The RADIUS protocol is used by thousands of organizations to protect their networks. Network admins set up RADIUS servers to verify approved network users, drastically reducing the risk of a compromised network. RADIUS can be configured to authenticate access to applications, Wi-Fi, VPN, and much more.
What is NPS?
A Network Policy Server (NPS) is essentially Microsoft’s RADIUS server. It can be configured to perform authentication, authorization, and accounting.
NPS works with Active Directory (AD), the most widely used online directory, so when a user requests network access, the NPS is able to check the network’s AD instance for that user’s entry and any attributes attached to them.
Standard Authentication with On-Prem NPS
NPS has historically played a critical role in Windows infrastructure. The typical setup uses NPS as a RADIUS server or RADIUS proxy to authenticate users for services like Wi-Fi, VPN, switches, and other network gear. NPS is a natural fit for an on-prem AD environment.
To enable 802.1X authentication, you’ll need a RADIUS server and an EAP method. Two of the most common EAP methods used by Windows admins are EAP-TTLS/PAP and PEAP-MSCHAPv2. TTLS/PAP is one of the least secure authentication methods because the credentials themselves are sent in cleartext; only the TLS “tunnel” between client and server is encrypted, and that tunnel protects nothing if an attacker tricks the client into accepting a rogue server as legitimate. PEAP is more secure than TTLS/PAP, but still has major security flaws.
The inherent problem with both methods is that they rely on credentials to authenticate users. Credentials can be forgotten, and they can be stolen through a man-in-the-middle or brute-force attack.
Since the adoption of cloud-based services, on-prem legacy systems have struggled to keep up. AD predates the cloud and was not designed for it, so network admins have to spend countless hours and install several add-ons to connect an on-prem legacy system to cloud services.
It’s become apparent that on-prem legacy systems that use credential-based authentication protocols don’t fit in today’s cloud environment.
Does NPS Work in the Cloud?
Systems built around AD and NPS were designed for on-premises technology. For networks to migrate to the cloud, admins have to spend hours adding extensions and configuring them to fit their environment. Adding dozens of extensions to cover every cloud capability also requires constant configuration and management, and further entrenches the network in outdated legacy systems.
Admins could connect a third-party cloud RADIUS solution and turn their NPS server into a RADIUS proxy that forwards requests to the cloud RADIUS server. This requires configuring the RADIUS policies to match NPS: the EAP method, event logging, the network adapters that accept authentication requests, and much more. Once configured, users’ authentication requests pass through NPS and are authenticated securely by the cloud-based RADIUS server.
The Best RADIUS Authentication with Cloud Directories
Instead of spending far too much time and money trying to incorporate the cloud into an on-prem AD environment, don’t build a pile of workarounds to make your NPS work. Invest in a turnkey cloud-based RADIUS solution that is designed to work with Cloud Directories, not on-premises solutions.
Cloud RADIUS seriously increases your authentication security because it’s built from the ground up for certificate-based EAP-TLS authentication. Certificates are much more secure than credentials and can serve as user identities for authentication and monitoring network activity.
A Public Key Infrastructure (PKI) is the framework that performs and manages public key encryption. It assigns each network user a pair of cryptographic keys; the public key is embedded in a certificate that is distributed to that user’s device. PKIs can be used to secure Wi-Fi, VPN, email, web applications and much more.
Server certificate validation prevents over-the-air credential theft: before the device connects, it verifies that the RADIUS server presents a certificate issued by a CA the device trusts, which confirms that the network is legitimate.
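The check described above, written out as an added example (not SecureW2’s code): a trusted CA issues a certificate to the real RADIUS server, a rogue server presents a self-signed certificate with the same name (the trick the EAP section warns about), and the supplicant-side validation accepts only the former. The CA name and the host name radius.example.com are constructed for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

const radiusName = "radius.example.com" // constructed example name, not a real host
// mkCert issues a test certificate; with parent == nil it is self-signed.
func mkCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true,
	}
	if !isCA {
		tmpl.DNSNames = []string{cn}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth} // Windows supplicants require this EKU
	}
	if parent == nil { // no issuer given: sign with the cert's own key
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// validateServerCert is the supplicant's check: the presented cert must chain to the trusted CA and carry the expected name.
func validateServerCert(server, trustedCA *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(trustedCA)
	_, err := server.Verify(x509.VerifyOptions{Roots: roots, DNSName: radiusName})
	return err
}

func main() {
	ca, caKey := mkCert("Example Corp RADIUS CA", true, nil, nil)
	legit, _ := mkCert(radiusName, false, ca, caKey)
	rogue, _ := mkCert(radiusName, false, nil, nil) // self-signed, same name as the real server
	fmt.Println("legitimate server:", validateServerCert(legit, ca)) // <nil>
	fmt.Println("rogue server:", validateServerCert(rogue, ca))      // certificate signed by unknown authority
}
```

A client with validation disabled skips validateServerCert entirely and will hand its credentials to whichever server answers first.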
Cloud RADIUS comes with SecureW2’s Managed Cloud PKI, a turnkey PKI solution that integrates with Azure environments to deploy WPA2-Enterprise with certificate-based 802.1X authentication. Our services eliminate the need for passwords to authenticate users, which removes both over-the-air credential theft and password reset policies.
Secure Your Network with Cloud RADIUS
Windows clients don’t need to spend days or even weeks trying to connect the cloud to an on-prem NPS. That process is expensive for the organization and time-consuming for admins. Instead, admins can integrate their networks with SecureW2’s Cloud RADIUS and Managed PKI, turnkey solutions that secure user authentication for Wi-Fi, VPN, web apps, and much more, all at an affordable price.