Using network access policies to segment users into VLANs with appropriate permissions is a core part of every organization’s identity and access management (IAM) strategy. More options to customize access policies and group policy objects (GPO) allows admins to tailor their security to their organization, removing the inevitable gaps of a “one size fits all” solution.
SecureW2’s Cloud RADIUS has the ability to dynamically assign network access policies at the moment of authentication using any number of customizable attributes – including SSID.
Why Use SSID for Authentication?
A Service Set Identifier (SSID), commonly recognized as the name of a Wi-Fi network, can be configured on each access point separately or be assigned to a group of access points via a controller.
For organizations that have some physical separation between groups of users, such as in-office teams and remote workers, using SSID to distinguish between the groups can be an effective addition to network access policies. RADIUS servers like SecureW2’s Cloud RADIUS can determine precisely which access point is transmitting the authentication request and whether or not the client should be using that AP (or using the network at all).
Here’s a scenario in which using SSID for authentication can protect you from remote attacks:
Company X has multiple offices, including a headquarters building in NYC. Their HR team is based in NYC, so they implement SSID check as an additional factor of authentication for accessing payroll software. When a hacker attempts to use their St. Louis office as a vector for attack, they are unable to authenticate to the payroll software since the RADIUS knows they are using the wrong SSID.
Using SSID as an authentication attribute obviously doesn’t offer a high degree of identity assurance, but it’s meant to supplement your network access policies – not replace them. It’s an easy way to perform an additional check, since your RADIUS already receives the prerequisite data in standard authentication requests.
Use SSID Authentication for MFA
The industry is rapidly adopting multi-factor authentication (MFA) as a protection against phishing, over-the-air attacks, and other forms of credential theft. The strength of MFA is dependent on how many factors are being used – two-factor authentication (2FA) is inferior to three-factor authentication (which is usually just called MFA).
And since 3 factors are better than 2, it follows that 4 are even better than 3! Perhaps the best reason to use SSID as an attribute for 802.1X network access is because it’s a rare opportunity to implement the elusive fourth pillar of authentication.
Multi-factor authentication, by definition, requires you to use at least 2 of the 3 commonly accepted “pillars of authentication”:
- “Something you know” – This typically refers to (memorized) passwords, but there are other forms of credential that can fulfill this factor. One-time-passwords, PINs, and the key pairs used in public-key cryptography (certificate-based authentication) are also “known”, but it might be a computer remembering it for you.
- “Something you have” – It might feel unusual to need a physical key for your computer in the same way you need one for your front door, but physical authentication security is an extremely effective defense against network-based attacks (which comprise the vast majority of hacks). Hardware security keys like the YubiKey are commonly deployed to fulfill this factor, alongside a certificate management solution like SecureW2’s YubiKey CMS.
- “Something you are” – Eyeball and DNA scanners are still mostly sci-fi, but fingerprint scanners are present on most flagship smartphones and a bevy of common computer models. Biometric data is rarely used as the only authentication factor (your phone requires you to re-enter your PIN after every restart, for example), but it’s difficult to fake and makes a great additional line of defense.
There are other theoretically possible factors of authentication, but few of them are feasible for use at scale. One of the exceptions is location-based authentication, or “somewhere you are.”
Like biometric authentication, it’s probably unwise to use location-based authentication as the only factor protecting your network. It’s easy to imagine a person hiding in the bushes outside an office, just inside the range of a critical access point.
At the same time, it’s just as easy to imagine location-based protection thwarting 99.99% of breaches since almost all hacks are perpetrated remotely via the internet.
Dynamic 802.1X Authentication Options
SecureW2’s innovative Cloud RADIUS is powered by our proprietary Dynamic Policy Engine, a tool that vastly increases the security and customizability of WPA2-Enterprise authentication. It enables you to configure and assign any number of customizable attributes to a client’s profile, which the RADIUS can check at the moment of authentication for on-the-fly role-based access control.
Any changes made to the directory propagate immediately, eliminating any gap in CRL coverage for certificate-based authentication. This functionality also permits the RADIUS to perform user-lookup, a well-loved feature from AD.
Our industry-leading RADIUS is supported by our Managed Cloud PKI, a turnkey PKI solution that integrates with your existing network infrastructure to reduce deployment time and expense. Admins love our intuitive, single-pane management interface that makes it a breeze to view and manage every aspect of your organization from one place.
We have affordable options for organizations of every size. Click here to see our pricing.
