By Jon Griffin Posted June 8, 2017
WiFi networks have emerged as the standard for internal IT networks. The challenge for most organizations is how to secure those WiFi networks. One solution for this challenge is leveraging the RADIUS protocol to help lock down a WiFi network. Now, the cloud IAM feature virtual RADIUS is making this approach to identity security even easier.
Historically, networks have been wired, so locking down security was in some senses easier. A hacker would often have to physically be within the office to break into the network. Interestingly, even with wired networks a standard called 802.1x emerged to help lock down each port within a wired network. Effectively, the use of RADIUS is leveraging the same protocols to lock down the WiFi network.
The challenge with WiFi is that the signal permeates the world outside of the office. It is very difficult for IT admins to contain the signal inside of the building. As a result, a hacker could be in the building next door, the parking lot, or even in the lobby of the office space and see the signal. An additional risk is that many times the SSID is public and the passphrase is shared amongst the staff and may even be written down in numerous places. This means that changes in personnel would require a change in the passphrase, increasing the hassle factor for employees and IT admins alike.
The solution to this problem is to make logins to the WiFi network unique and backed by the user’s credentials within the core directory service. This is where RADIUS comes in. A FreeRADIUS server is often the conduit between the WiFi network and a directory service such as Microsoft Active Directory®. The challenge with this approach is that IT admins need to integrate everything together. The user’s endpoint needs to take the same protocol of RADIUS as the wireless access point and FreeRADIUS server. The WAP needs to be connected to the FreeRADIUS server, and then FreeRADIUS needs to integrate with the directory service. This integration ends up being difficult with a number of moving parts and, of course, the more moving parts, the more brittle it becomes.
As the identity management world has shifted to cloud identity management, one of the interesting areas of the cloud IAM world has been to enable a virtual RADIUS feature (also called Hosted RADIUS). This approach moves the on-prem FreeRADIUS server to the cloud, and allows it to be managed by the SaaS identity management provider. By doing this, the cloud RADIUS service takes the heavy lifting off of the IT organization’s plate. The integration between the SaaS RADIUS solution and the on-board cloud directory is seamless. On top of that, the WAP can simply be pointed to the RADIUS server in the cloud, and the endpoint doesn’t need any new software because the platform supports the PEAP authentication protocol.
With virtual RADIUS, not only does the IT organization increase the security of their WiFi network, they also get to off-load the infrastructure around the RADIUS server and the directory service. All of the responsibilities of security, networking, backups, and availability gets put on the third party provider. The cloud RADIUS service is also scalable, meaning that IT can purchase what they need at all times.
Learn More About Virtual RADIUS
If you would like to learn more about the benefit of the cloud IAM feature virtual RADIUS, drop us a note. Or, sign-up for a free Directory-as-a-Service account and check out our virtual RADIUS functionality. Your first 10 users are free forever.