Remote work and hybrid work schemes have changed the way companies need to secure and configure their networks. Digital nomads travel the world and log into the company network to work remotely. Remote workers also split their time between the office and home. This is the new normal! That said, the need to have a secure network is paramount. In this regard, the Remote Authentication Dial-In User Service or RADIUS protocol offers you a more secure network.
RADIUS helps you use your self-managed credentials instead of a single sign-on password shared by many. In this article, you’ll learn about the RADIUS protocol and how it can benefit your company.
First, let’s learn what RADIUS is.
What Is the RADIUS Protocol?
RADIUS is a centralized network protocol that can authenticate users connecting to your network. This protocol primarily aims to check credentials. Then, it either allows or denies access to the network. Before we get into how it works, let’s define its components.
Components of RADIUS
RADIUS consists of 3 main components:
- Client: a lightweight program that asks you for your credentials and then forwards them to the RADIUS server for validation.
- Network Access Server (NAS): a gateway between the user outside and the network.
- RADIUS Server: the server that validates credentials. It can also conduct time tracking and assess connection details.
How Does RADIUS Authentication Work?
The diagram below shows how a user can authenticate with a RADIUS protocol server. Let’s walk through the 6 steps of authentication:
- User attempts to authenticate with a Network Access Server (NAS)
- The NAS requests a username and password from the user
- User adds credentials
- RADIUS client sends the encrypted credentials to the RADIUS server
- RADIUS server provides a response
- Client applies the services associated with the accept or reject response
Let’s also take a look at the 2 kinds of authentication models RADIUS uses.
1. Password Authentication Protocol (PAP)
The RADIUS client passes the remote user’s credentials to the authentication server. If correct, the server grants the user access to the network. Conversely, if incorrect, the server denies the user access to the network.
2. Challenge Handshake Authentication Protocol (CHAP)
CHAP is more secure than PAP because the client and server both rely on an encrypted shared secret. The encryption also gives it a leg up over PAP. Additionally, you can set it up to recheck the credentials at random points in the session. If something has changed mid-session at that random check, the user is disconnected from the network.
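As an added example (not from the original article or any RADIUS product), the Python sketch below shows what the two models put on the wire: the User-Password hiding that RFC 2865 defines for PAP, and the CHAP digest from RFC 1994 that the server recomputes. The shared secret, user name, password and identifiers are constructed values.

```python
import hashlib, hmac, struct

SECRET = b"constructed-shared-secret"   # constructed NAS/server secret (assumption)
PASSWORD = b"correct horse battery"     # constructed user password (assumption)

def _keystream(secret, prev):
    return hashlib.md5(secret + prev).digest()

def pap_hide(password, secret, authenticator):
    """Client side, RFC 2865 5.2: XOR 16-byte blocks with a chained MD5 pad."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], _keystream(secret, prev)))
        out += prev
    return out

def pap_recover(hidden, secret, authenticator):
    """Server side: rebuild the same pads, XOR back, strip the null padding."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, _keystream(secret, prev)))
        prev = block
    return out.rstrip(b"\x00")

def access_request(identifier, user, hidden, authenticator):
    """Minimal Access-Request (code 1): User-Name is attribute 1, User-Password 2."""
    attrs = bytes([1, len(user) + 2]) + user + bytes([2, len(hidden) + 2]) + hidden
    return struct.pack("!BBH", 1, identifier, 20 + len(attrs)) + authenticator + attrs

def chap_response(chap_id, password, challenge):
    """CHAP (RFC 1994): MD5 over identifier, password and challenge."""
    return hashlib.md5(bytes([chap_id]) + password + challenge).digest()

def chap_verify(chap_id, stored_password, challenge, response):
    """Server recomputes the digest from its stored password; constant-time compare."""
    return hmac.compare_digest(chap_response(chap_id, stored_password, challenge), response)

if __name__ == "__main__":
    import os
    ra, challenge = os.urandom(16), os.urandom(16)
    packet = access_request(7, b"alice", pap_hide(PASSWORD, SECRET, ra), ra)
    print("Access-Request:", packet.hex())
    print("server recovers:", pap_recover(packet[-32:], SECRET, ra))
    print("CHAP ok:", chap_verify(1, PASSWORD, challenge, chap_response(1, PASSWORD, challenge)))
```

Only the User-Password value is hidden; the User-Name attribute travels in cleartext, and the hiding is only as strong as the shared secret configured on the NAS and the server.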
With these models in mind, RADIUS also works with Wi-Fi. Let’s consider that next.
How Does RADIUS Work with Wi-Fi?
The RADIUS protocol can make Wi-Fi more secure by applying the same authentication methods to Wi-Fi connections that it applies to network connections. So, instead of the Wi-Fi router checking the login itself, the authentication passes to the RADIUS server, which validates the credentials. In this way, you have a third party doing the authentication to sign into the Wi-Fi. This process lets you use various login credentials rather than a single password.
The RADIUS protocol has many advantages, but it also has some drawbacks. Let’s check them next.
Pros and Cons of RADIUS Authentication
Here are the top 5 pros and cons of using the RADIUS protocol.
|Pros|Cons|
|---|---|
|Better security|On-premise set up|
|No password management: users manage their own credentials|Hard to set up if you already use an on-premise tool like an active directory.|
|Central point for authentication|If not set up correctly, can cause security issues|
|Secure VPN authentication|Complicated configuration|
|Uses 802.1X session encryption to protect user sessions|Difficult implementation|
The RADIUS protocol has 3 main components that work together to authenticate users using one of two authentication methods: PAP and CHAP. The authentication methods make RADIUS useful in many diverse business structures. They also offer many benefits to improve how you protect your network. Overall, if your business has remote workers, you should consider RADIUS authentication.
If you have further questions, check out the FAQ and Resources sections below.
What is the main advantage of RADIUS?
The main advantage of using the RADIUS protocol to meet your network authentication needs is that each user sets their own password and manages it. This means less work for a network administrator who would otherwise have to manage passwords. Also, nobody has to share a single password. In short, this makes it much easier to prevent bad actors from getting your credentials.
Do I need active directory services if I use RADIUS for credential security?
It depends. Users have individual credentials, secure VPN authentication, and a high level of session encryption. The encryption protects the data traveling back and forth in open remote sessions. You also protect the network by not storing details centrally on an active directory server that’s internet-facing, although you can have a backend active directory service.
What OSI level does RADIUS operate on?
The RADIUS protocol operates on layer 7 of the Open Systems Interconnection (OSI) Network model. Level 7 is the application layer. This is the human-computer connection level, where applications can access the network and its services. This means any cyber-threats that disrupt your operating system, kernel, or firmware will impact your RADIUS solution.
Does RADIUS require an active directory on-site server?
You can use one if you move your RADIUS to the cloud. Most times, when companies implement RADIUS, they use the old Active Directory to back-end the credentials database for the RADIUS protocol. You can go serverless with RADIUS, but you’ll need a cloud-based service to replace your server.
Can RADIUS be used with Azure?
Yes, however, Microsoft has a role called Network Policy Server, which can do the job of a RADIUS server and support the authentication tasks. Azure Active Directory allows you to configure multi-factor authentication for a RADIUS-based system.
TechGenix: Article on Azure MFA with RADIUS
Learn how to use Azure MFA with a RADIUS authentication protocol.
Microsoft: Article on RADIUS Authentication Integration with Azure
Discover how to integrate RADIUS authentication into Azure’s multi-factor authentication server.
TechGenix: Article on How Microsoft’s New SMB Authentication Rate Limiter Improves Security
Find out how Microsoft’s SMB authentication rate limiter improves network security.
TechGenix: News on MS Exchange Basic Authentication
Find out when basic authentication on MS Exchange will be turned off.
TechGenix: Article on Common Network Threats
Learn about common network threats and how to protect yourself.