The RADIUS protocol is used by thousands of organizations to protect their networks. Network admins set up RADIUS servers to verify approved network users, drastically reducing the risk of a compromised network. RADIUS can be configured to authenticate access to applications, Wi-Fi, VPN, and much more.
What is NPS?
A Network Policy Server (NPS) is basically Microsoft’s RADIUS server. They can be configured to perform authentication, authorization, and accounting.
NPS works with Active Directory (AD), the most widely used online directory, so when a user requests network access, the NPS is able to check the network’s AD instance for that user’s entry and any attributes attached to them.
Standard Authentication with On-Prem NPS
NPS has historically provided a critical role for a Windows infrastructure. The typical setup is using NPS as a RADIUS server proxy to enable user authentication for services like Wi-Fi, VPN, switches, and other network gear. NPS is a perfect fit for an on-prem AD environment.
To enable 802.1x authentication, you’ll need a RADIUS server and an EAP method. Two of the most common EAP methods used by Windows admins are EAP-TTLS/PAP and PEAP-MSCHAPv2. TTLS/PAP is one of the least secure authentication protocols because it doesn’t encrypt credentials shared in a network connection. It does encrypt the “tunnel” connecting the server and client, but the tunnel is rendered useless if a malicious entity tricks a client into thinking it’s a legitimate server. PEAP is more secure than TTLS/PAP, but still has major security flaws.
The inherent problem with both authentication methods lies with the need for credentials to authenticate users. Both protocols are credential-based authentication protocols and credentials can be easily forgotten or stolen through a man-in-the-middle or brute force attack.
Since the adoption of cloud-based services, on-prem legacy systems are having difficulties keeping up. AD was established before the cloud was introduced, therefore it isn’t designed for the cloud. Network admins will have to spend countless hours and install several add-ons to incorporate the cloud into an on-prem legacy system.
Systems based around AD and NPS were designed for on-premise technology. In order to for networks to migrate cloudward, admins will have to spend hours adding extensions, configuring them to fit their environment. Plus, adding dozens of extensions to perform all the cloud capabilities requires constant configuration, management, and further entrenches networks with outdated legacy systems.
Admins could connect a third-party cloud RADIUS solution and turn their NPS server into a RADIUS proxy, forwarding requests to the cloud RADIUS server. This process requires specific configuration of RADIUS policies to match NPS. These configuration settings include: EAP method, event logs, network adapters for authentication request, and much more. Once configured, users would send their authentication requests to the cloud-based RADIUS and it would be authenticated securely with Microsoft NPS.
The Best RADIUS Authentication with Cloud Directories
Instead of spending way too much time and money trying to incorporate the cloud into an on-prem AD environment, don’t create a bunch of work arounds to make your NPS work. Invest in a turnkey cloud-based RADIUS solution that is designed to work with Cloud Directories, not on-premise solutions.
Cloud RADIUS seriously increases your authentication security because it’s built from the ground up for certificate-based EAP-TLS authentication. Certificates are much more secure than credentials and can serve as user identities for authentication and monitoring network activity.
The Public Key Infrastructure (PKI) is the framework that performs and manages public key encryption, assigning each network user a pair of cryptographic keys, one of which is input into a certificate and distributed to that user’s device. PKIs can be used to secure Wi-Fi, VPN, Email, web application and much more.
Server certificate validation prevents over-the-air credential theft by verifying the RADIUS server possesses the trusted certificate, which confirms that the network is legitimate and will connect the device to the network.
Cloud RADIUS comes with SecureW2’s Managed Cloud PKI, a turnkey PKI solution that can integrate with Azure environments to deploy WPA2-Enterprise with certificate-based 802.1x authentication. Our services eliminate the need for passwords to authenticate users, effectively eliminating over-the-air credential theft and password reset policies as well.
Secure Your Network with Cloud RADIUS
Windows clients don’t need to spend days or even weeks trying to incorporate the cloud with an on-prem NPS. The process is expensive for the organization and is time consuming for admins. Instead, admins can integrate their networks with SecureW2’s Cloud RADIUS and Managed PKI, turnkey solutions that secure user authentication for Wi-Fi, VPN, web apps, and much more, all at an affordable price.
Sam (aka Slammin Salmon, Street Hustler Sam, Samilstilskin) is a copywriter within the marketing team and a man of many nicknames. He has a degree in Marketing from the University of North Texas with previous experience in mortgage marketing and financial services.
Can I Use NPS with Cloud Directories?
October 19, 2020Sam Metzler
We use cookies to provide the best user experience possible on our website. If you would like to learn more click here. Accept
Privacy & Cookies Policy
Privacy Overview
This website uses cookies to improve your experience while you navigate through the website. Out of these, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may affect your browsing experience.
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.
