RADIUS security is composed of three components: authentication, authorization, and accounting. These three links in the RADIUS security chain are often referred to by their acronym, “AAA”. The first of these, authentication, is the process that determines whether a client (a person, a device, or a software process) is a legitimate user of the system.
Authorization is the process that determines what an authenticated client (a person, a device, or a software process) is allowed to do on the network.
Finally, accounting is the process of monitoring and recording a client’s use of the network.
Each link in the RADIUS security chain is unique in its function and implementation, and all three are necessary to obtain the maximum protection benefits that RADIUS can provide. Let’s take a look at the first link in the security chain: the authentication process.
Authentication is the process that determines whether a client (a user, a device, or a software process) really is who it claims to be. Authentication usually involves some form of identification and a piece of secret information, such as a password.
RADIUS Authentication Play-By-Play
To the end user, supplying a user name and a password to log in to a network seems simple and straightforward. What goes on behind the scenes is actually fairly complex, involving multiple messages flying back and forth between the client and the RADIUS server.
Several elements are considered when the RADIUS server evaluates a request for access:
- Principal: This is the identity of the client requesting access. The client can be a person (user), a device, or combination of user and device. It could also be a software process that requires access to particular network resources to operate. In the case of a person seeking access, the principal is usually a user name; for a device, it is a parameter that uniquely identifies that device on the network.
- Credential: This is a piece of information that proves the identity of the principal. It can be a “permanent” password, a one-time password (such as a string of numbers generated on a keyfob), a digital certificate, biometric credential (such as a fingerprint or an iris scan), or some combination.
- Context: Other checks that the RADIUS server may perform when making an access decision fall under the umbrella of “context.” The client might enter the correct user name and password, but if their IP address is not in the right range or if there are too many people on the network, the RADIUS server might still reject their access request. There are numerous other context checks the RADIUS server might perform, including whether the client’s device has the appropriate security software and operating system updates.
The exact sequence of events in an authentication cycle varies according to the credential and context checks each RADIUS server performs, but it generally includes the following:
- The client sends a request packet, which includes the principal (user name), encrypted password or other credential, and other network-related information.
- The RADIUS authentication server checks a database for the existence of the principal identity. If the identity is found, the server then checks the submitted password against the password associated with that identity in the database. If the password is correct and any contextual checks are satisfied, then the client is considered “authenticated.” The RADIUS server returns an “accept” message to the client, and the connection is established.
If any of the checks fail—if the user name doesn’t exist, or the password is incorrect, and so on—the RADIUS server returns a “reject” message to the client. Depending on the security rules defined on the server, the client may have the opportunity to try again a certain number of times, after which the account is locked, either permanently (until an administrator unlocks it) or for a certain amount of time.
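The request/accept/reject cycle above, worked through in code. This is an added example, not code from the article or from Network RADIUS: a client (NAS) builds an RFC 2865 Access-Request with the User-Password hidden under the shared secret, and a toy server walks the same decision order the article lists (principal lookup, credential check, a context check modelled as a source-address range, failure counting with lockout) and answers with an Access-Accept or Access-Reject carrying a Reply-Message. The shared secret, user record, address range, lockout threshold and the use of Framed-IP-Address as the "client address" are all constructed assumptions for illustration; the exchange happens in-process rather than over UDP.

```python
import hashlib
import hmac
import ipaddress
import os
import struct

# RFC 2865 packet codes and the attribute types used below
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, FRAMED_IP_ADDRESS, REPLY_MESSAGE = 1, 2, 8, 18

SHARED_SECRET = b"constructed-shared-secret"  # constructed value for the example only


def hide_password(password, secret, authenticator):
    """RFC 2865 s.5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous block), seeded by the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += prev
    return out


def reveal_password(hidden, secret, authenticator):
    """Server-side inverse of hide_password; the zero padding is stripped."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def encode_attrs(attrs):
    """Attributes are TLVs: 1-byte type, 1-byte total length, value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data):
    attrs, i = {}, 0
    while i + 2 <= len(data):
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")  # refuse truncated or oversized TLVs
        attrs[t] = data[i + 2:i + length]
        i += length
    return attrs


def build_access_request(identifier, username, password, client_ip, secret=SHARED_SECRET):
    """NAS side: the request packet from the article's first step."""
    authenticator = os.urandom(16)  # fresh random Request Authenticator per request
    body = encode_attrs([
        (USER_NAME, username.encode()),
        (USER_PASSWORD, hide_password(password.encode(), secret, authenticator)),
        (FRAMED_IP_ADDRESS, ipaddress.IPv4Address(client_ip).packed),
    ])
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body)) + authenticator + body


def response_authenticator(code, identifier, request_auth, body, secret):
    """RFC 2865 s.3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(body))
    return hashlib.md5(header + request_auth + body + secret).digest()


def pw_hash(password, salt):
    """Stored credential: a salted PBKDF2 hash rather than the plaintext password."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, 50_000)


class RadiusServer:
    """Toy policy engine: principal lookup, credential check, context check, lockout."""

    def __init__(self, users, allowed_net, max_failures=3, secret=SHARED_SECRET):
        self.users = users  # name -> (salt, pbkdf2 hash); constructed sample data
        self.allowed_net = ipaddress.ip_network(allowed_net)
        self.max_failures, self.secret = max_failures, secret
        self.failures, self.locked = {}, set()

    def decide(self, username, password, client_ip):
        """Policy decision only; returns (code, reason)."""
        if username in self.locked:
            return ACCESS_REJECT, "account locked"
        record = self.users.get(username)
        if record is None:
            return ACCESS_REJECT, "unknown principal"
        salt, stored = record
        if not hmac.compare_digest(pw_hash(password, salt), stored):
            n = self.failures[username] = self.failures.get(username, 0) + 1
            if n >= self.max_failures:
                self.locked.add(username)
            return ACCESS_REJECT, "bad credential"
        if ipaddress.ip_address(client_ip) not in self.allowed_net:
            return ACCESS_REJECT, "context check failed: source address"
        self.failures.pop(username, None)
        return ACCESS_ACCEPT, "authenticated"

    def handle(self, packet):
        """Wire handling: parse the request, decide, and sign the reply."""
        code, identifier, length = struct.unpack("!BBH", packet[:4])
        request_auth = packet[4:20]
        attrs = decode_attrs(packet[20:length])
        username = attrs.get(USER_NAME, b"").decode(errors="replace")
        password = reveal_password(attrs.get(USER_PASSWORD, b""), self.secret, request_auth)
        client_ip = str(ipaddress.IPv4Address(attrs.get(FRAMED_IP_ADDRESS, b"\0\0\0\0")))
        reply_code, reason = self.decide(username, password, client_ip)
        body = encode_attrs([(REPLY_MESSAGE, reason.encode())])
        auth = response_authenticator(reply_code, identifier, request_auth, body, self.secret)
        return struct.pack("!BBH", reply_code, identifier, 20 + len(body)) + auth + body


def verify_reply(reply, request, secret=SHARED_SECRET):
    """NAS side: accept only replies whose Response Authenticator and identifier match."""
    code, identifier, length = struct.unpack("!BBH", reply[:4])
    expected = response_authenticator(code, identifier, request[4:20], reply[20:length], secret)
    return hmac.compare_digest(expected, reply[4:20]) and identifier == request[1]


def run_exchange(server, identifier, username, password, client_ip):
    """One full cycle; returns (reply code, reply message, reply verified?)."""
    request = build_access_request(identifier, username, password, client_ip)
    reply = server.handle(request)
    return reply[0], decode_attrs(reply[20:])[REPLY_MESSAGE].decode(), verify_reply(reply, request)


def make_demo_server():
    salt = b"constructed-salt"  # constructed; use a random per-user salt in practice
    return RadiusServer({"alice": (salt, pw_hash(b"correct horse", salt))}, "10.0.0.0/24")


if __name__ == "__main__":
    srv = make_demo_server()
    print(run_exchange(srv, 1, "alice", "correct horse", "10.0.0.7"))   # accept
    print(run_exchange(srv, 2, "alice", "correct horse", "192.168.1.5"))  # context reject
    for i in range(3):
        print(run_exchange(srv, 3 + i, "alice", "wrong", "10.0.0.7"))  # credential rejects
    print(run_exchange(srv, 6, "alice", "correct horse", "10.0.0.7"))   # now locked
```

Two points worth noticing in the code. The "encrypted password" of the first step is, for PAP, the RFC 2865 hiding scheme in hide_password: an MD5 keystream derived from the shared secret, so the protection of the password on the wire is only as good as the secret and the transport around it. And the client does its own verification: verify_reply recomputes the Response Authenticator, so an Access-Accept that was not produced by a holder of the shared secret for this exact request is discarded rather than trusted.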
Implementing RADIUS Authentication
RADIUS authentication involves a large number of variables and options, many of which depend on the needs of an organization. Implementing it correctly so that no security holes are left open requires specialized expertise. Even businesses that do have in-house RADIUS experience will bring in the experts at Network RADIUS – they have both the knowledge and the experience to set up your RADIUS authentication process correctly.
By taking a holistic approach to network security, you ensure that all of the parts of your system work together. Your business depends on the security of its network and computing resources; don’t leave your business security to chance.
In the next article in our series about RADIUS security, we’ll examine the process of authorization and how RADIUS determines who can access what on the server. Stay tuned!
WiFi Security with RADIUS: Easier Than You Think
When setting up a WiFi network at home, you typically set up an SSID and password, accept the defaults for any other options, and be done with it. (In some cases, these are done for you by your service provider — you don’t even have to think.) You share the password with family and visitors, and everyone is happy.
Business WiFi is a bit different. If you set up a WiFi network for your business with a single password for all staff and visitors, that password eventually leaks out, and people (former employees, suppliers, and snoops of all kinds) can log on to your WiFi network any time. The situation is especially bad if the WiFi network gives users access to sensitive information, such as financials, intellectual property, and customer records. You could change the WiFi password occasionally, but then you have to give it to all the staff so they can log in again, and the problem starts all over.
There’s a better way: WiFi authentication with RADIUS.
Advantages of RADIUS WiFi Authentication
Before delving into what RADIUS is and how it works, let’s take a look at what it buys you:
- Individualized authentication. Each user (or device) is assigned unique credentials for accessing the WiFi network. No more password sharing, as each user manages his or her own credentials.
- Sync with LDAP/Active Directory. The system can be set up so that the users’ network directory passwords are used to authenticate on the WiFi network, enabling single sign-on for users.
- Wide range of implementation options. RADIUS can be implemented as a dedicated on-premise server, using purchased RADIUS server software or a free/open-source option such as FreeRADIUS. Many network devices and server operating systems have RADIUS built-in, so no extra software or hardware purchase is needed. There are also cloud-based RADIUS services available, which can free you from the system setup and maintenance tasks altogether. This is very attractive to smaller organizations with limited (or nonexistent) IT staff and budget.
RADIUS WiFi 101
RADIUS, in case you’re wondering, stands for “remote authentication dial-in user service.” It’s an authentication system that has been used to secure networks for many years (hence the “dial-in” in the name). A wireless RADIUS server uses a protocol called 802.1X, which governs the sequence of authentication-related messages that go between the user’s device, the wireless access point (AP), and the RADIUS server.
When a user wants to connect to a WiFi network with RADIUS authentication, the device establishes communication with the AP, and requests access to the network. The AP passes the request to the RADIUS server, which returns a credential request back to the user via the AP. The user provides the proper user name and password, which the RADIUS server checks against the authentication directory. If the credentials are correct, the RADIUS server informs the AP to allow the user access to the network.
Implementing Wireless RADIUS
As mentioned above, implementing a wireless RADIUS server can be simple or complex, and the implementation path you choose depends largely on the size of your organization (that is, the number of users and devices you need to support), your budget, and the expertise of your IT staff. An on-premise solution involves a good bit of setup, but might be more cost-effective than a hosted solution if you have a large number of users. If you decide on an on-premise solution, but lack the resources to pull it off, Network RADIUS can help you install, set up, and manage a FreeRADIUS system for your wireless (or any other) network.
These days, hackers are looking for any way into organizations large and small, and they know that many WiFi networks are vulnerable. Failing to protect your business from WiFi vulnerabilities is inexcusable. If you haven’t implemented RADIUS authentication for your WiFi network, the time to act is now. It’s easier than you think.
Don’t Set It and Forget It: Keeping Your RADIUS Network Secure
So you decided that whatever you were using for network security wasn’t getting the job done… either it didn’t scale with the growth in your user base, devices, or network design, or it was hindering your organization’s productivity. Or maybe you suffered a security breach. Whatever the case, you decided to make the jump to RADIUS authentication, and you’ve implemented a RADIUS server. You set it up to protect your network, including 802.1X security for your WiFi network. Everyone who needs access has sufficiently secure passwords to log in. Now you’re done, right?
Not so fast. Network security is a journey, not a destination. Simply implementing a RADIUS server is not enough; you still have some work to do to keep your network secure. Let’s have a look at the up-front and ongoing activities you need to do to maintain the security of your RADIUS network.
Review Your RADIUS Server Implementation
First, take a look at your RADIUS server implementation to make sure you haven’t missed anything critical:
- Do you have a security certificate? Security certificates are necessary for client software to verify that it is actually connecting to your RADIUS server (and not a clever impostor, such as with a man-in-the-middle attack) and to establish a secure (i.e., encrypted) connection to it. There are several options available for purchasing security certificates, or you can create your own. Each option has advantages and disadvantages, so if you haven’t implemented one (or more) already, do your homework and get one in place.
- Are clients verifying your RADIUS server? The flip side to having a security certificate is setting up the client software to verify against it. This is normally done at the operating-system level, and many operating systems enable verification by default. However, it’s worthwhile to check your standard-issue computers to ensure they actually are verifying server certificates.
- Got multiple DCs? If your organization uses Microsoft Active Directory, your RADIUS server should be set up to authenticate users against their AD credentials. If you have more than one domain controller (DC) — and you should, for redundancy and system resilience — you need to make sure any RADIUS server configuration changes are propagated to all of the DCs, or a DC failure can cause connection problems.
The Big Picture: Ongoing Vigilance
Outside the RADIUS server itself, there are a number of things you need to do on an ongoing basis to keep your network secure.
- Don’t skip the security updates. Your RADIUS server software and all your operating systems have regular patches and updates to address newly discovered vulnerabilities. Too many organizations put off implementing these updates, thinking there will be some slack time when it can be done. Pro tip: There is never any slack time, and the longer you put it off, the more time-consuming it becomes to install all the accumulated updates. If you don’t have the resources to install patches as soon as they come out, schedule a day each month or quarter for each server to be updated.
- Set up security standards and policies. If your organization doesn’t already have written security policies and standard procedures in place, now is the time. Policies for password complexity and expiration, local administrative access, and standard security procedures for deploying new hardware should all be written and enforced.
- Use encrypted connections. Unless everything that’s important to you always stays under your own roof, you can assume that at some point your network traffic flows to networks and devices that are outside your control, such as cloud services or wide-area networks. If it’s out of your control, you can’t be certain it’s secure. Make sure the data that goes outside your building is encrypted.
- Segregate visitor wireless access. Modern WiFi systems can enable separate access for staff and visitors. Your visitor access can have a separate SSID; use separately administered single-use or time-limited RADIUS authentication credentials with 802.1X security; and restrict access to the Internet only or to certain resources, such as printers or specific file shares. You don’t have to give visitors the keys to the kingdom on your WiFi network.
If this is all new to you, you aren’t alone. But a breach of your network is not a question of if; it’s a question of when. You owe it to your business to keep its network as secure as possible. Network RADIUS can help not only with the implementation of a RADIUS server solution, but also with the ongoing care that’s needed to keep it secure.