RADIUS’ root store. The RADIUS can only decide to authenticate based on the information stored in the certificate, which tends to be very little beyond the name, dates, and keys.
X.509 digital certificates are usually static – they can not be edited. Any changes in user permissions have to be enforced by revoking and reissuing certificates, a process that quickly becomes burdensome as a single user can have many certificates.
Instead of certificates storing the information necessary for policy enforcement, that data can be stored in the directory. Dynamic RADIUS can then check the directory and make policy decisions regarding user privileges, a method that is more secure and easier to manage.
What are the benefits of Dynamic RADIUS?
The advantages of Dynamic RADIUS can be summed up in a few key points:
- Eliminate the need for certificate management.
When a user’s permissions change significantly, such as when they make a lateral transfer or leave the organization, IT needs to both adjust their directory entry and revoke/reissue certificates. Most users will have multiple certificates and each needs to be manually revoked – and it’s not uncommon to overlook one or two.
Our Dynamic RADIUS server relies on the easier-to-manage directory to confirm whether or not a request is valid. It doesn’t matter if all of the certificates were correctly revoked or not, the RADIUS can reject requests based on user status, reducing the reliance on certificate management.
- Introduces Security Redundancies.
In security, redundancy is strength. Dynamic RADIUS adds redundancy to the user validation process without adding a significant burden in the form of network requests.
This redundancy is particularly useful because it covers an inherent vulnerability in CRLs – their update interval. Usually a cached copy of the CRL is stored in the RADIUS and updated every day or two. That’s a window for bad actors to trick a RADIUS into using a recently revoked certificate that still appears valid. While this problem could be addressed by simply shortening the CRL update interval, most organizations find that solution too costly.
- Runtime-level policy enforcement by the RADIUS.
As previously mentioned, Dynamic RADIUS allows the RADIUS to segment users and restrict/allow resources based on information stored in their directory entry. Since enforcement occurs at runtime, changes made to a user’s permissions are propagated throughout the system immediately rather than a day or two later, as is typical with most RADIUS servers.
- Sharing a RADIUS server between insulated networks.
It’s now possible to use a single RADIUS server to securely authenticate requests from multiple discrete networks while still maintaining resource isolation. While groundbreaking in its own right, Shared Hosted RADIUS has specific applications. It’s primary usage would be to replace scenarios in which multiple RADIUS servers are required within a single organization, or for Managed Service Providers to resell to their own customers as a white-labeled RADIUS.
Who is Dynamic RADIUS for?
Of course, the security benefits and quality-of-life improvements provided by Dynamic RADIUS would be useful to any organization that uses an 802.1x network, but there are a couple of key players that benefit the most from these advancements in RADIUS technology.
Enterprise-level organizations should find Dynamic RADIUS particularly appealing. It solves several key pain points for them. First, it compensates for the inevitable human mistakes that come from trying to manage thousands of certificates. The redundancy of the directory check ensures that any certificate that slips through the cracks is unable to compromise the network.
Secondly, Dynamic RADIUS reinforces the inherent security vulnerability of a longer CRL update interval by providing a redundant validation that occurs in every authentication request. Importantly, it uses few resources so it’s a less expensive option than constantly updating the CRL.
Managed Service Providers (MSP) will be elated at the announcement of Dynamic RADIUS since it introduces Shared Hosted RADIUS capabilities. MSPs can rarely offer their customers cloud RADIUS options because it’s simply too cost-prohibitive to set up the infrastructure for the small companies that MSPs typically service.
With the ability to use a single RADIUS server for multiple clients, all while keeping the client networks and resources totally isolated, MSPs can finally offer a scalable, full-featured RADIUS as part of their network security package.
More Efficient RADIUS
Dynamic RADIUS is poised to change the way that certificate-based WPA2-Enterprise networks are run. It shores up existing weaknesses with layers of security protocols and vastly improves the ease with which users and certificates can be managed.
SecureW2 has affordable options for organizations of all sizes. Click here to see our pricing.
