Due to the COVID-19 pandemic, employees are working from home now more than ever before. According to a Stanford study, an incredible 42 percent of the U.S. labor force now works from home full-time. Unfortunately, cybercriminals have quickly picked up on this and begun to prey on remote workers who haven’t been properly equipped to work remotely in a secure fashion. Suffice to say, this new reality needs to be met with changes that directly address our new work-from-home culture.
The answer to remote validation and authentication of users is to use a Remote Authentication Dial-In User Service, commonly called a RADIUS server or a AAA server.
What is RADIUS Wireless Security?
RADIUS is a networking protocol that eventually became standardized under the IETF; it’s used to secure your Wi-Fi (or VPN, or desktop login, or anything really). Based on the 802.1X standard for port-based network access control, RADIUS handles access requests and allows access to authorized users or devices. In common parlance, RADIUS is a synonym for an authentication server.
Is RADIUS authentication secure?
RADIUS servers improve your authentication security by querying the directory about the authorization status of users that want to connect. But is the communication between the RADIUS and the rest of your identity management system similarly secure?
Whether or not your RADIUS connection is secure depends on the authentication protocol it is using to communicate. RADIUS can authenticate requests using a number of different radius protocols, though the most common ones are:
- EAP-TLS
- PEAP-MSCHAPv2
- EAP-TTLS/PAP
We compare those protocols in depth here, but for the purposes of this article, suffice to say that PEAP-MSCHAPv2 and EAP-TTLS/PAP are not secure. Both have known vulnerabilities that hackers can exploit to gain access to your network and wreak havoc. Granted, any of these WPA2-Enterprise authentication protocols are a step up from WPA2-PSK (the universal password security that you are probably using in your router at home).
EAP-TLS, on the other hand, eschews individual usernames and passwords in favor of X.509 digital certificates. Certificates can’t be shared, stolen, or removed from a device (unlike passwords) so you can be sure that the entity authenticating with the certificate is the one you issued it to. Having high identity assurance is critical for securely managing your network – you need to know all of the who’s, what’s, where’s, why’s, and especially how’s to effectively secure a network. Tying identity to network activity via RADIUS + EAP-TLS certificates is the best way to accomplish that.
How can RADIUS support overall network security?
RADIUS supports overall network security by enabling advanced network access control. During authentication, it checks login credentials against the identity provider to verify that the requesting entity is authorized to access the network. A dynamic Cloud RADIUS like ours can take this opportunity to check the directory entry for any group policy rules and implement role-based access control at the moment of authentication.
A RADIUS server improves network security by adding critical redundancies – a key tenant of Zero Trust Network Architecture (ZTNA). Every time a user wants to access something, be it a shared folder, their email inbox, or the company Wi-Fi, their authorization is verified and reverified. This security paradigm severely limits the damage an intruder can inflict on your network (if they manage to get past the RADIUS in the first place!).
What are the advantages of using RADIUS for wireless authentication?
RADIUS improves your wireless authentication security in 3 ways:
- Use individual login credentials (or X.509 digital certificates) instead of a universal pre-shared key.
- Apply network policies based on a user’s role.
- Generate event logs for authentication requests, allowing admins to effectively monitor network traffic.
- Encrypted tunnel to communicate with the network makes it difficult for bad actors to steal credentials over the air.
Secure Network Access Options with RADIUS Servers
RADIUS Authentication With VPN for Secure Remote Access
Virtual Private Networks (VPN) are designed to protect your online identity by connecting your device to a secure server rather than your typical ISP. The goal is to keep your private information private. VPNs encrypt web traffic so no one is able to see your data, whether it’s a hacker, corporation, or government.
The primary reason organizations implement VPN isn’t actually for the encrypted tunnel or traffic masking that a VPN provides – it’s usually to allow remote devices to be “virtually present” so they can connect to the on-premise network and the resources contained therein. This setup is called a VLAN (Virtual Local Area Network).
In normal circumstances, group policy and user segmentation is handled in the background by the RADIUS. However, depending on the configuration and capabilities of your firewall and access points, this infrastructure may not be operating correctly. Indeed, some VPNs don’t have the ability to reference your user directories at all.
The solution to potential security lapses of VPN is simple – use your RADIUS for VPN authentication.
Yes, you can use your organization’s RADIUS to authenticate remote users. By configuring the VPN to connect to your office access point, the remote device can be “virtually” present and be authorized even by an on-premise RADIUS, though Cloud RADIUS services are easier and more secure.
The benefits of using your RADIUS in conjunction with VPN for remote access are twofold:
- It’s more secure. After the VPN connects to your office access point, the users undergo RADIUS authentication for network and resource access. Doubling up on protection keeps your traffic safe at all stages of the process.
- If your firewall, access point, or VPN doesn’t support user attributes or directory referencing, you can still use your RADIUS to implement security policies.
In fact, using your RADIUS to authenticate your users instead of a VPN is the security best practice no matter the situation. You don’t leave your network security to a third party in normal circumstances – why would you start now? This method ensures that ultimate control is still in your hands.
RADIUS Authentication via X.509 Digital Certificates
We alluded to it earlier, but the best configuration of a RADIUS client is to equip to to authenticate via the EAP-TLS protocol. That enables certificate-based authentication (CBA), which is the recommended security best practice from authorities such as CISA.
A certificate can be configured with lots of contextual information about the entity it’s issued to, such as:
- Name
- Email address
- Organization
- Role
- Permissions
- MAC address
- Expiry date
The sum of these attributes paints a comprehensive picture of that entity’s authorization level. It can also be used to constantly verify what parts of the network they access – an important feature for audits.
Ultimately, EAP-TLS authentication is all about adding identity context to every transaction in your network. What’s more is that this method of AAA authentication vastly improves the user experience and the admin’s management experience by eliminating all of the hassle associated with passwords: remembering them, resetting them, and trying to keep people from sharing them. Certificates authenticate automatically and immediately, can’t be swapped, and don’t need to be remembered. They are revoked automatically on expiration to prevent ghost credentials from creating issues down the line.
How to Enable RADIUS Server Authentication
Given the significant upgrades to security that RADIUS imparts, it’s a natural assumption to think it’s probably a complex project to implement and configure. That’s not necessarily the case, our Cloud RADIUS is a vendor-neutral, plug-and-play solution that can integrate with your existing network infrastructure and start authenticating users in a manner of hours.
Don’t take my word for it, click here to read how one of our customers rapidly deployed Cloud RADIUS authentication without a hitch. Or, if you already know what you want, go ahead and see our pricing here.
