By Zach DeMeyer Posted June 24, 2019
The RADIUS protocol is a popular way to secure network access among IT admins. If admins were able to leverage two-factor authentication (2FA) when using RADIUS, that security capability would be greatly increased. Are there any options available on the market for IT admins to enable 2FA using RADIUS?
RADIUS and 2FA
Before we dive into 2FA using RADIUS, let’s first cover the concepts of RADIUS and 2FA as a whole.
The Remote Access Dial-In User Service (RADIUS) protocol has been in use since the earliest days of the internet. Originally used in dial-up networks (hence its name), RADIUS works in tandem with an IT organization’s identity provider (IdP) to federate access to network resources. For many organizations in the early days of RADIUS, this IdP was usually a directory service like Microsoft® Active Directory®.
Despite the general shift of networks to wireless access, RADIUS has withstood changes and adapted to be used for securing WiFi networks. Instead of the usual shared WPA credential used to access most wireless networks, RADIUS additionally leverages a username and password that is unique to each user (usually the person’s credentials stored within the IdP if integrated). By doing so, network security is increased due to the need for unique credentials.
With the increase in phishing and other identity attacks in our day and age, authentication that requires a username and password (like RADIUS) can be potentially at risk. Sophisticated social engineering schemes and clever tactics can fool even the most savvy of users. In order to combat this, many organizations have started adding an additional step to these login processes, called two-factor or multi-factor authentication (2FA or MFA).
This additional step often uses something a user has (a time-sensitive token generated on their phone, perhaps) along with something the user knows (their username/password) to ensure that they are who they say they are. By doing so, the concept behind 2FA is akin to that of zero trust security, that is, simply using a username and password does not mean a user can be trusted. By adding a second factor with 2FA, users are given an additional method for proving that they are trusted. As a security tool, 2FA is incredibly effective; Symantec found that 80% of recent identity breaches could have been prevented with the use of 2FA.
Two in Tandem
So, since RADIUS mirrors other logins that require a username and password, it makes sense to add 2FA to the process in order to further lock down network access. With that in mind, we reprise thequestion, what options are out there for enforcing 2FA using RADIUS?
2FA, RADIUS, and a Cloud Directory Service
Unfortunately, not very many RADIUS providers offer the option for adding 2FA. There is, however, a cloud directory service that does.
This cloud directory service, JumpCloud® Directory-as-a-Service®, completely offloads the need for implementing RADIUS and linking it to an IdP. Using a global web of cloud-hosted FreeRADIUS servers, dubbed RADIUS-as-a-Service, JumpCloud automatically links user identities to RADIUS. IT admins can also use JumpCloud’s built-in 2FA service to enforce tighter security on their RADIUS (and VPN) authentication.
Of course, enabling 2FA using RADIUS is only one of the many uses of JumpCloud Directory-as-a-Service. As the world’s first cloud directory service, IT organizations can use JumpCloud to manage their users, as well as their access to systems, networks, email, apps, infrastructure, and more from a single cloud admin console. A JumpCloud user can leverage a single set of credentials, protected by 2FA, to access virtually all of their IT resources, regardless of their platform, protocol, provider, or location.
Try JumpCloud Free
If you are interested in using 2FA to buff your RADIUS security, consider giving Directory-as-a-Service a try. You can sign up for a JumpCloud account absolutely free, with no credit card required, and gain full access to Directory-as-a-Service with ten complementary users in the product, usable forever.