Organizations that leverage Microsoft Active Directory (AD) have a growing need to connect their core user identities to their WiFi network(s) as securely as possible. This can be done by enabling users to authenticate uniquely to the network rather than via a shared SSID and passphrase. This method of WiFi authentication leverages the backend directory services platform to validate user access using the RADIUS protocol and a RADIUS server.
This article will dive into a few related topics including network access security, an explanation of RADIUS, Microsoft’s version of RADIUS, integrating Active Directory and RADIUS, and a modern directory solution with native RADIUS capabilities.
Network Access Security
WiFi networks are typically secured with a single, shared SSID and passphrase, but this approach has proven to be both insecure and inefficient when it comes to providing access to your organization’s wireless network.
If your shared SSID or passphrase is complex, there’s a good chance of it regularly being written down or shared on whiteboards. Both of these scenarios present an opportunity for anybody who has access to your building to see them. In some cases, the WiFi signal reaches the building next door, the parking lot, or the sidewalk. So, when a person obtains the SSID or passphrase, they don’t even have to be in the office to gain access to the organization’s network.
Besides security risks, securing WiFi networks in this way is also inefficient. When people join and leave the organization, the passphrase has to be rotated each time, and this adds overhead and frustration both to admins and to existing employees just looking to do their jobs.
The solution to this WiFi security problem is to uniquely authenticate user access to the network. This both eliminates the need for a shared passphrase and ensures that IT won’t have to reset the password every time an employee leaves the organization.
Syncing AD with WiFi Networks Through RADIUS
This unique authentication strategy can be achieved through the use of the RADIUS protocol, which improves WiFi security and can be delivered and implemented in a variety of ways.
What Is RADIUS?
RADIUS is a network authentication protocol. Used for WiFi, it requires each user to present a unique set of credentials instead of a shared WPA key. With a RADIUS server in place, users can silently authenticate against AD, so network access is tied to an individual directory identity.
Leveraging RADIUS infrastructure, however, requires intense technical integration and configuration to run properly. The RADIUS servers themselves need to be set up, and wireless access points need to be directed to route authentications through the RADIUS server. Then, the RADIUS server needs to be integrated with the on-prem Active Directory infrastructure in order to validate end user credentials before WiFi access is granted.
Beyond that, the RADIUS infrastructure needs to be constantly maintained to ensure proper operation, and often requires redundancy to avoid mishaps. This work is tedious and costly, and it introduces many moving parts, which all have the capability to fail.
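To make the access point's role described above concrete, the following added example (not code from this article or from any vendor) builds the RADIUS Access-Request an access point forwards when a user begins authenticating, then shows the server-side integrity check on it. Attribute numbers follow RFC 2865 and RFC 3579; the shared secret, user identity, and NAS identifier passed in are constructed values.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
USER_NAME, NAS_IDENTIFIER, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 32, 79, 80

def attr(attr_type, value):
    """Encode one RADIUS attribute as type, length (header included), value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_access_request(secret, packet_id, identity, nas_id):
    """What the access point sends when a user starts 802.1X authentication."""
    ident = identity.encode()
    # EAP-Response/Identity: code 2, id 1, length, type 1, identity bytes.
    eap = struct.pack("!BBHB", 2, 1, 5 + len(ident), 1) + ident
    attrs = (attr(USER_NAME, ident) + attr(NAS_IDENTIFIER, nas_id.encode())
             + attr(EAP_MESSAGE, eap) + attr(MESSAGE_AUTHENTICATOR, bytes(16)))
    packet = struct.pack("!BBH", ACCESS_REQUEST, packet_id, 20 + len(attrs))
    packet += os.urandom(16) + attrs          # 16-byte Request Authenticator
    # HMAC-MD5 over the packet with the Message-Authenticator value zeroed.
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac                 # attribute is last in this packet

def verify_access_request(secret, packet):
    """Server side: return the User-Name, or None if the packet must be dropped."""
    if len(packet) < 20 or packet[0] != ACCESS_REQUEST:
        return None
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        return None
    packet = packet[:length]
    pos, user, mac_at = 20, None, None
    while pos + 2 <= length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            return None                        # malformed attribute
        if attr_type == USER_NAME:
            user = packet[pos + 2:pos + attr_len].decode(errors="replace")
        elif attr_type == MESSAGE_AUTHENTICATOR and attr_len == 18:
            mac_at = pos + 2
        pos += attr_len
    if mac_at is None or pos != length:
        return None                            # unsigned or trailing garbage
    zeroed = packet[:mac_at] + bytes(16) + packet[mac_at + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    ok = hmac.compare_digest(expected, packet[mac_at:mac_at + 16])
    return user if ok else None
```

The secret here is the one shared between each access point and the RADIUS server, which is separate from any user's directory credentials; a server that accepts requests failing this check lets any host on the network pose as an access point.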
Microsoft’s Version of RADIUS
To streamline some of this process, Microsoft created their own version of a RADIUS server, called Network Policy Server (NPS). While effective for connecting Windows systems to WiFi through AD, NPS and other similar RADIUS implementations such as FreeRADIUS present a couple of major issues to IT organizations.
First and foremost, by implementing these types of RADIUS servers, IT organizations further entrench their infrastructure on-prem. In an era where much of an organization’s infrastructure can be leveraged from the cloud, keeping infrastructure on-prem leads to an outdated IT environment that’s harder to integrate with new, modern infrastructure. Plus, keeping and adding infrastructure on-prem means significant implementation hassles in terms of setting up and maintaining servers. Beyond that, RADIUS add-on implementations rack up overhead costs, creating a drain on IT budgets.
“Active Directory as-a-Service” and RADIUS
All of this is to say that IT admins aren’t excited about purchasing, storing, and maintaining on-prem infrastructure. Even Microsoft Active Directory is becoming less and less desirable for IT organizations because of its substantial on-prem footprint. Instead, IT admins are looking for a cloud-hosted solution such as a modern identity provider that includes RADIUS authentication capabilities. IT organizations think of this approach as an “Active Directory as-a-service” implementation with RADIUS authentication included.
Of course, IT admins realize that there isn’t such a thing as Active Directory as-a-service, which makes this a much more difficult problem to solve. There are hosted Active Directory instances, but those aren’t offered as SaaS-based services. And the cloud identity management solution from Microsoft, Azure Active Directory, isn’t a cloud directory service, but rather a complement to AD.
Modern Cloud-Based Directory Services WiFi Authentication
The good news is that there is a Directory-as-a-Service, a core identity provider that includes native Cloud RADIUS authentication capabilities: the JumpCloud Directory Platform. With JumpCloud, you get the security benefits that RADIUS offers without having to deal with the hassle. JumpCloud manages the security, availability, and uptime of the RADIUS infrastructure.
JumpCloud can extend or replace AD, depending on your organization’s goals, which allows you to use JumpCloud’s RADIUS capabilities across your users whether they remain in AD or not.
On top of that, with JumpCloud’s open directory, each user’s credentials can be used to securely access resources other than just WiFi. They can also be used to authenticate to Linux, Mac, and Windows systems, on-prem and remote servers in AWS and GCP, LDAP and SAML-based applications, and virtual and physical file storage. With JumpCloud, IT significantly enhances not only WiFi access security, but also the security of the organization’s overall IT infrastructure.
JumpCloud, Active Directory, and RADIUS
Learn more about how JumpCloud and Cloud RADIUS fit into your IT environment, whether you’re looking to extend or replace Active Directory. You can do so by trying out JumpCloud’s entire platform for free, up to 10 users and 10 devices, with no commitment. You can also get in contact with us to speak to an expert, or request a demo of our platform.