By Ryan Squires Posted August 12, 2019
For some out there, the comparison of LDAP vs RADIUS may not make much sense. But, for others, there are examples where there is some overlap between the abilities of each protocol—especially when it comes to network authentication. With that in mind, let’s take a look at LDAP vs RADIUS.
LDAP, or the Lightweight Directory Access Protocol, can be described as both a software solution and a protocol. On the software side, an LDAP server holds a directory: a store of information about users. The individual pieces of information stored about each user are called attributes. Common attributes include usernames, passwords, email addresses, phone numbers, and so on.
The protocol aspect of LDAP has to do with accessing those attributes and verifying or modifying them in some manner. Interacting with information in an LDAP server follows the client/server model: the client sends requests to the server using the LDAP “protocol”, and each request indicates the type of operation it wants the server to perform on the directory.
One of the most common operations is the bind request. Essentially, a bind request is a request from a client (sent on behalf of a user) to authenticate against an LDAP server. Ultimately, the purpose of binding is to gain access to a particular resource—which could be a Linux® server, an application (such as Atlassian® Jira®), an on-prem storage system such as a network attached storage (NAS) device, an OpenVPN network, or some wireless networking gear. It should be noted that LDAP is most commonly used for authentication to technical applications leveraged by the technical community. Its flexibility and open source nature fit in well with engineers, developers, operations personnel, and more.
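To make the bind request concrete, here is an added example (not code from the original post, and not JumpCloud's or any LDAP server's own code) that builds the exact bytes an LDAP client sends for a simple bind and the bytes the server answers with, following the BER encoding in RFC 4511. The bind DN, password and diagnostic text are constructed for illustration and no server is contacted. The point worth seeing is that a simple bind carries the password as a plain OCTET STRING, which is why this exchange is only acceptable inside LDAPS or after StartTLS.

```python
"""Added example: an LDAP simple bind on the wire (RFC 4511, BER encoding).

All values (DN, password, diagnostic message) are constructed for illustration;
nothing here talks to a real LDAP server.
"""

# Universal BER tags and the LDAP application/context tags used by a bind.
SEQUENCE, INTEGER, OCTET_STRING, ENUMERATED = 0x30, 0x02, 0x04, 0x0A
BIND_REQUEST, BIND_RESPONSE = 0x60, 0x61   # [APPLICATION 0] / [APPLICATION 1], constructed
SIMPLE_AUTH = 0x80                          # AuthenticationChoice: simple [0] OCTET STRING
LDAP_SUCCESS, INVALID_CREDENTIALS = 0, 49   # resultCode values defined in RFC 4511


def ber_length(n: int) -> bytes:
    """BER definite length: short form below 128, long form (0x8N + N bytes) otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, payload: bytes) -> bytes:
    """Tag-Length-Value: one BER element."""
    return bytes([tag]) + ber_length(len(payload)) + payload


def ber_int(value: int) -> bytes:
    """Minimal two's-complement INTEGER (sufficient for message IDs and the version)."""
    return tlv(INTEGER, value.to_bytes(value.bit_length() // 8 + 1, "big", signed=True))


def bind_request(message_id: int, bind_dn: str, password: str) -> bytes:
    """Client -> server: LDAPMessage { messageID, BindRequest { version 3, name, simple } }."""
    op = tlv(BIND_REQUEST,
             ber_int(3)
             + tlv(OCTET_STRING, bind_dn.encode())
             + tlv(SIMPLE_AUTH, password.encode()))   # password travels in the clear
    return tlv(SEQUENCE, ber_int(message_id) + op)


def bind_response(message_id: int, result_code: int, diagnostic: str = "") -> bytes:
    """Server -> client: LDAPMessage { messageID, BindResponse { resultCode, matchedDN, diagnosticMessage } }."""
    result = (tlv(ENUMERATED, bytes([result_code]))
              + tlv(OCTET_STRING, b"")                 # matchedDN, empty for a bind
              + tlv(OCTET_STRING, diagnostic.encode()))
    return tlv(SEQUENCE, ber_int(message_id) + tlv(BIND_RESPONSE, result))


def read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, value, position after the element) for the TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def parse_bind_request(pkt: bytes) -> dict:
    """Decode what a server (or a packet capture) sees in a simple BindRequest."""
    tag, msg, _ = read_tlv(pkt)
    assert tag == SEQUENCE, "not an LDAPMessage"
    _, mid, pos = read_tlv(msg)
    tag, op, _ = read_tlv(msg, pos)
    assert tag == BIND_REQUEST, "not a BindRequest"
    _, version, pos = read_tlv(op)
    _, name, pos = read_tlv(op, pos)
    auth_tag, cred, _ = read_tlv(op, pos)
    return {
        "message_id": int.from_bytes(mid, "big", signed=True),
        "version": int.from_bytes(version, "big", signed=True),
        "bind_dn": name.decode(),
        "simple_password": cred.decode() if auth_tag == SIMPLE_AUTH else None,
    }


def parse_bind_response(pkt: bytes) -> dict:
    """Decode the server's BindResponse into its LDAPResult fields."""
    tag, msg, _ = read_tlv(pkt)
    assert tag == SEQUENCE, "not an LDAPMessage"
    _, mid, pos = read_tlv(msg)
    tag, result, _ = read_tlv(msg, pos)
    assert tag == BIND_RESPONSE, "not a BindResponse"
    _, code, pos = read_tlv(result)
    _, matched, pos = read_tlv(result, pos)
    _, diag, _ = read_tlv(result, pos)
    return {
        "message_id": int.from_bytes(mid, "big", signed=True),
        "result_code": code[0],
        "matched_dn": matched.decode(),
        "diagnostic": diag.decode(),
    }


if __name__ == "__main__":
    # Constructed sample exchange: a bind that the server rejects.
    req = bind_request(1, "uid=alice,ou=people,dc=example,dc=com", "s3cret")
    print("BindRequest  :", req.hex())
    print("decoded      :", parse_bind_request(req))
    resp = bind_response(1, INVALID_CREDENTIALS, "invalid credentials")
    print("BindResponse :", parse_bind_response(resp))
```

Running the script and looking at the hex shows `s3cret` byte for byte inside the request; a directory that accepts simple binds over plain port 389 is therefore exposing every user's password to anyone on the path, and a monitoring rule that flags simple binds without TLS is a cheap way to catch misconfigured clients.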
Common implementations of LDAP include:
- OpenLDAP™ – The most widely used open source LDAP implementation. As an open source solution, downloading the software is free, but setting it up on physical hardware is not. OpenLDAP is extremely flexible and can be used for authentication to many different types of resources, all of which ultimately use the LDAP protocol.
- Apache Directory Server – An OpenLDAP offshoot with support for Kerberos as well as LDAP.
- Active Directory® – Active Directory makes use of LDAP for authentication, but it also uses many of Microsoft’s own proprietary authentication protocols. It lacks flexibility as compared to open source implementations.
- LDAP-as-a-Service – This cloud-based service from JumpCloud® frees IT admins and DevOps engineers from having to set up, configure, and maintain on-prem LDAP servers. It provides authentication to applications, Linux servers, and OpenVPN networks, among other IT resources.
RADIUS, or the Remote Access Dial-In User Service, is a tool created to authenticate user identities to networking infrastructure, generally against a directory (e.g. OpenLDAP, Active Directory). Like LDAP, RADIUS is both a piece of software and a protocol. A RADIUS server can store user identities for authentication purposes, but the work of actually performing those authentications is generally delegated to a directory service: RADIUS is not a popular authentication protocol for applications and systems, so those need another user store anyway, and keeping a single identity provider makes more sense. While RADIUS can store some basic user attributes such as the username and password, its other attributes are generally focused on the networking side, such as VLAN placement.
The primary use case for RADIUS is to centralize authentication to many different types of networking gear. Those devices could include WAPs, switches, VPNs, routers, and many more. Essentially, RADIUS provides a way to secure your networks by giving each user their own set of credentials—no more shared WiFi or VPN credentials written on a whiteboard. Because RADIUS works with so many different types of equipment, it has cemented its place in IT for another generation.
You’ll commonly see RADIUS used in settings from ISPs and college campuses to enterprise infrastructure, wherever there are many users and a significant amount of networking gear. If each user needed separate login information for each type of WAP, switch, or VPN, that would clearly be a poor user experience; if a sysadmin had to create user accounts on each piece of networking equipment, it would be too time consuming. To mitigate that challenge, RADIUS centralizes authentication so users have one set of credentials for a multitude of networking gear and infrastructure, while DevOps personnel can point all of their networking equipment to the central RADIUS server.
Common implementations include:
- FreeRADIUS – The most popular on-prem, self-managed RADIUS implementation on the market. Like OpenLDAP, while the software is free, the costs associated with actually setting it up (purchasing hardware, labor, etc.) and managing it are not.
- Cisco® ISE – More of a policy engine that dictates network access based on various data points. Integrates with Cisco networking gear, which could lead to vendor lock-in.
- Microsoft NPS – Microsoft’s RADIUS server integrates tightly with Active Directory. It works best in Windows® environments, which negates some of the flexibility IT admins get with open source options.
- RADIUS-as-a-Service – Like LDAP-as-a-Service, this cloud-based RADIUS server frees IT admins and DevOps engineers from on-prem maintenance chores. It authenticates users of Windows, Mac, and Linux machines to all types of networking infrastructure, including WAPs, 802.1X switches, VPNs, and more.
LDAP vs RADIUS: Similarities and Differences
Both LDAP and RADIUS are authentication protocols that enable users to access IT resources. Each protocol is available as an open source implementation, and each is standardized in an Internet Engineering Task Force Request for Comments (IETF RFC). Further, each has a community around it that provides further development, discussion, and best practices for implementation.
In short, these two protocols were created for different use cases. LDAP was created mainly for authentication to systems and applications. RADIUS, on the other hand, was initially created for low-bandwidth conditions across networks. It was designed to authenticate dial-up users via modems to remote servers over telephone lines. But, there is some overlap.
LDAP can be leveraged to authenticate users to OpenVPN networks in the same way that RADIUS can. Also, some WiFi networking gear allows LDAP authentication in place of RADIUS. For these purposes, IT admins and DevOps engineers may have a preference due to personal history or inclination. Depending on additional needs, however, one cannot replace the other. For example, you may need RADIUS reply attributes to place a given user, or group of users, in the correct virtual local area network (VLAN). You cannot do this with LDAP. Similarly, you wouldn’t use RADIUS to authenticate users to Linux servers.
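The RADIUS exchange described in the two sections above (a NAS such as a WAP authenticating a user against a central server, and the server answering with reply attributes that place the user in a VLAN) is shown end to end in the following added example. This is illustration code written for this page, not JumpCloud's, FreeRADIUS's or any vendor's implementation; the shared secret, Request Authenticator, NAS identifier and VLAN number are all constructed values. It builds an Access-Request with the User-Password hiding from RFC 2865, builds an Access-Accept carrying the Tunnel-* VLAN attributes from RFC 2868, and verifies the Response Authenticator the way a NAS must before trusting the reply.

```python
"""Added example: a RADIUS Access-Request / Access-Accept exchange with VLAN placement.

Shared secret, Request Authenticator, NAS identifier and VLAN are constructed
for illustration; nothing here is sent on the network.
"""
import hashlib
import hmac
import struct

# Packet codes and attribute numbers from RFC 2865 / RFC 2868.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IDENTIFIER = 1, 2, 32
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE802 = 13, 6     # values used for 802.1X VLAN assignment


def attr(atype: int, value: bytes) -> bytes:
    """One attribute: Type (1 byte), Length (1 byte, includes header), Value."""
    return bytes([atype, len(value) + 2]) + value


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 User-Password hiding: MD5(secret + previous block) XORed over 16-byte chunks."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        b = hashlib.md5(secret + prev).digest()
        c = bytes(x ^ y for x, y in zip(padded[i:i + 16], b))
        out, prev = out + c, c
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password, as the RADIUS server performs it."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        b = hashlib.md5(secret + prev).digest()
        c = hidden[i:i + 16]
        out, prev = out + bytes(x ^ y for x, y in zip(c, b)), c
    return out.rstrip(b"\x00")


def header(code: int, ident: int, attrs_len: int) -> bytes:
    return struct.pack("!BBH", code, ident, 20 + attrs_len)


def access_request(ident: int, username: bytes, password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """NAS -> server. The 16-byte request_auth is normally random per request."""
    attrs = b"".join([
        attr(USER_NAME, username),
        attr(USER_PASSWORD, hide_password(password, secret, request_auth)),
        attr(NAS_IDENTIFIER, b"wap-01"),                # constructed NAS name
    ])
    return header(ACCESS_REQUEST, ident, len(attrs)) + request_auth + attrs


def response_authenticator(code: int, ident: int, attrs: bytes, request_auth: bytes, secret: bytes) -> bytes:
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    return hashlib.md5(header(code, ident, len(attrs)) + request_auth + attrs + secret).digest()


def access_accept_vlan(ident: int, request_auth: bytes, secret: bytes, vlan_id: int, tag: int = 1) -> bytes:
    """Server -> NAS: Access-Accept with the RFC 2868 attribute triple that assigns a VLAN."""
    attrs = b"".join([
        attr(TUNNEL_TYPE, bytes([tag]) + TUNNEL_TYPE_VLAN.to_bytes(3, "big")),
        attr(TUNNEL_MEDIUM_TYPE, bytes([tag]) + TUNNEL_MEDIUM_IEEE802.to_bytes(3, "big")),
        attr(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan_id).encode()),
    ])
    auth = response_authenticator(ACCESS_ACCEPT, ident, attrs, request_auth, secret)
    return header(ACCESS_ACCEPT, ident, len(attrs)) + auth + attrs


def parse_packet(pkt: bytes):
    """Return (code, identifier, authenticator, [(type, value), ...])."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    attrs, pos = [], 20
    while pos < length:
        atype, alen = pkt[pos], pkt[pos + 1]
        attrs.append((atype, pkt[pos + 2:pos + alen]))
        pos += alen
    return code, ident, pkt[4:20], attrs


def verify_response(pkt: bytes, request_auth: bytes, secret: bytes) -> bool:
    """What a NAS must check before acting on an Accept/Reject: the authenticator binds the
    reply to this request and to the shared secret, so a forged or altered reply fails here."""
    code, ident, auth, _ = parse_packet(pkt)
    length = struct.unpack("!H", pkt[2:4])[0]
    expected = response_authenticator(code, ident, pkt[20:length], request_auth, secret)
    return hmac.compare_digest(auth, expected)


def vlan_from_accept(pkt: bytes):
    """Extract the VLAN the server assigned (first byte of the value is the RFC 2868 tag)."""
    _, _, _, attrs = parse_packet(pkt)
    for atype, value in attrs:
        if atype == TUNNEL_PRIVATE_GROUP_ID:
            return value[1:].decode()
    return None


if __name__ == "__main__":
    secret = b"constructed-shared-secret"      # configured on both NAS and server
    request_auth = bytes(range(16))            # constructed; use os.urandom(16) in practice
    req = access_request(7, b"alice", b"s3cret", secret, request_auth)
    print("Access-Request:", req.hex())
    acc = access_accept_vlan(7, request_auth, secret, vlan_id=20)
    print("Access-Accept verified:", verify_response(acc, request_auth, secret))
    print("VLAN assigned:", vlan_from_accept(acc))
```

Two things the code makes visible that the prose only implies. First, the User-Password attribute is obfuscated with an MD5 keystream derived from the shared secret, not encrypted in any modern sense, so the secret's strength and the network path between NAS and server are what protect the password (RADIUS over IPsec or RadSec/TLS removes that dependence). Second, the VLAN decision lives entirely in the server's reply attributes, which is exactly the capability the text says LDAP has no equivalent for: an LDAP bind result is a success code, not a set of network instructions.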
Thankfully, you don’t have to choose one or the other. Each has its own unique attributes and areas of strength. That’s why the JumpCloud® Directory-as-a-Service® platform leverages both protocols so you get the ability to use LDAP and RADIUS—all with no on-prem infrastructure to tend to.
Try JumpCloud Today
In the decision between LDAP vs RADIUS you can choose both when you sign up for a free JumpCloud account. Plus, your first 10 users in the platform are free forever. In order to make sure your evaluation is extensive, you’re free to utilize the entire breadth of the platform including LDAP, RADIUS, and a whole lot more. Or, just to see it in action, schedule a demo today.