By Vince Lujan Posted May 21, 2019
Is it possible to have multi-factor authentication or MFA for RADIUS networks? As more IT organizations leverage the RADIUS protocol to authenticate users to VPNs, many would benefit from the added security of RADIUS MFA.
The good news is that there are solutions available that can deliver MFA for RADIUS and do so as a cloud-based RADIUS-as-a-Service. In doing so, IT organizations can level up security for RADIUS networks with MFA, without anything on-prem.
Let’s take a closer look below.
Overview of RADIUS and MFA
RADIUS and MFA have both been around for a long time, and both have been adapted to a wide variety of use cases and methodologies.
The RADIUS protocol, which stands for the Remote Authentication Dial-In User Service, was introduced in the early 1990s as a means of enhancing security for dial-up internet access. Traditionally, IT admins and DevOps engineers leveraged RADIUS servers in conjunction with their on-prem network access points and core identity provider (IdP) for computer networks.
For this use case, a dedicated RADIUS server (most commonly FreeRADIUS) is integrated into the existing network infrastructure by connecting it to a network access point or virtual private network (VPN). The RADIUS server is subsequently connected to the core directory service or IdP, which has historically been Microsoft® Active Directory® (AD).
In doing so, users are prompted to provide their core user credentials to gain access to a RADIUS-enabled network—rather than a shared SSID and passphrase, for example. As a result, network access is more secure because users must leverage their unique user credentials to authenticate, which are managed by IT administrators.
Developed in the late 1980s, MFA was initially used in the financial services space for chip-and-PIN credit card payments and ATMs. In this use case, MFA leverages something that you have (e.g., a physical credit/ATM card) and something that you know, such as your personal identification number (PIN).
MFA for modern computer networks works in much the same way: it leverages something that you know (i.e., your password) and something that you have, such as a hardware token or, in more modern implementations, a smartphone. With this approach, IT admins generally need to integrate a dedicated MFA solution with their core IdP.
In doing so, IT organizations can leverage the core IdP to authenticate core user credentials and secure MFA tokens. As a result, IT admins can add a layer of security to the RADIUS authentication workflow that is more or less convenient.
So, How Do You Implement RADIUS MFA?
Fortunately, as more IT infrastructure moves to the cloud and shifts away from a Microsoft foundation, the implementation of RADIUS and MFA is moving with it. Now, a SaaS RADIUS service is eliminating the need for an on-prem RADIUS and directory services infrastructure. Called Directory-as-a-Service®, this modern identity provider is integrating a wide range of identity services into one cloud-hosted platform.
As part of the RADIUS authentication path (namely for VPNs), IT admins and DevOps engineers can add multi-factor authentication. In doing so, end users simply input their MFA token, generated by an MFA authenticator such as Google Authenticator or Microsoft Authenticator, in addition to their core user password. As a result, network security is enhanced significantly, which helps IT organizations ensure that only the right people are accessing their VPN infrastructure or RADIUS-enabled networks.
Deploy RADIUS MFA Today
JumpCloud RADIUS MFA is currently in early access (EA) for paying customers only. Please email firstname.lastname@example.org or reach out to your account manager to request EA to RADIUS MFA. Sign up for a JumpCloud account and check out everything else JumpCloud has to offer free for up to 10 users.