Securing VPN Authentication with RADIUS & MFA

Due to the Covid-19 pandemic, organizations all over the world have closed their offices and sent their employees home to work remotely.

The mass exodus from the office to remote working has caused a rise in VPN use; influencing the change from a niche tool to a household name. Before Covid-19, VPNs were mainly used for encrypting your web traffic, keeping it away from prying eyes like ISPs and advertisers.

Now with the pandemic in full swing, VPNs are being used to securely connect remote workers to on-premises networks and resources contained within those networks.

While this makes it easy for workers to continue working as if nothing’s changed, the security of VPNs leaves something to be desired. With social engineering attacks like phishing capitalizing on the pandemic, network admins need to ensure their VPNs are protected.

Securing VPN with RADIUS

There’s actually a pretty simple solution to stronger VPN security: configuring your RADIUS for VPN authentication.

Organizations can leverage their RADIUS server to authenticate users for VPN access. Unlike some VPNs, RADIUS can access an organization’s online directory and determine which users are allowed network access and that feature can extend to VPN.

Authenticating users with a RADIUS server is the security best practice because organizations don’t have to use a shared password for the entire staff, instead having users create unique credentials for themselves. This drastically reduces the risk of a compromised network because people don’t tend to share their passwords with others.

However, credentials have become a common target of malicious actors through social engineering attacks like phishing attempts, which have seen a dramatic increase during the pandemic. Now the problem is network users getting tricked into giving away their passwords through a phony email and compromising a VPN.

Setting Up MFA for VPN

Using Multi-Factor Authentication for VPN access will result in a more secure and rapid authentication process and make it easier for users to transition from the office to their home.

MFA is great for stopping cyber attacks because it requires two or more authentication factors, with those factors being:

• Something you know (such as credentials)
• Something you are (such as biometrics)
• Something you have (such as App/SMS/digital certificate)

The extra authentication factor means MFA is over 90% effective against cyber attacks, including phishing attempts and automated bot attacks. MFA effectively keeps your VPN out of reach of potential attackers, even if they get a hold of approved credentials.

Using Certificates for MFA

For the best security possible, it is best to avoid using credentials as a factor for MFA. Credentials don’t provide accurate identification. A recent survey shows that 69% of respondents admit to sharing their passwords.

Digital certificates have proven to be more effective for authentication purposes because they eliminate over-the-air credential theft entirely. An organization can create and administer approved certificates to every network device and use them to authenticate users rather than credentials.

Many admins are hesitant because provisioning a certificate to every network entity doesn’t seem like an easy task, but that’s where Cloud RADIUS comes in.

Secure VPN Authentication with Cloud RADIUS and MFA

The standard use case for a RADIUS server is to authenticate and securely connect users to Wi-Fi, but that feature can extend to VPN access for businesses needing to connect remote workers to the office network. While RADIUS is a strong security measure, a network’s security can be upgraded by integrating SecureW2’s Cloud RADIUS.

Configuring Cloud RADIUS is a security best practice because it’s one of the most advanced RADIUS servers on the market. Cloud RADIUS is built on certificate-based EAP-TLS authentication, the most secure authentication protocol around. Users are administered unique certificates to their devices and authenticated with those certificates rather than credentials. The weakest point of network security is usually the end user, so supplying them a certificate to handle automatic authentication rather than having them create and input several passwords provides better overall security.

If you’re wondering how to get a certificate onto every network device, don’t fret. Cloud RADIUS is coupled with SecureW2’s Managed PKI, a turnkey service which simplifies the certificate enrollment process. Not only can admins set up the PKI in any environment within an hour, but admins can set up automatic certificate enrollment for all network devices with ease.

Admins can map user attributes and access levels to certificates. Once users are enrolled for a certificate, Cloud RADIUS can use the certificate to verify the user and their permissions. Admins can create security groups to segment users based on their network resource access levels, controlling who has VPN access.

Enable Cloud RADIUS for Secure VPN Authentication

Cloud RADIUS can be configured with your network to implement secure certificate-based authentication, combined with MFA, to securely connect remote users to VPN. VPN is critical for organizations to keep their enterprises going during a pandemic. Cloud RADIUS works with any vendor and comes at an affordable price for organizations of all sizes.