How to Maintain Network Security For Remote Workers with RADIUS MFA

Written by Kelsey Kinzer on October 7, 2021

Share This Article

It’s Cybersecurity Awareness Month! In honor of the theme — Do Your Part. #BeCyberSmart — we’re doing our part by educating IT teams and organizations on protecting themselves. Throughout October, the JumpCloud blog will focus on top cybersecurity issues, from IT admin best practices to CISO responsibilities. Tune back in throughout the month for new cybersecurity content or check out our archive of existing security articles for cybersecurity insights written specifically for the IT professional.


A core task for many IT admins is figuring out how to properly control network access to ensure security. With COVID-19 creating a dramatic shift in the way that people work, secure remote access to networks is critical. Whereas before, most IT teams maintained a singular, on-prem working environment, now countless IT professionals have been required to enable remote access to vital resources for all users.

Virtual private networks (VPNs) have been used for many years and are an effective way to provide remote network access, but they aren’t fully secure by themselves. Multi-factor authentication (MFA) offers a stronger safeguard to the login process, especially when implemented in conjunction with RADIUS. In this blog post, we’ll discuss the different strategies for securing your corporate network, and look at how they can work in tandem.

What are the Different Ways to Maintain Network Security?

VPNs, MFA, and RADIUS are all user authentication mechanisms that are well-suited to address the network security challenges of a fully remote or hybrid workplace model. Working in harmony, they can create a very strong authentication and security workflow—but let’s break down some of their individual characteristics.

1. Virtual Private Networks (VPNs)

VPN technology encrypts and tunnels data packets between devices and a centrally located VPN server. Businesses use these connections to allow employees to access the corporate network when they are not physically connected to the network (either through an ethernet connection of WiFi), such as when working from home or traveling for business purposes. 

An on-demand VPN service is used by employees to connect to the corporate network when they want to access resources that live strictly within the bounds of the corporate network, such as files, databases, applications, and other internal information. VPN technology offers benefits to business travelers and remote workers that include: 

  • Gaining access to company resources even if you’re out of the office
  • Protecting your data and identity while you’re on public Wi-Fi or other untrusted networks

However, this option does not stand alone as a robust security measure. Without additional protections in place, any attacker that can penetrate the VPN will be able to be on the same network as  critical company resources.

2. Multi-Factor Authentication (MFA)

MFA, also known as two-factor authentication (2FA), is an additional level of security that makes it more difficult for cyber criminals to gain unauthorized access to accounts by requiring you to use multiple “factors” to complete authentication; generally speaking, one would provide something they know, such as a password or PIN code, in addition to something they have (like a hardware token or code from an authenticator app) or something they are (like a fingerprint or face scan).

It’s important to implement MFA for remote workers as well as those who work on-site, as it provides yet another layer of protection against the risk of unauthorized account access and passwords being sniffed out by hackers using keystroke loggers or network monitoring programs. 

MFA is also especially effective against phishing attacks. Anyone who has your username and password can attempt to access your account, but only someone with your physical possession of the second authentication factor can get in.

3. The RADIUS Protocol

This protocol permits centralized authentication, authorization, and accounting (AAA) management of devices connecting to and using networks with Remote Authentication Dial-In User Service (RADIUS). 

Essentially, the RADIUS protocol and server can be designed to authenticate user credentials against a core IdP, which typically takes the form of either an on-prem or, in more modern IT environments, a cloud directory. The latter provides the added benefits that help ensure IT admins can manage user credentials from a centralized location and simplifies the process to stand up, configure, and maintain their own endpoints. This significantly cuts down on overhead, which means admins can have better control of user access wherever they may be (remote or on-prem). 

RADIUS is now often associated with securing Wi-Fi networks, which grants admins much more control over who can access via Wi-Fi and what resources are available to them (through VLAN tagging). However, RADIUS can be used in much the same way to support and secure access to the network over VPN.

What is the Best Way to Maintain Network Security? 

The best way for small to medium-sized enterprises (SMEs) to maintain network security is to take a combination approach: wherever necessary, require remote workers to connect to their VPN, establish the method of authentication through RADIUS, and secure that access transaction with MFA.

In general, VPNs require a username and password combination along with a shared secret and/or certificate for authentication. Depending on how they’re implemented, however, the username/password pair may be a shared set of credentials across the organization, much like many have done for Wi-Fi access. With a shared set of VPN credentials, organizations open themselves up to potential security risks.

With users working in environments outside of the IT department’s direct influence (e.g. their houses), end users and the shared credentials are more susceptible to attack. If, for any reason, that shared user identity is compromised, the VPN is subsequently compromised, as well as the connected services. Even if VPN access is not granted from a shared credential, but an individual one per user, attacks ranging from a brute force carried out by bots to phishing attacks on unsuspecting users can be very effective.

As such, IT admins need solutions like RADIUS servers to improve their VPN security. Adding RADIUS authentication to VPN access provides tighter security than just an unmanaged password alone. Additionally, RADIUS servers can be difficult to maintain and troubleshoot, so many organizations may not even bother using them at all, and will thus have a harder time than others securing their VPNs.

To add yet another layer of security, IT admins should also enforce MFA on their VPN connections to ensure that their remote workers are as secure as possible. Through cloud-hosted RADIUS, MFA can secure a VPN even further by requiring a second factor beyond the user’s managed credentials upon login, further reducing the risk of a breach.

What is the Easiest Way to Add MFA to RADIUS-backed VPNs?

gif showing MFA

As you can see, RADIUS, MFA, and VPN all enhance network security in their own way, and each of them can directly complement one another. This one-two-three punch of network access creates multiple layers of security to protect both the end user and the corporate network, and, when supported by a cloud directory, there are many fail-safes built in to grant IT admins the alerting and capabilities to shut down unwanted access should it ever penetrate these controls. 

The challenge is, of course, setting it all up in a legacy environment.

This is where the “as-a-Service” model really shines. The JumpCloud Directory Platform, for example, enables IT admins and DevOps engineers to add MFA to a RADIUS-backed VPN without anything on-prem and with the added convenience of a cloud-based solution.

IT admins and DevOps engineers can simply point their VPNs to authenticate through the JumpCloud RADIUS service and avoid any on-prem infrastructure, while still gaining the identity management control they need over their VPNs. You can explore this functionality for yourself and sign up for a JumpCloud Free account today. In fact, the full functionality of our cloud directory platform—including MFA, RADIUS, VPN, and a lot more—is completely free for up to 10 users and 10 devices.

 

Continue Learning with our Newsletter