OpenLDAP WiFi Authentication and RADIUS Support

By Greg Keller Posted April 27, 2016

As WiFi networks become more ubiquitous, IT admins are searching for ways that OpenLDAP can serve as the backend for their WiFi authentication through RADIUS support. The good news is that OpenLDAP and FreeRADIUS can work well together. So, what’s the bad news? Because both are open source solutions, they each require a great deal of effort to install, configure, and maintain. The promise, though, is to be able to step up security for your WiFi network without having to do a great deal of heavy lifting.

Why WiFi is So Widespread

The shift from wired networks to WiFi has been underway for a number of years now. Today, very few organizations are implementing wired networks. The cost of cabling is far too significant, and the lack of flexibility and agility is a big drawback for employees. Modern organizations are creating flexible workspaces where employees and others can work together productively. Wireless connection to the network is a key part of making that happen, resulting in increases in productivity and employee morale. The challenge for IT is how to enable that flexibility and productivity while heightening security.

The Thin Line of WiFi Security

WiFi networks are notoriously insecure. The first WiFi implementations were protected by an SSID and passphrase. Eventually, those connections were encrypted, but the algorithms were weak enough to be easily broken. Of course, the benefit of WiFi is being able to pick up the signal without wires anywhere within the building. There is a downside, though. Since the signal is also available outside of the building, it is accessible to hackers parked on the street or in the parking lot. A few open source tools and a powerful laptop are all a good hacker needs to break into your WiFi network.

OpenLDAP, WiFi Authentication, and FreeRADIUS

IT admins know this and are taking steps to protect their organizations. The best way to make that happen is to connect the WiFi network to the core directory service. By enabling that connection, each user must log in to the network with their own unique credentials. A shared SSID and passphrase are no longer enough to gain entry into the WiFi network. For those organizations that leverage OpenLDAP, that WiFi authentication can take place through integration with FreeRADIUS. The RADIUS server acts as a proxy for the directory service, ensuring that each user has securely logged in. On the user side, credentials are entered into an on-board supplicant, and the supplicant leverages RADIUS to securely authenticate.

Seal the Deal with the RADIUS-as-a-Service Platform

The approach is a best security practice, but it requires significant effort. A cloud-hosted OpenLDAP service that integrates RADIUS is a much better option for organizations. It shifts the management of OpenLDAP and FreeRADIUS to the service provider. IT organizations simply enter their users and direct their WiFi access points to the RADIUS-as-a-Service cloud platform. The rest of the work is done for the IT organization, including all of the management. The platform is called Directory-as-a-Service®, and it is an integrated cloud-hosted LDAP and RADIUS platform.

If you would like to learn more about how you can leverage OpenLDAP and FreeRADIUS for your WiFi authentication, drop us a note. We’d be happy to discuss it with you. Alternatively, if you would like to try JumpCloud’s Directory-as-a-Service, please sign up for a free account. Your first 10 users are free forever.

Greg Keller

Greg is JumpCloud's Chief Product Officer, overseeing the product management team, product vision and go-to-market execution for the company's Directory-as-a-Service offering. The SaaS-based platform re-imagines Active Directory and LDAP for the cloud era, securely connecting and managing employees, their devices and IT applications.
