Adding MFA To RADIUS Backed VPNs

By Vince Lujan Posted June 18, 2019

Adding MFA to RADIUS-backed VPNs is perhaps the best way to secure user access to remote networks. The RADIUS protocol is already quite adept at securing network access, but add in the extra layers of authentication and encryption with MFA and VPN, and it’s hard to beat.

Of course, the challenge with solutions such as these usually resides in setting it all up. Most of these components are traditionally on-prem, and layering multiple security and IAM solutions on top of each other in a legacy environment can be very complex and difficult to manage.

Fortunately, the cloud has enabled developers, ops personnel, and IT admins to reimagine legacy innovations to the point we are at today in which many traditional solutions can be delivered as a service. Specifically, let’s take a closer look at the advantages of adding MFA to a RADIUS-backed VPN in the cloud.

A Glimpse of the Past

To truly appreciate the benefits of the “as-a-Service” model in any situation, it takes an understanding of legacy environments. With respect to adding MFA to RADIUS-backed VPNs, as previously noted, solutions such as these have historically been on-prem and challenging to implement and maintain.

In order to implement this type of setup in a legacy environment, IT admins and DevOps engineers have historically required a legacy identity provider (IdP) such as Microsoft® Active Directory® (AD). AD required on-prem Windows server infrastructure to operate—and MFA, RADIUS, and VPN were typically separate add-ons to this on-prem implementation.

Layering add-on solutions on top of a legacy IdP presents a number of challenges for IT admins and DevOps engineers. They all basically require dedicated servers, integrations, security and availability infrastructure, and more personnel to keep the engine running, so to speak. Additionally, AD in particular is highly focused on Windows-based environments.

The “as-a-Service” model effectively shifts all of that to a third-party service provider and is generally more holistic with regard to support for disparate IT resources, which is why the cloud services market is booming. At any rate, once it’s all set up, how does it work?

MFA, RADIUS, and VPN in a Nutshell

Essentially, MFA, RADIUS, and VPNs are all user authentication mechanisms aimed at enhancing network security. Working in harmony, they can create a very strong authentication and security workflow—but let’s break down some of their individual characteristics.

Remote Authentication Dial-In User Service

RADIUS is a network access protocol, generally used to authenticate users to network infrastructure and equipment. Essentially, the RADIUS server can be configured to authenticate user credentials against a core IdP, such as AD in traditional environments or a cloud directory in modern instances. The latter ensures that IT admins can manage user credentials from a centralized location and that individual user identities are secure wherever the users may be (remote or on-prem). RADIUS is particularly powerful with WiFi and VPN networks.

Multi-Factor Authentication

MFA basically means that you need more than just your core username and password to authenticate and gain access to an IT resource, in this case a network, via the RADIUS protocol. In practice, a user submits their core username and password in addition to a secure MFA token (such as a numerical code from the Google Authenticator app). With respect to RADIUS, that means adding an extra step to the authentication workflow previously described. As a result, the authentication workflow remains secure even in the event that the core user identity (the username and password) has been compromised.
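The two sections above describe the workflow but not what actually happens on the wire and at the RADIUS server. The following is an added example (not JumpCloud's code and not from the original post) that models it end to end: the VPN concentrator, acting as RADIUS client, hides the password with the RFC 2865 PAP construction and sends it with the user's one-time code; the RADIUS server reveals the password, checks it against a directory, and then requires a valid RFC 6238 TOTP code before answering Access-Accept. The directory, the user `alice`, the shared secret and the clock value are constructed sample data; the TOTP seed is the RFC 6238 test-vector seed so the codes can be checked against the RFC. Passing the code as a separate value, rather than appended to the password, is an assumption of this example.

```python
"""Hypothetical RADIUS-with-MFA decision (added example, not JumpCloud code).
PAP password hiding follows RFC 2865 section 5.2; HOTP/TOTP follow RFC 4226/6238.
Directory, user, shared secret and clock values are constructed sample data."""
import hashlib
import hmac
import os
import struct

# Constructed sample directory: the "core IdP" the RADIUS server consults.
# The seed is the RFC 6238 test-vector seed (ASCII "12345678901234567890").
DIRECTORY = {
    "alice": {"password": "correct horse battery staple",
              "totp_seed": b"12345678901234567890"},
}


def hide_pap_password(password: str, secret: bytes, request_authenticator: bytes) -> bytes:
    """RFC 2865 s5.2: pad to 16-byte blocks, XOR each block with MD5(secret + previous block)."""
    plain = password.encode()
    plain += b"\x00" * (-len(plain) % 16)
    out, prev = b"", request_authenticator
    for i in range(0, len(plain), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(plain[i:i + 16], key))
        out, prev = out + block, block
    return out


def reveal_pap_password(hidden: bytes, secret: bytes, request_authenticator: bytes) -> str:
    """Inverse of hide_pap_password, as performed by the RADIUS server."""
    out, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out, prev = out + bytes(c ^ k for c, k in zip(block, key)), block
    return out.rstrip(b"\x00").decode()


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the clock."""
    return hotp(seed, unix_time // step, digits)


def verify_totp(seed: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    """Accept the current step and +/- `window` steps for clock skew; constant-time compare."""
    for drift in range(-window, window + 1):
        if hmac.compare_digest(totp(seed, max(0, unix_time + 30 * drift)), code):
            return True
    return False


def radius_server_decision(username: str, hidden_password: bytes, request_authenticator: bytes,
                           totp_code: str, shared_secret: bytes, unix_time: int) -> str:
    """Return the RADIUS reply type. Both factors must pass to get Access-Accept.
    Assumption: the one-time code arrives as a separate value (some deployments
    append it to the password instead, which changes only the parsing step)."""
    user = DIRECTORY.get(username)
    if user is None:
        return "Access-Reject"
    password = reveal_pap_password(hidden_password, shared_secret, request_authenticator)
    if not hmac.compare_digest(password.encode(), user["password"].encode()):
        return "Access-Reject"
    if not verify_totp(user["totp_seed"], totp_code, unix_time):
        return "Access-Reject"  # a correct (possibly stolen) password alone is not enough
    return "Access-Accept"


def simulate_vpn_login(username: str, password: str, totp_code: str,
                       shared_secret: bytes = b"constructed-shared-secret",
                       unix_time: int = 59) -> str:
    """RADIUS client side: fresh Request Authenticator, hidden password, both factors sent."""
    request_authenticator = os.urandom(16)
    hidden = hide_pap_password(password, shared_secret, request_authenticator)
    return radius_server_decision(username, hidden, request_authenticator,
                                  totp_code, shared_secret, unix_time)


if __name__ == "__main__":
    code = totp(DIRECTORY["alice"]["totp_seed"], 59)  # RFC 6238 vector: "287082"
    print(simulate_vpn_login("alice", "correct horse battery staple", code))      # Access-Accept
    print(simulate_vpn_login("alice", "correct horse battery staple", "000000"))  # Access-Reject
    print(simulate_vpn_login("alice", "wrong password", code))                    # Access-Reject
```

The third call in the `__main__` block is the case the post's MFA section is about: a correct password presented without a valid code is rejected, so a leaked password on its own does not open the VPN. The PAP hiding step also shows why the layering matters: it protects the password between VPN concentrator and RADIUS server only as well as the shared secret is kept, which is one reason a second factor and an encrypted tunnel are worth adding on top of RADIUS rather than relying on it alone.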

Virtual Private Network

A VPN essentially creates an encrypted tunnel that enables users to access remote resources. For example, I am writing this blog post from a local café, but I am still able to securely connect to the IT resources that I have been provisioned from this remote location. With respect to RADIUS and MFA, I used both to authenticate and gain access to my VPN. In effect, a bad actor would theoretically be unable to view any of my network traffic, or to log in using my VPN credentials should they be compromised. I can rest assured that my company’s critical resources are not at risk.

Adding MFA to RADIUS-Backed VPNs: The Easy Way

As you can see, RADIUS, MFA, and VPN all enhance network security in their own way, and each of them can directly complement one another. The challenge is, of course, setting it all up—especially in a legacy environment. However, that’s where the “as-a-Service” model really shines. The Directory-as-a-Service® platform, for example, enables IT admins and DevOps engineers to add MFA to a RADIUS-backed VPN without anything on-prem and with the added convenience of a cloud-based solution.

As a result, IT admins and DevOps engineers can simply point their VPNs to authenticate through the JumpCloud RADIUS service, avoiding any on-prem infrastructure while still gaining the identity management control that they need over their VPNs. You can demo this functionality for yourself by signing up for a free JumpCloud account. In fact, the full functionality of the Directory-as-a-Service platform—including MFA, RADIUS, VPN, and a lot more—is free for up to 10 users. Contact JumpCloud if you have any questions.

Vince Lujan

Vince is a writer and videographer at JumpCloud. Originally from a small village just outside of Albuquerque, he now calls Boulder home. When Vince is not developing content for JumpCloud, he can usually be found doing creek stuff.