How Does the RADIUS Protocol Improve Credential Management?


Remote work and hybrid work schemes have changed the way companies need to secure and configure their networks. Digital nomads travel the world and log into the company network to work remotely. Remote workers also split their time between the office and home. This is the new normal! That said, the need to have a secure network is paramount. In this regard, the Remote Authentication Dial-In User Service, or RADIUS, protocol offers you a more secure network.

RADIUS helps you use your self-managed credentials instead of a single sign-on password shared by many. In this article, you’ll learn about the RADIUS protocol and how it can benefit your company.

First, let’s learn what RADIUS is. 

What Is the RADIUS Protocol?

RADIUS is a centralized network protocol that can authenticate users connecting to your network. This protocol primarily aims to check credentials. Then, it either allows or denies access to the network. Before we get into how it works, let’s define its components.

Components of RADIUS

RADIUS consists of 3 main components:

  • Client: a lightweight program that asks you for your credentials and then forwards them to the RADIUS server for validation. 
  • Network Access Server (NAS): a gateway between the user outside and the network. 
  • RADIUS Server: the server that validates credentials. It can also conduct time tracking and assess connection details. 

How Does RADIUS Authentication Work?

The diagram below shows how a user authenticates with a RADIUS server. Let’s walk through the 6 steps of authentication:

  1. User attempts to authenticate with a Network Access Server (NAS)
  2. The NAS requests a username and password from the user
  3. User adds credentials
  4. RADIUS client sends the encrypted credentials to the RADIUS server
  5. RADIUS server provides a response
  6. The client acts on the response, providing or withholding the associated services depending on whether the request was accepted or rejected

Figure: How a user interacts with RADIUS and its components. (Source: Cisco)

Let’s also take a look at the 2 kinds of authentication models RADIUS uses:

1. Password Authentication Protocol (PAP)

The RADIUS client passes the remote user’s credentials to the authentication server. If correct, the server grants the user access to the network. Conversely, if incorrect, the server denies the user access to the network.  

2. Challenge Handshake Authentication Protocol (CHAP)

CHAP is more secure than PAP because it relies on the client and server, which use an encrypted shared secret. The encryption also gives it a leg up over PAP. Additionally, you can set it up to randomly check the credentials. If something changed mid-session at that random check, the user would be disconnected from the network.

With these models in mind, RADIUS also works with Wi-Fi. Let’s consider that next.

How Does RADIUS Work with Wi-Fi? 

The RADIUS protocol can make Wi-Fi more secure by applying the same authentication methods to Wi-Fi connections as it does to network logins. So, instead of the Wi-Fi router checking the credentials itself, the authentication passes to the RADIUS server for validation. In this way, you have a third party doing the authentication to sign into the Wi-Fi. This process allows you to have various login credentials instead of a single password.

The RADIUS protocol has many advantages, but it also has some drawbacks. Let’s check them next.

Pros and Cons of RADIUS Authentication

Here are the top 5 pros and cons of using the RADIUS protocol. 

PROS | CONS
Better security | On-premise set up
No password management: users manage their own credentials | Hard to set up if you already use an on-premise tool like an active directory
Central point for authentication | If not set up correctly, can cause security issues
Secure VPN authentication | Complicated configuration
Uses 802.1X session encryption to protect user sessions | Difficult implementation

Table: Pros and cons of RADIUS authentication.

Final Thoughts

The RADIUS protocol has 3 main components that work together to authenticate users using one of two authentication methods: PAP and CHAP. The authentication methods make RADIUS useful in many diverse business structures. They also offer many benefits to improve how you protect your network. Overall, if your business has remote workers, you should consider RADIUS authentication.

If you have further questions, check out the FAQ and Resources sections below. 

FAQ

What is the main advantage of RADIUS?

The main advantage of using the RADIUS protocol to meet your network authentication needs is that each user sets their own password and manages it. This means less work for a network administrator who would have to manage passwords. Also, no people would have to share a single password. In short, this makes it much easier to prevent bad actors from getting your credentials.

Do I need active directory services if I use RADIUS for credential security?

It depends. Users have individual credentials, secure VPN authentication, and a high level of session encryption. The encryption protects the data traveling back and forth in open remote sessions. You also protect the network by not storing details centrally on an active directory server that’s internet-facing, although you can have a backend active directory service. 

What OSI level does RADIUS operate on?

The RADIUS protocol operates on layer 7 of the Open Systems Interconnection (OSI) Network model. Level 7 is the application layer. This is the human-computer connection level, where applications can access the network and its services. This means any cyber-threats that disrupt your operating system, kernel, or firmware will impact your RADIUS solution. 

Does RADIUS require an active directory on-site server?

You can use one if you move your RADIUS to the cloud. Most times, when companies implement RADIUS, they use the old Active Directory to back-end the credentials database for the RADIUS protocol. You can go serverless with RADIUS, but you’ll need a cloud-based service to replace your server. 

Can RADIUS be used with Azure?

Yes, however, Microsoft has a role called Network Policy Server, which can do the job of a RADIUS server and support the authentication tasks. Azure Active Directory allows you to configure multi-factor authentication for a RADIUS-based system. 

Resources

TechGenix: Article on Azure MFA with RADIUS

Learn how to use Azure MFA with a RADIUS authentication protocol. 

Microsoft: Article on RADIUS Authentication Integration with Azure

Discover how to integrate RADIUS authentication into Azure’s multi-factor authentication server.

TechGenix: Article on How Microsoft’s New SMB Authentication Rate Limiter Improves Security

Find out how Microsoft’s SMB authentication rate limiter improves network security. 

TechGenix: News on MS Exchange Basic Authentication  

Find out when basic authentication on MS Exchange will be turned off. 

TechGenix: Article on Common Network Threats 

Learn about common network threats and how to protect yourself. 
