RADIUS + MFA = Secured VPNs

Written by Zach DeMeyer on April 28, 2020

Share This Article

A core task for many IT admins is figuring out how to properly control network access to ensure security. With current events leading to a dramatic shift in the way that people work, secure remote access to networks is critical.

Virtual private networks (VPNs) are an effective way to provide remote network access, but they aren’t fully secure by themselves. Multi-factor authentication (MFA) offers a stronger safeguard to login processes. In this blog post, we’ll discuss how using RADIUS + MFA in tandem can help IT organizations secure their VPNs.

Addressing Network Security With a Fully Remote Work Model

A VPN provides an encrypted tunnel to allow network access to only trusted users. Although VPNs can be used to create private internet access on a public network, for the purposes of this discussion, we will focus on how they allow remote access to on-premises network resources.

By nature, on-prem network resources tend to include critical organizational data, which demand tight security to avoid compromise. Often, IT admins promote network security by backending their WiFi or VPN connections with a RADIUS server. 


The RADIUS network authentication protocol leverages a directory of user identities, requiring unique credentials instead of just a shared password to authorize access. As such, it provides tight security to networks, ensuring that only known entities are accessing the network and its resources.

Although they can feature an onboard user directory, RADIUS servers allow IT admins to provision and deprovision access to the VPN or WiFi network through their core directory service. By leveraging the core directory service, IT organizations cut down on the number of credentials an end user needs to keep track of in order to access their resources. Since users have their own unique credentials, the chances that they’ll share their passwords with someone that could be a bad actor decreases significantly as well.

Of course, simply requiring unique credentials for VPN access through RADIUS doesn’t mean that a network is secured. After all, identities are the number one target for cybercriminals and, with the rise in phishing and other social engineering attacks, those bad actors could use compromised credentials to sneak into VPNs and their associated networks. 


Because so many critical services are housed behind firewalls, particularly those protected through a VPN, IT admins need to ensure that those services are secured — even if credentials are compromised. Adding MFA to VPN keeps the network out of reach from those that wish to do it harm through a stolen identity.

MFA requires an additional authentication factor, often a code found on the user’s smartphone through SMS or an application. In their study of device-based MFA, Google Security Blog found that it’s over 90% effective at preventing targeted attacks on an identity, with over 96% effectiveness against bulk phishing attempts, and 100% effectiveness against automated bots.

When it comes to stopping attacks upon VPNs, combining RADIUS with MFA means that IT admins can rest assured that their users will have secured access to their resources, regardless of where they are in the world.

Implementing RADIUS + MFA

The good news is that modern solutions like Directory-as-a-Service® offer cloud RADIUS + MFA that any organization can roll out across a fully remote workforce or one in a brick-and-mortar office. These cloud-hosted solutions take the usual workload out of implementing RADIUS and MFA, using pre-configured cloud servers to provide global availability, and subsequently remote management capabilities.

Directory-as-a-Service (DaaS) acts as the core identity provider, allowing IT admins to provision new VPN users with a unified set of credentials they can leverage for virtually all IT resources. For organizations embedded in their AD infrastructure, DaaS also features AD Integration, extending AD credentials to RADIUS, VPNs, and other resources which fall outside AD’s domain, and backing them with MFA.

If your organization needs to ensure that remote resource access via VPN is secured, check out this guide on how you can optimize your security through cloud RADIUS + MFA and other best practices.

Continue Learning with our Newsletter