For some out there, the comparison of LDAP versus RADIUS may not make much sense. But, for others, there are examples where there is some overlap between the abilities of each protocol—especially when it comes to network authentication. With that in mind, let’s take a look at LDAP versus RADIUS.
LDAP, or the Lightweight Directory Access Protocol, can be described as both a software solution and a protocol. An LDAP server hosts a directory: a store of information about users, their attributes, and their group memberships, among other details, and that store is the software aspect of LDAP. Common attributes include usernames, passwords (ideally stored as salted hashes in the userPassword attribute rather than in clear text), email addresses, phone numbers, and so on. Group membership lets a collection of users be granted the same access rights or be treated as a single unit, which is simpler than managing each user individually.
The protocol aspect of LDAP covers accessing those attributes and verifying or modifying them. Interaction with an LDAP server follows a client/server model: the client sends requests over the LDAP protocol that name the operation it wants the server to perform on the directory (bind, search, compare, add, modify, delete, and so on).
One of the most common operations is the bind request. A bind is a request from a client (sent on behalf of a user) to authenticate to the LDAP server; in practice it is the step that grants access to a particular resource, which could be a Linux® server, an application such as Atlassian® Jira®, an on-prem storage system like a network attached storage (NAS) device, an OpenVPN network, or some wireless networking gear. Two caveats for anyone wiring this up: a simple bind sends the password in clear text, so the connection must be wrapped in TLS (LDAPS, or StartTLS on the standard port), and a bind that names a DN but carries an empty password is an "unauthenticated" bind (RFC 4513), which some servers (Active Directory by default) answer with success, so an application must reject an empty password itself rather than trusting the bind result alone. It should be noted that LDAP is most commonly used for authentication to technical applications leveraged by the technical community. Its flexibility and the availability of open source implementations fit in well with engineers, developers, operations personnel, and more.
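The bind operation described above, encoded by hand so the wire format is visible. This is an added example, not code from the article or from any of the LDAP servers listed below, and it uses only the Python standard library: the DN cn=alice,ou=users,dc=example,dc=com, the password s3cret and the two BindResponse packets are constructed for illustration.

```python
"""
Added example (not from the original article): hand-encode an LDAPv3 simple
BindRequest and decode a BindResponse, following the ASN.1 in RFC 4511 and
BER encoding, to show what actually crosses the wire when a client binds.
The DN, password and response bytes below are constructed for illustration.
"""

# BER tags used by LDAPMessage / BindRequest / BindResponse (RFC 4511, sections 4.1-4.2)
TAG_INTEGER = 0x02
TAG_OCTET_STRING = 0x04
TAG_ENUMERATED = 0x0A
TAG_SEQUENCE = 0x30
TAG_BIND_REQUEST = 0x60   # [APPLICATION 0], constructed
TAG_BIND_RESPONSE = 0x61  # [APPLICATION 1], constructed
TAG_SIMPLE_AUTH = 0x80    # [0] primitive: AuthenticationChoice "simple"

RESULT_NAMES = {0: "success", 49: "invalidCredentials", 53: "unwillingToPerform"}


def ber_len(n: int) -> bytes:
    """BER length: one byte below 128, else 0x80|count followed by the big-endian length."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(content)) + content


def ber_int(value: int, tag: int = TAG_INTEGER) -> bytes:
    """Minimal two's-complement INTEGER/ENUMERATED (non-negative values only)."""
    return tlv(tag, value.to_bytes(value.bit_length() // 8 + 1, "big", signed=True))


def encode_simple_bind(message_id: int, dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest { version 3, name, simple password } }."""
    bind = (ber_int(3)
            + tlv(TAG_OCTET_STRING, dn.encode())
            + tlv(TAG_SIMPLE_AUTH, password.encode()))
    return tlv(TAG_SEQUENCE, ber_int(message_id) + tlv(TAG_BIND_REQUEST, bind))


def read_tlv(buf: bytes, pos: int):
    """Return (tag, content, position after the element) for the TLV at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def decode_bind_response(buf: bytes) -> dict:
    """Parse LDAPMessage { messageID, BindResponse { resultCode, matchedDN, diagnosticMessage } }."""
    tag, msg, _ = read_tlv(buf, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = read_tlv(msg, 0)
    tag, body, _ = read_tlv(msg, pos)
    if tag != TAG_BIND_RESPONSE:
        raise ValueError("not a BindResponse")
    tag, code, pos = read_tlv(body, 0)
    if tag != TAG_ENUMERATED:
        raise ValueError("resultCode must be ENUMERATED")
    _, matched_dn, pos = read_tlv(body, pos)
    _, diag, _ = read_tlv(body, pos)
    result = int.from_bytes(code, "big", signed=True)
    return {"messageID": int.from_bytes(mid, "big", signed=True),
            "resultCode": result, "result": RESULT_NAMES.get(result, "other"),
            "matchedDN": matched_dn.decode(), "diagnosticMessage": diag.decode()}


def password_visible(wire: bytes, password: str) -> bool:
    """A simple bind carries the password as a plain OCTET STRING. Anyone on the
    path can read it unless the session is wrapped in TLS (LDAPS or StartTLS)."""
    return password.encode() in wire


# Constructed sample exchange: the client binds as alice on message 1 and the
# server answers that message with either success (0) or invalidCredentials (49).
REQUEST = encode_simple_bind(1, "cn=alice,ou=users,dc=example,dc=com", "s3cret")
RESPONSE_OK = bytes.fromhex("300c020101" "6107" "0a0100" "0400" "0400")    # resultCode 0
RESPONSE_FAIL = bytes.fromhex("300c020101" "6107" "0a0131" "0400" "0400")  # resultCode 49

if __name__ == "__main__":
    print("BindRequest :", REQUEST.hex())
    print("password on the wire:", password_visible(REQUEST, "s3cret"))
    print("BindResponse:", decode_bind_response(RESPONSE_FAIL))
```

Run it and the hex dump shows the password as readable bytes inside the BindRequest, which is why simple binds belong inside TLS. On the decode side, resultCode is the only thing an application should key on, and a success returned for a bind with an empty password must be treated as anonymous rather than as proof of identity.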
Common Implementations of LDAP (both the software and protocol) include:
- OpenLDAP™ – The most widely used open source LDAP implementation. As open source software it is free to download, but setting it up and running it on your own hardware is not. OpenLDAP is extremely flexible and can be used for authentication to many different types of resources, all via the LDAP protocol. Other open source LDAP servers include 389 Directory Server, OpenDJ, and more.
- Apache Directory Server – The Apache Software Foundation's LDAP server, written in Java and developed independently of OpenLDAP (it is not an offshoot of it), which ships with a Kerberos server alongside LDAP.
- Active Directory® – Active Directory uses LDAP for directory access and authentication, alongside Kerberos (its primary authentication protocol, with Microsoft extensions) and the older, Microsoft-specific NTLM protocols. Its LDAP implementation lacks flexibility compared to the open source servers when it comes to schema and configuration.
- LDAP-as-a-Service – this cloud based service from JumpCloud® frees IT admins and DevOps engineers from having to set up, configure, and maintain on-prem LDAP servers. Provides authentication to applications, Linux servers, and OpenVPN networks among other IT resources.
RADIUS, or the Remote Authentication Dial-In User Service, is a tool created to authenticate user identities to networking infrastructure, generally by checking them against a directory (e.g. OpenLDAP, Active Directory). Like LDAP, RADIUS serves as both a piece of software and a protocol; the protocol runs over UDP, conventionally on port 1812 for authentication and 1813 for accounting.
In practice that means a RADIUS server can hold user identities itself for authentication purposes, but the work of actually verifying credentials is usually delegated to a directory service. RADIUS is not a popular authentication protocol with applications and systems, so those need a user store of their own anyway, and keeping a single identity provider makes more sense than maintaining two. While RADIUS can store basic user attributes such as the username and password, its other attributes are focused on the networking side: VLAN placement, session limits, and "accounting," which is essentially a record of who logged in, when, and for how long.
The primary use case for RADIUS is to centralize authentication for many different types of networking gear: wireless access points, switches, VPN concentrators, routers, and many more. Essentially, RADIUS is a way to secure your networks by authenticating users with their own individual credentials: no more shared network credentials written on a whiteboard, as so often happens with WiFi or VPN access. One caveat: each network device (the RADIUS client, or NAS) and the server authenticate their traffic to each other with a shared secret, so that secret must be strong and unique per device, and the exchange should run over RADIUS/TLS (RadSec, RFC 6614) or at least a trusted management network, because the base protocol offers only MD5-based protection.
Because RADIUS has been around for over two decades and works with so many different types of equipment, it has cemented its place in IT for another generation. You’ll commonly see RADIUS used in different situations from ISPs and college campuses to enterprise infrastructure where there are many different users and a significant amount of networking gear.
If each user had to keep separate login details for every WiFi network, switch, or VPN, that would clearly be a poor user experience, and if a sysadmin had to create user accounts on each piece of networking equipment, it would be far too time consuming. RADIUS removes that problem by centralizing the authentication process: users have one set of credentials for a multitude of networks, networking gear, and infrastructure, while DevOps personnel point all of their networking equipment at the central RADIUS server, saving significant time.
Common implementations of RADIUS – both server and protocol – include:
- FreeRADIUS – The most popular on-prem, self-managed RADIUS implementation on the market. Like OpenLDAP, while the software is free, the costs associated with actually setting it up (purchasing hardware, labor, etc.) and managing it are not.
- Cisco® ISE – More of a policy engine that dictates network access based on various data points (identity, device posture, location). Integrates tightly with Cisco networking gear, which can lead to vendor lock-in.
- Microsoft NPS – Microsoft's RADIUS server, which integrates tightly with Active Directory. It works best in Windows® environments, at the cost of some of the flexibility IT admins get with open source options.
- RADIUS-as-a-Service – Like LDAP-as-a-Service, this cloud-based RADIUS server frees IT admins and DevOps engineers from on-prem maintenance chores. Authenticates users of Windows, Mac, and Linux machines to all types of networking infrastructure including wireless access points, 802.1X switches, VPNs, and more.
LDAP versus RADIUS: Similarities and Differences
Both LDAP and RADIUS are protocols used to authenticate users to IT resources (strictly speaking, LDAP is a directory access protocol that is pressed into service for authentication through its bind operation). Each is available as an open source implementation, and each is standardized by the Internet Engineering Task Force in a Request for Comments (IETF RFC): LDAPv3 in RFC 4511 (the protocol) and RFC 4513 (authentication methods), and RADIUS in RFC 2865 (authentication) and RFC 2866 (accounting). Further, each has a community around it that provides further development, discussion, and best practices for implementation.
In short, these two protocols were created for different use cases. LDAP was created mainly for authentication to systems and applications. RADIUS, on the other hand, was initially created for low-bandwidth conditions across networks: it was designed to authenticate dial-up users connecting via modems over telephone lines to remote access servers. But there is some overlap.
LDAP can be leveraged to authenticate users to OpenVPN networks in the same way that RADIUS can. Also, some WiFi networking gear allows LDAP authentication in place of RADIUS. For these purposes, IT admins and DevOps engineers may have a preference due to personal history or inclination.
Depending on additional needs, however, one generally cannot replace the other. For example, you may need RADIUS reply attributes to place a given user, or group of users, in the correct virtual local area network (VLAN): the server returns Tunnel-Type, Tunnel-Medium-Type, and Tunnel-Private-Group-ID attributes in the Access-Accept, and the switch or access point acts on them. LDAP can store a VLAN number as a user attribute, but a switch authenticating a port has no LDAP-based mechanism for receiving it; that delivery path is RADIUS. Similarly, you would not normally use RADIUS to authenticate users to Linux servers or to share attributes about a user with an application.
Thankfully, you don't have to choose one or the other. Each has its own unique attributes and areas of strength. That's why the JumpCloud® Directory-as-a-Service® platform leverages both protocols so you get the ability to use LDAP and RADIUS, all with no on-prem infrastructure to tend to.
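The RADIUS exchange the preceding paragraphs describe, worked through in code: the NAS hides the user's password with the shared secret, the server checks the credentials against a directory (the earlier point that RADIUS delegates the actual verification), and on success answers with the tunnel attributes that place the user in a VLAN. This is an added example, not the article's own code and not FreeRADIUS or any other server; the shared secret testing123, the users alice and bob, the VLAN ids 20 and 30, and the in-memory DIRECTORY dict that stands in for the LDAP or Active Directory lookup are all constructed for illustration.

```python
"""
Added example (not from the original article): a minimal RADIUS Access-Request /
Access-Accept exchange per RFC 2865, with User-Password hiding, the Response
Authenticator check a NAS must perform, and the RFC 2868 / RFC 3580 tunnel
attributes that put a user in a VLAN. Secret, users and VLAN ids are constructed.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
VLAN, IEEE_802 = 13, 6   # Tunnel-Type=VLAN, Tunnel-Medium-Type=IEEE-802 (RFC 3580)

# Constructed user store: username -> (password, VLAN id). Stands in for the
# directory (LDAP / AD) a real RADIUS server would delegate the lookup to.
DIRECTORY = {"alice": ("s3cret", "20"), "bob": ("hunter2", "30")}

def attr(atype: int, value: bytes) -> bytes:
    if len(value) > 253:                 # Type(1) + Length(1) + value must fit in 255
        raise ValueError("attribute value too long")
    return bytes([atype, len(value) + 2]) + value

def tagged(atype: int, value: bytes, tag: int = 0) -> bytes:
    """RFC 2868 tunnel attributes carry a leading tag octet (0 = untagged)."""
    return attr(atype, bytes([tag]) + value)

def parse_attrs(raw: bytes) -> list:
    out, pos = [], 0
    while pos < len(raw):
        atype, alen = raw[pos], raw[pos + 1]
        if alen < 2 or pos + alen > len(raw):
            raise ValueError("malformed attribute")
        out.append((atype, raw[pos + 2:pos + alen]))
        pos += alen
    return out

def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16 bytes, XOR each block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = bytes(p ^ b for p, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += block
        prev = block
    return out

def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        out += bytes(c ^ b for c, b in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs

def response_authenticator(code, ident, attrs, request_auth, secret) -> bytes:
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def build_access_request(ident, username, password, secret, request_auth=None) -> bytes:
    request_auth = request_auth or os.urandom(16)   # must be unpredictable per request
    attrs = (attr(USER_NAME, username.encode())
             + attr(USER_PASSWORD, hide_password(password.encode(), secret, request_auth)))
    return packet(ACCESS_REQUEST, ident, request_auth, attrs)

def radius_server(request: bytes, secret: bytes) -> bytes:
    """Look the user up in DIRECTORY; Accept with VLAN attributes, or Reject."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    request_auth, attrs = request[4:20], dict(parse_attrs(request[20:length]))
    password = reveal_password(attrs[USER_PASSWORD], secret, request_auth)
    entry = DIRECTORY.get(attrs[USER_NAME].decode())
    if entry and hmac.compare_digest(entry[0].encode(), password):
        code, reply = ACCESS_ACCEPT, (tagged(TUNNEL_TYPE, VLAN.to_bytes(3, "big"))
                                      + tagged(TUNNEL_MEDIUM_TYPE, IEEE_802.to_bytes(3, "big"))
                                      + tagged(TUNNEL_PRIVATE_GROUP_ID, entry[1].encode()))
    else:
        code, reply = ACCESS_REJECT, b""
    return packet(code, ident, response_authenticator(code, ident, reply, request_auth, secret), reply)

def verify_response(response: bytes, request_auth: bytes, secret: bytes) -> bool:
    """NAS-side check: a reply whose authenticator does not match must be dropped."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    expected = response_authenticator(code, ident, response[20:length], request_auth, secret)
    return hmac.compare_digest(expected, response[4:20])

def vlan_from_accept(response: bytes):
    """VLAN id from an Access-Accept's tunnel attributes (RFC 3580), else None."""
    code, _, length = struct.unpack("!BBH", response[:4])
    a = dict(parse_attrs(response[20:length])) if code == ACCESS_ACCEPT else {}
    tunnel_ok = (a.get(TUNNEL_TYPE, b"")[1:] == VLAN.to_bytes(3, "big")
                 and a.get(TUNNEL_MEDIUM_TYPE, b"")[1:] == IEEE_802.to_bytes(3, "big"))
    gid = a.get(TUNNEL_PRIVATE_GROUP_ID, b"")
    if gid and gid[0] <= 0x1F:      # RFC 2868: a leading octet <= 0x1F is a tag, not data
        gid = gid[1:]
    return gid.decode() if tunnel_ok and gid else None
```

Call build_access_request(...) for the NAS side, radius_server(...) for the server side, and verify_response(...) before trusting the reply: an Access-Accept whose Response Authenticator does not check out, or that was produced with the wrong secret, is discarded, and only then is vlan_from_accept(...) consulted. Note that User-Password hiding is an MD5 keystream derived from the shared secret, not encryption, so anyone who knows or guesses the secret recovers the password; that is the reason to prefer RadSec, or EAP methods such as EAP-TLS where no password crosses the wire at all.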
Try JumpCloud Today
In the decision between LDAP versus RADIUS you can choose both when you sign up for a free JumpCloud account. Plus, your first 10 users and 10 systems in the platform are free forever.
In order to make sure your evaluation is extensive, you’re free to use the entire breadth of the platform including LDAP, RADIUS, SAML, multi-factor authentication, MDM, system management, audit logging / governance tools, and a whole lot more. Or, just to see it in action, schedule a demo today.