Understanding Radius Servers
Learn about the features and benefits of RADIUS server.
So what is a RADIUS server, really?
If the RADIUS protocol were a person, it would be an old man shaking his cane and yelling at kids to get off his lawn. RADIUS stands for Remote Authentication Dial-In User Service, which should give you a clue of how long it's been around (since the early 90s!). In fact, it was originally designed for organizations like ISPs that had many users connecting remotely via point-to-point serial links (like a dial-up connection), but it has since evolved to provide security for remote access across several types of network connections like VPN, wired, and wireless.
A RADIUS server is a network device using the RADIUS protocol that handles AAA for your network: Authentication, Authorization, and Accounting. These are 3 key elements of network security:
- Authentication: Are you allowed to use this network?
- Authorization: Ok, you got in the door - what resources are you allowed to use?
- Accounting: How long were you here, and how much data (or other resources) did you use?
To use RADIUS you need two things:
- A RADIUS server
- An IDP (Identity Provider; basically a directory of user/device information). You need an IDP because the RADIUS server itself does not store any user information, so it needs a directory to check. Common IDPs include Azure AD, Google, and Okta.
Under the Hood
So what happens exactly when you click “connect”?
- The RADIUS client (that's your laptop) sends an Access-Request message to the RADIUS server (this has a username and encrypted password, OR certificate details to compare against the CRL)
- RADIUS server reads the information from the Access-Request & compares it against the IDP (Azure AD, G-suite, etc.)
- If a match is found, the RADIUS server then checks if there is an access policy or profile that matches the user credentials (for instance, if you were in the “HR” group in Azure AD, you would probably have access to salary information and payroll data; if you were in “Finance” you might have access to budgets and quarterly results, etc.)
- The RADIUS server will then send an Access-Accept message if everything checks out, or an Access-Reject message otherwise.
- The Access-Accept message will contain a filter ID and a shared secret. If the shared secret does not match what the client has, the client will reject the message.
- If it does match, the RADIUS server will then connect the user to the specific RADIUS group depending on the Filter ID.
- RADIUS uses the Filter ID to do role-based authentication.
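The accept/reject step above, as an added example that is not code from the original page or from any RADIUS product: the server builds an Access-Accept carrying a Filter-Id for the user's IdP group, and the client checks the reply as RFC 2865 describes. The policy table, shared secret and request authenticator are constructed; note that the shared secret itself never travels in the packet, it keys the Response Authenticator that the client recomputes before trusting the Filter-Id.

```python
"""Access-Accept carrying a Filter-Id, built and checked as RFC 2865 describes.
Constructed example: policy table, shared secret and request authenticator are
made up. The secret itself is never sent; it keys the 16-byte Response
Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
import hashlib
import hmac
import struct

ACCESS_ACCEPT, ACCESS_REJECT = 2, 3   # RADIUS packet codes
FILTER_ID = 11                        # Filter-Id attribute type

# Hypothetical policy: IdP group -> Filter-Id the NAS maps to a role or VLAN
GROUP_POLICY = {"HR": b"hr-vlan", "Finance": b"finance-vlan"}

def build_response(code, ident, request_auth, attrs, secret):
    """Serialise a RADIUS reply and stamp it with the Response Authenticator."""
    body = b"".join(struct.pack("BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body

def server_decide(ident, request_auth, user_groups, secret):
    """Server side: match the user's IdP groups against policy, then answer."""
    for group, filter_id in GROUP_POLICY.items():
        if group in user_groups:
            return build_response(ACCESS_ACCEPT, ident, request_auth,
                                  [(FILTER_ID, filter_id)], secret)
    return build_response(ACCESS_REJECT, ident, request_auth, [], secret)

def client_verify(packet, ident, request_auth, secret):
    """Client side: return (code, filter_id), or None if the reply must be dropped
    (wrong Identifier, wrong length, wrong secret or tampered attributes)."""
    if len(packet) < 20:
        return None
    header, resp_auth, body = packet[:4], packet[4:20], packet[20:]
    code, pkt_ident, length = struct.unpack("!BBH", header)
    if pkt_ident != ident or length != len(packet):
        return None
    expected = hashlib.md5(header + request_auth + body + secret).digest()
    if not hmac.compare_digest(expected, resp_auth):
        return None
    attrs, i = {}, 0
    while i < len(body):                 # walk the type/length/value list
        atype, alen = body[i], body[i + 1]
        if alen < 2:
            return None
        attrs[atype] = body[i + 2:i + alen]
        i += alen
    return code, attrs.get(FILTER_ID)
```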
Why have a RADIUS Server?
RADIUS provides centralized authentication services for your network - and it lets you decide who can access what (also known as role-based authentication.) So, RADIUS lets you say that Jenna in accounting has access to her company’s financial records, but only if she’s connecting via VPN. If she connects via WiFi, she can get to her e-mail and maybe a few other things, but not full access. Daniel, the new contractor you hired, can only connect via WiFi but not wired access since he doesn’t have a company-issued laptop. It really gives you a lot of options to make everything as secure as possible without over-complicating everything.
With a RADIUS server, you have two options for connecting:
- User & Password, which of course we are all familiar with
- Certificate based, which is much more secure
Passwords are problematic in lots of ways - either they’re re-used for multiple sites, written down somewhere, never changed, etc.
Certificates are much more secure because they take the users out of it - when you send a request for authentication, the device presents its certificate to the RADIUS server. First the server will check if the certificate is expired. Assuming it's not, then it will compare it to a CRL (certificate revocation list). If it's all good there, then you're in!
Nothing demonstrates the need for a RADIUS server like corporate WiFi, however. If you have a WiFi network (and who doesn't?), you probably have one shared password. Take a walk through the office and you'll see it written on post-it notes, whiteboards, company t-shirts... not exactly secure. And if a bad actor gets access to your WiFi network, it's super easy to sniff the traffic on that network (one of the reasons you should never, ever log into your online banking in a coffee shop, airport, or other public WiFi). Not to mention what happens if you ever have to change that password and deal with a never-ending parade of users whose smartphones won't connect!
RADIUS to the rescue - put a RADIUS server before your Wireless Access Points and you get secure credential or certificate-based access for only the people you want to have access. Plus, no more passwords on post-its!
Cloud-Native RADIUS vs. Traditional on-Prem RADIUS server
So, if having a RADIUS server sounds like a great way to make a network secure, why don't more people use them?
They can be a pain to set up - not super complicated per se, but it’s another piece of network equipment you must install, configure, and maintain. For a long time, security wasn’t a super high focus, and when most of your workforce was connecting via wired connections from one large office, it wasn’t as necessary. However, things look a lot different today - workers are connecting from all over the world with a variety of devices. The ever-growing list of massive data breaches has pushed security far up the list of important things for companies to focus on. The days of a password with a capital letter and a special character being enough are long past.
Thankfully, setup and maintenance do not have to be painful - there are several cloud-based solutions available that are quite easy to configure and maintain. Any network device that does not require after-hours patching windows is bound to be popular with IT folks. Of course, that prompts the question: what if you lose internet access, or worse, your cloud provider goes down? Solutions such as Portnox's RADIUS-as-a-Service include a local RADIUS server that you can download and install easily; it acts as a proxy server that caches authentication requests. That way, even when your users can't get out to the world, they can still access local resources.