By Greg Keller Posted July 7, 2017
The move to WiFi networks has been nearly universal. The good news is that there are a lot fewer ethernet cables out there to wrangle. The bad news, though, is that the security around WiFi networks is sorely lacking. Security-conscious organizations are creating unique access by integrating their WiFi infrastructure with their directory services. RADIUS is the glue that makes this WiFi authentication process work. So is RADIUS in the cloud right for you and your organization? Below are some key questions that IT admins have about RADIUS in the cloud.
Questions to Ask About WiFi Security with Cloud RADIUS
1. What is cloud RADIUS?
Cloud RADIUS is a SaaS-based service for leveraging the RADIUS protocol. Instead of IT admins running FreeRADIUS, that server and process is outsourced to a RADIUS-as-a-Service solution. All of the implementation and ongoing maintenance is handled by the provider, alleviating the burden from IT organizations.
Cloud RADIUS is also sometimes referred to as virtual RADIUS, hosted RADIUS, SaaS RADIUS, or RADIUS-as-a-Service.
2. What are the benefits of leveraging a RADIUS in the cloud solution?
A RADIUS in the cloud service can be extremely beneficial for IT organizations, especially when combined with a cloud-hosted directory service. There are a number of benefits to implementing a cloud RADIUS service within an IT organization, including:
Increased security – instead of relying only on a shared SSID and passphrase to secure the WiFi network, a hosted RADIUS solution uniquely authenticates each user to the WiFi network. Simply having access to the shared credentials isn’t enough to log in to the network. This is a major improvement in network security.
Less work for IT – an outsourced RADIUS solution alleviates the burden of installing, configuring, and managing a RADIUS server, along with the associated work to ensure that each system is properly configured. In on-prem deployments, the FreeRADIUS server also needs to be connected to the directory server, which adds more work to the IT admin’s plate. With RADIUS-as-a-Service, the provider handles all of the implementation and ongoing management details for the cloud RADIUS service.
True Single Sign-On™ – IT admins can enable RADIUS integration with existing credentials, like those from G Suite or Office 365. As a result, end users don’t have to have yet another set of credentials to manage.
3. Why use RADIUS with my WiFi network?
Unfortunately, WiFi networks are insecure. IT admins would traditionally set up an SSID and passphrase in order to access the WiFi network. But existing encryption methods for WiFi have generally been viewed as insecure. As a result, security-conscious organizations will look for an added step to increase the security of the WiFi network. Of course, IT admins are also cognizant of the increased hassle the end users could face.
A method to dramatically increase security involves integrating the WiFi network with the central, authoritative identity provider. Each user in this scenario is forced to uniquely log into the network rather than simply using the shared SSID and passphrase. The conduit between the WiFi network and the cloud directory service is the RADIUS server and protocol. A user’s credentials are passed via the appropriate RADIUS protocol for validation before access is granted. This approach to controlling access to the WiFi network is a major step up over shared WiFi credentials.
4. Do I need to reconfigure endpoints to make a RADIUS-as-a-Service solution work?
No. This is a significant benefit of RADIUS-as-a-Service. Systems are generally pre-configured to fully support the PEAP protocol without additional effort on the part of the IT admin. This is an important capability and feature that IT admins should leverage during an implementation.
5. Will a virtual RADIUS offering work with my wireless access points?
RADIUS-as-a-Service generally works with most wireless access points (WAPs). As long as the WAPs support RADIUS, the cloud RADIUS offering should work fine with just a simple setting that points the WAP to the RADIUS endpoint. It’s a good idea to check with the WiFi manufacturer to confirm their support of RADIUS.
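As an added illustration (not from the original article or any provider's documentation), this is roughly what that setting looks like on an access point running hostapd, with the shared-passphrase configuration shown beside the per-user RADIUS one. The choice of hostapd, the SSID, the addresses (documentation ranges), the AP name, the secrets and the existence of a second server are all assumptions and placeholders.

```ini
# hostapd.conf for one SSID (constructed example; every value is a placeholder)
interface=wlan0
driver=nl80211
ssid=ExampleCorp
hw_mode=g
channel=6
wpa=2
rsn_pairwise=CCMP

# --- Before: shared passphrase (WPA2-Personal) ---
# Everyone who knows the passphrase gets on; there is no per-user identity.
#wpa_key_mgmt=WPA-PSK
#wpa_passphrase=REPLACE_WITH_SHARED_PASSPHRASE

# --- After: per-user authentication via RADIUS (WPA2-Enterprise) ---
# The AP relays each client's EAP exchange (PEAP, per question 4) to the
# RADIUS server, which validates that user's own credentials.
wpa_key_mgmt=WPA-EAP
ieee8021x=1

# How this AP identifies itself to the RADIUS server
nas_identifier=ap-lobby-01
own_ip_addr=198.51.100.10

# Primary hosted RADIUS server (192.0.2.0/24 is a documentation range).
# The shared secret authenticates the AP to the server; it is not a user
# credential and should be long, random and unique per site.
auth_server_addr=192.0.2.10
auth_server_port=1812
auth_server_shared_secret=REPLACE_WITH_LONG_RANDOM_SECRET

# Assumed second server, tried if the primary stops answering
auth_server_addr=192.0.2.11
auth_server_port=1812
auth_server_shared_secret=REPLACE_WITH_LONG_RANDOM_SECRET

# Seconds before hostapd goes back to the primary after failing over
radius_retry_primary_interval=600
```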
6. What happens if my Internet connection goes down?
Internet connections can fail. When they do, the on-prem WAPs won’t be able to connect with the virtual RADIUS server in the cloud. Because the RADIUS server is integrated with a cloud directory service, an Internet outage means that the user will not be able to connect to the WiFi network, and even if they could, they would not be able to access the Internet.
The simple resolution to work on the local network is to disable RADIUS authentication and allow for SSID and passphrase authentication to the WiFi network. End users will then be able to connect to the on-prem network, but will not be able to access the Internet, of course. Once Internet connectivity is restored, RADIUS-based authentication can also be resumed.
7. Is an outsourced RADIUS solution secure?
Yes. Security is an important component of a cloud RADIUS solution. The connection from the WAPs to the cloud RADIUS server is enclosed in a secure tunnel. The protocol used also has additional security features. The connection between the RADIUS server and the cloud-hosted directory service is via mutual TLS. Credentials stored in the hosted directory are one-way hashed and salted, and data at rest is encrypted as well.
8. Can I use G Suite or Office 365 credentials or does the user need another set of credentials?
Yes. In fact, this is a central benefit for many IT organizations. In order to achieve True Single Sign-On, IT admins would like to utilize one set of credentials for their end users. RADIUS-as-a-Service can leverage the end user’s G Suite or O365 credentials as the ones to access the WiFi network. Those credentials are entered into the device’s supplicant once and then automatically used each time the device is placed on the WiFi network.
9. Can my mobile devices leverage the SaaS RADIUS service?
Yes, smartphones and tablets can be forced to utilize the cloud RADIUS service as well. Users simply enter their core credentials into their device and access to the network is subsequently controlled through their unique credentials. Both iOS and Android devices support RADIUS authentication when accessing the WiFi network.
So is RADIUS in the Cloud Right for You?
Implementing RADIUS inside of an IT network is an important step to increasing the security of the WiFi network. The positive news is that with a SaaS RADIUS solution, IT admins don’t have to do the heavy lifting of making it all work.
Directory-as-a-Service® is an integrated cloud RADIUS solution and hosted directory service. IT admins simply point their WAPs to the virtual RADIUS servers in the cloud and then Directory-as-a-Service takes it from there by authenticating the user’s access to the WiFi network.