Outsourced WiFi Authentication

Written by Greg Keller on May 9, 2016

Share This Article

As organizations move to WiFi networks rather than wired, there are a new set of challenges facing IT admins: security risks. There is a movement to address these challenges by outsourcing WiFi authentication via a RADIUS-as-a-Service solution. This option has a two-fold benefit: one, to dramatically increase security; two, to off-load additional administrative work and infrastructure.

WiFi’s Security Threat Vector

Wireless networks are viewed as less secure than their wired predecessor in most cases. The problem stems from the history of early WiFi networks being left wide open for anybody to use. When encryption started to be prevalent, with networks being secured using an SSID key and passphrase, the approach was marginal at best. The encryption protocols in use are often weak and have been shown to be easily compromised with open-source solutions. Also, by their nature, WiFi networks are less secure because physical proximity is not a necessary requirement. With wired networks, a person would need to be within the office to connect into the network jack, but with WiFi the person could be outside of the building. As a result of these issues, WiFi is a serious threat vector that IT admins are hard-pressed to defuse.

A Simple, Yet Administratively Painful Solution

An approach to solving the insecurity of WiFi is to force users to have unique credentials to the network. Each person not only needs to have the SSID and passphrase (which is available to the entire office), but they also must be validated against a central directory service. The benefit of this is that every user already comes with credentials, so there is nothing new to learn. Additionally, if a user is not registered within the user database yet somehow obtained the SSID and passphrase, they are not granted access to the network. This simple approach is a massive step up in security.

The challenge with this approach is that the administrative set-up is painful. There are two common methods for setting up WiFi authentication with a directory service. One is a direct connection to an LDAP directory, and the other is by leveraging the RADIUS protocol. The LDAP approach works well, but has at least two immediate limitations: one, the organization must be leveraging LDAP or have access to LDAP; two, the user needs to log in with certain frequency. RADIUS also requires a server, but will connect to an existing directory service. Perhaps most importantly, RADIUS enables users to enter their credentials once and then not worry about updating them unless on a periodic basis as specified by the IT admin. This enables frictionless access to the network, but with dramatically increased security.

RADIUS in the Cloud: Simple, Painless and Secure

IT admins are loathe to add more infrastructure on-premises. Managing RADIUS servers, orchestrating the integration with WiFi access points and the core user directory, adds work to an already heavy workload. Fortunately, there is a less painful option. Modern IT organizations are outsourcing their WiFi authentication approach to RADIUS-as-a-Service providers. This approach creates a managed service around RADIUS, the core user directory service, and the authentication of WiFi users. There is nothing that is needed on-premises. Users simply enter their normal directory credentials into the supplicant, and then they are automatically joined to the WiFi network.

If you would like to learn more about how you can outsource your WiFi authentication via a Directory-as-a-Service platform, drop us a note. We’d be happy to help. Or, feel free to give it a try for yourself. Your first 10 users are free forever.

Continue Learning with our Newsletter