Organizations that leverage Microsoft Active Directory often want to connect their core user identities to their WiFi network. The goal is to enable users to authenticate uniquely to the network in order to increase security. Ideally, the WiFi authentication leverages the backend directory services platform to validate user access. Most often this integration utilizes the RADIUS protocol and a RADIUS server such as FreeRADIUS. Connecting your WiFi network to the directory service is a major security enhancement that all organizations should undertake.
Directory Services Increases Security
With a shift from wired networks to WiFi networks , IT admins are searching for new ways to increase security. What once required on-prem access, can now be accessed from anywhere near the WiFi access point. A hacker can easily compromise the SSID and passphrase with easily available open source tools. As a result, IT admins connect the WiFi access point to the directory service. The directory service houses the core user identities for an organization and as a result is the authoritative authentication service for access. By connecting the WiFi network to the directory, each user must be uniquely authenticated, ensuring that a hacker compromising just the SSID and passphrase does not have enough to log in to the network.
RADIUS and Directory Services
The mechanism by which much of this occurs is through RADIUS. The WiFi access point is pointed to a RADIUS server (commonly FreeRADIUS) and the FreeRADIUS server then connects to the directory service. User credentials are entered into a supplicant that sits on the user’s device. The credentials are passed through the WiFi network to the RADIUS server securely through EAP-TTLS. The credentials are then validated against the directory service. If a user’s credentials pass, the user gains network entry. This process ensures that the user is uniquely authenticated every time they access the network. The user experience is such that the credentials are only entered once into the supplicant making the process seamless. There is no difference to the user between their current experience and the authentication process leveraging RADIUS after configuration.
Modern Cloud-based Directory Services WiFi Authentication
The challenge with this approach is on the IT admin’s side. The admin needs to manage the core directory service, the WiFi access points, and the RADIUS infrastructure. That’s a lot of systems to manage, configure, and integrate together. While many IT admins do it, any problems that arise are theirs to address and fix. Many IT organizations are shifting a great deal of their WiFi authentication infrastructure to a cloud Identity-as-a-Service provider. Among the components that are provided are the core directory service and the RADIUS infrastructure. The directory is a cloud-hosted directory service that enables connection to a wide variety of IT resources including systems, applications, and networks. The RADIUS infrastructure includes the RADIUS server and the connection to the directory service. WiFi endpoints are simply pointed to the cloud-hosted RADIUS endpoints. The benefit of this platform for IT organization is that they don’t need to have Active Directory, FreeRADIUS, or any of the connective integration code to provide WiFi authentication. It is all provided for the organization as a SaaS-based service.
If you would like to learn more about how JumpCloud can be your cloud directory service and WiFi authentication platform, drop us a note. We’d be happy to discuss with you how our platform can help. Alternatively, if you would like to try it for yourself, please sign-up for a free account. Your first 10 users and 10 devices are free.