For some, the comparison of LDAP versus RADIUS may not make much sense. But, for others, there are instances where the abilities of each protocol overlap — especially when it comes to authenticating various networking devices. As the pandemic nears its end, organizations are opening their doors to welcome employees back into the office and creating hybrid work environments; with that and the emerging question of how end users will access their IT resources in mind, let’s take a look at LDAP versus RADIUS.
LDAP, or Lightweight Directory Access Protocol, is an authentication protocol that facilitates user access to various IT resources (applications, servers, networking equipment, file servers, and more). LDAP is also leveraged as a directory store of information about users, their attributes, and group memberships, among other details. LDAP enables IT administrators to store, access, and modify those attributes, and to use them during the authentication process.
One of the most common LDAP actions is the bind request. Essentially, a bind request is a request from a client (sent on behalf of a user) to authenticate against an LDAP server, which hosts the directory itself — the database of users along with their passwords, attributes, and more.
Ultimately, the purpose of the bind is to gain access to a particular resource — which could be a Linux server, an application (such as Atlassian Jira), an on-prem storage system like a network attached storage (NAS) device, an OpenVPN-based network, or wireless networking gear, among many others.
Common LDAP implementation choices include:
- OpenLDAP — The most widely used open-source LDAP implementation. As an open source solution, downloading the software is free, but setting it up on physical hardware is not. OpenLDAP is extremely flexible and can be used for authentication to many different types of resources, all ultimately over the LDAP protocol. There are many other open-source LDAP servers, including 389 Directory Server, Open Directory, and more.
- Apache Directory Server — An OpenLDAP offshoot with support for Kerberos and additional integrated management tools.
- Active Directory — Active Directory makes use of LDAP for authentication, but it also uses many of Microsoft’s own proprietary authentication protocols with its own implementation of Kerberos being the most significant. It lacks flexibility as compared to open source implementations when it comes to LDAP, but is used widely as the most popular on-prem, legacy directory service.
- LDAP-as-a-Service — This cloud based service from JumpCloud frees IT admins and DevOps engineers from having to set up, configure, and maintain on-prem LDAP servers. It provides authentication to applications, Linux servers, and OpenVPN networks, among other IT resources.
RADIUS, or Remote Authentication Dial-In User Service, is a protocol created to authenticate user identities to networks and networking infrastructure. Like an LDAP server, a RADIUS server can keep its own store of users and attributes, but in practice most RADIUS deployments delegate identity verification to a separate directory service.
The primary use case for RADIUS is to centralize authentications to access networks via WiFi or VPNs as well as to many different types of networking gear. Those devices could include wireless access points, switches, VPNs, routers, and many more.
RADIUS is both a protocol and the server software that implements it. A RADIUS server can store user identities for authentication purposes, but the work of actually performing those authentications is generally delegated to a directory service, primarily because RADIUS isn’t a popular authentication protocol with applications and systems and would thus require another user store.
While RADIUS has the ability to store basic user attributes, like usernames and passwords, many organizations also need other, network-focused attributes in their network authentication environments, such as VLAN placement and “accounting” data (reporting on network activity) — all of which RADIUS supports.
By centralizing authentications, RADIUS eliminates the need for users to remember different credentials for each network resource. This improves the user experience, eases the user provisioning and deprovisioning process, and removes the risk of leaked credentials to central network resources by replacing a shared master login with individual user-based logins (no more shared WiFi or VPN network credentials passed around the user population).
Because RADIUS has been around for over three decades and works with so many different types of equipment, it has cemented its place in IT for another generation. RADIUS is common in environments with many different users and a significant amount of networking gear, like ISPs, college campuses, and enterprise infrastructures. Common implementations of RADIUS — both software and protocol — include:
- FreeRADIUS — The most popular on-prem, self-managed RADIUS implementation on the market. Like OpenLDAP, while the software is free, there are costs associated with actually setting it up (purchasing hardware and funding labor).
- Cisco ISE — ISE is more of a policy engine that dictates network access through various data points. It integrates with Cisco networking gear, which could lead to vendor tie-in.
- Microsoft NPS — NPS, Microsoft’s RADIUS server, integrates tightly with Active Directory. It works best in Windows environments, negating some of the flexibility IT admins get with open-source options.
- RADIUS-as-a-Service — Like LDAP-as-a-Service, this cloud-based RADIUS server frees IT admins and DevOps engineers from on-prem maintenance. It authenticates Windows, Mac, and Linux users to all types of networking infrastructure, including wireless access points, 802.1x switches, VPNs, and more.
LDAP versus RADIUS: Similarities and Differences
Both LDAP and RADIUS are authentication protocols that enable users to access IT resources. Each protocol is available as an open source implementation, and each is standardized in an Internet Engineering Task Force Request for Comments (IETF RFC). Further, each solution has a community surrounding it that provides further development, discussion, and best practices for implementation.
In short, these two protocols were created for different use cases. LDAP was created mainly for authentication to systems and applications. RADIUS, on the other hand, was initially created for low-bandwidth conditions across networks to authenticate dial-up users via modems to remote servers over telephone lines. Now, it is mainly used for authentication to networks and network resources.
LDAP and RADIUS can overlap: LDAP can be leveraged to authenticate users to OpenVPN networks in the same way that RADIUS can, for example. Also, some WiFi networking gear allows LDAP authentication in place of RADIUS. For these purposes, IT admins and DevOps engineers may have a preference based on their environment setup, company processes, or personal experience.
Despite these overlaps, however, one generally cannot replace the other. For example, you may need RADIUS reply attributes to place a given user, or group of users, in the correct VLAN. You cannot do this with LDAP. Similarly, you wouldn’t use RADIUS to authenticate users to Linux servers or share user attributes with an application.
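As an added example (not code from the original article or from JumpCloud), here are the RFC 2868 tunnel attributes a RADIUS server returns to place a user in a VLAN, wrapped in an Access-Accept whose Response Authenticator the switch or access point verifies against the shared secret before honouring the assignment. The shared secret, packet identifier and request authenticator are constructed sample values.

```python
"""RADIUS Access-Accept with VLAN reply attributes (RFC 2865 packet format,
RFC 2868 tunnel attributes). Added example, not the article's or JumpCloud's
code; secret, identifier and request authenticator are constructed values.
"""
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE_802 = 13, 6


def avp(attr_type: int, value: bytes) -> bytes:
    """One attribute: Type, Length (header included), Value; value is 1..253 bytes."""
    if not 1 <= len(value) <= 253:
        raise ValueError("RADIUS attribute value must be 1..253 bytes")
    return bytes([attr_type, len(value) + 2]) + value


def tagged_int(tag: int, value: int) -> bytes:
    """RFC 2868 tagged integer: one tag byte followed by a 3-byte big-endian value."""
    return bytes([tag]) + value.to_bytes(3, "big")


def vlan_reply_attributes(vlan_id: int, tag: int = 0) -> bytes:
    """The three attributes a switch or AP needs to place the session in a VLAN."""
    return (avp(TUNNEL_TYPE, tagged_int(tag, TUNNEL_TYPE_VLAN))
            + avp(TUNNEL_MEDIUM_TYPE, tagged_int(tag, TUNNEL_MEDIUM_IEEE_802))
            + avp(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan_id).encode()))


def response_authenticator(code: int, ident: int, attrs: bytes,
                           request_auth: bytes, secret: bytes) -> bytes:
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), per RFC 2865."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def access_accept(ident: int, request_auth: bytes, secret: bytes, attrs: bytes) -> bytes:
    """Server side: header, Response Authenticator, then the reply attributes."""
    auth = response_authenticator(ACCESS_ACCEPT, ident, attrs, request_auth, secret)
    return struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs)) + auth + attrs


def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """NAS side: the only integrity check on a classic RADIUS/UDP reply, so it
    must pass before the VLAN assignment is applied."""
    if len(packet) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    expected = response_authenticator(code, ident, packet[20:], request_auth, secret)
    return hmac.compare_digest(expected, packet[4:20])
```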
Fortunately, LDAP and RADIUS work well in tandem. That’s why the JumpCloud Directory Platform leverages both protocols so you get the ability to use LDAP and RADIUS — all with no on-prem infrastructure to tend to.
Try JumpCloud Today
JumpCloud integrates both the LDAP and RADIUS protocols into an integrated cloud-based directory that securely manages devices, users, and IT resources. It’s easy to try when you sign up for a JumpCloud free account. Your first 10 users and 10 systems in the platform are free. You’ll also get 10 days of Premium 24×7 in-app chat support.
In order to make sure your evaluation is extensive, you’re free to use the entire breadth of the JumpCloud platform, including LDAP, RADIUS, SAML, multi-factor authentication, MDM, system management, audit logging/governance tools, and a whole lot more. Or, to see it in action, schedule a demo today.