News and articles

Tips, tricks and other information about FreeRADIUS and AAA.

How one-time passwords work

One-time passwords (OTP) and multi-factor authentication (MFA) are important mechanisms for improving security. Both combine the username and password credentials with a one-time token as part of the sign-in process. The token is usually supplied by an authentication app or by a small, separate piece of hardware. In network security, a one-time token is common practice for activities such as signing into a private network through a VPN.

While one-time passwords are useful, the authentication protocol used to transmit the user's credentials may not be compatible with OTP. Protocols such as CHAP and MS-CHAP require the server to know the password in advance so that it can recompute the client's response, which a token that changes on every login cannot satisfy; PAP, and EAP methods that tunnel PAP, hand the server the value the user typed and therefore work.

How authentication protocols work

Choosing an authentication protocol is one of the most important decisions when designing a RADIUS ecosystem.

There are a variety of authentication protocols to choose from, each with its own set of advantages, disadvantages, and constraints. In general, we recommend using PAP whenever possible. It is compatible with all known back-end databases and password storage formats, and the protocol itself has no known weaknesses. In transit the password is protected by the RADIUS shared secret, so the usual advice applies: use a strong secret, and carry RADIUS over TLS (EAP-TTLS or RadSec) when the traffic crosses a network you do not trust.

This article outlines the most common authentication protocols, how they work, and the implications of using them.

Authentication systems and protocol compatibility

In many network configurations, there will be some transactions for which the RADIUS server does not perform the authentication itself, but simply passes the credentials to a third-party system and relies on the pass/fail response it gets back. Unfortunately, not all of these authentication systems work with all password storage formats, because some protocols need the server to hold the cleartext password (or a specific hash of it) before it can check anything. In these scenarios, it is important to realise that the incompatibility is between the authentication system and the password format, not the RADIUS server.
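The following worked example, added here and not part of the original article or of FreeRADIUS, shows the incompatibility described above and in the OTP piece. It stores one user's credential three ways (cleartext, salted SHA-256, and a token seed held by an external OTP validator that only answers pass/fail) and runs PAP and CHAP (RFC 1994) against each. PAP can be checked against every store; CHAP can only be checked where the cleartext password is already in hand, so against a hash or an OTP validator the result is not "reject" but "cannot be evaluated". The store names, the salt, the password and the `OtpValidator` class are constructed for this example; the OTP seed is the RFC 4226 test-vector seed.

```python
import hashlib
import hmac
import secrets

# Constructed sample data for this example (not real credentials).
PASSWORD = "s3cret"
SALT = b"\x01\x02\x03\x04"
OTP_SEED = b"12345678901234567890"  # the RFC 4226 test-vector seed


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(seed, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class OtpValidator:
    """Stands in for the third-party OTP system (hypothetical): it holds the seed
    and a counter, answers only pass/fail, and never reveals the expected token."""

    def __init__(self, seed: bytes):
        self.seed, self.counter = seed, 0

    def check(self, token: str) -> bool:
        ok = hmac.compare_digest(hotp(self.seed, self.counter), token)
        if ok:
            self.counter += 1  # an accepted token is burned; replay fails
        return ok


def make_store():
    """One user, three ways the credential can be held (labels are ours)."""
    return {
        "cleartext": {"format": "cleartext", "value": PASSWORD},
        "ssha256": {"format": "ssha256",
                    "value": hashlib.sha256(PASSWORD.encode() + SALT).digest() + SALT},
        "otp": {"format": "otp", "validator": OtpValidator(OTP_SEED)},
    }


def pap_verify(record, password: str):
    """PAP delivers the cleartext credential, so the server (or the external
    system it hands off to) can re-apply whatever transformation the store uses."""
    fmt = record["format"]
    if fmt == "cleartext":
        return hmac.compare_digest(record["value"].encode(), password.encode())
    if fmt == "ssha256":
        digest, salt = record["value"][:32], record["value"][32:]
        return hmac.compare_digest(
            hashlib.sha256(password.encode() + salt).digest(), digest)
    if fmt == "otp":
        return record["validator"].check(password)
    raise ValueError(f"unknown format {fmt}")


def chap_response(chap_id: int, password: str, challenge: bytes) -> bytes:
    """Client side of CHAP (RFC 1994): MD5(Identifier || secret || challenge)."""
    return hashlib.md5(bytes([chap_id]) + password.encode() + challenge).digest()


def chap_verify(record, chap_id: int, challenge: bytes, response: bytes):
    """Server side of CHAP. Recomputing the MD5 needs the cleartext password
    before the comparison. A salted hash cannot be reversed and an external OTP
    validator only says pass/fail, so for those stores the answer is None
    (undecidable): the protocol and the storage format are incompatible."""
    if record["format"] != "cleartext":
        return None
    expected = chap_response(chap_id, record["value"], challenge)
    return hmac.compare_digest(expected, response)


def compatibility_matrix():
    """Run both protocols against every store with the correct credential and
    report True (accepted), False (rejected) or None (cannot be evaluated)."""
    store = make_store()
    chap_id, challenge = 7, secrets.token_bytes(16)
    results = {}
    for name, record in store.items():
        if record["format"] == "otp":
            cred = hotp(OTP_SEED, record["validator"].counter)  # current token
        else:
            cred = PASSWORD
        results[(name, "PAP")] = pap_verify(record, cred)
        results[(name, "CHAP")] = chap_verify(
            record, chap_id, challenge, chap_response(chap_id, cred, challenge))
    return results


if __name__ == "__main__":
    for (store_name, proto), outcome in sorted(compatibility_matrix().items()):
        print(f"{store_name:10s} {proto:5s} -> {outcome}")
```

Running the module prints the matrix: PAP succeeds against all three stores, CHAP succeeds only against the cleartext store and reports None for the other two. Note that the "OTP" column is exactly the hand-off case the paragraph describes: the RADIUS server never learns the expected token, so the only protocol it can use is one that delivers the user's input for the validator to judge.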

Why you should design for a worst case scenario

If you live in an earthquake zone, it’s important to engineer buildings to survive an earthquake. You don’t know when an earthquake will happen, or where exactly, or how big it’s going to be, but you know that it will happen at some point during the lifetime of the building. And the consequences of not earthquake proofing can be deadly.

The same goes for your critical network infrastructure. At some point, some part of your network will go down. The consequences are not usually deadly, but it can feel that way when it’s happening to you.