What is the RADIUS protocol?
RADIUS is a network protocol that is used to authenticate and authorize user access to a network whether that is remote or on-prem. RADIUS is also the protocol used to access the infrastructure gear that runs the network. The term RADIUS is an acronym that stands for Remote Authentication Dial-In User Service.
First introduced in 1991, RADIUS has remained a powerful tool for managing network user access. To understand why, let’s take a look at the evolution of the RADIUS protocol through the years.
According to John Vollbrecht, founder of Interlink Networks and a central figure in the emergence of the RADIUS protocol, the RADIUS story began in 1987 when the National Science Foundation (NSF) awarded a contract to Merit Network Inc. to expand NSFnet (i.e., the precursor to the modern internet).
Merit Network Inc. was a non-profit corporation hosted at the University of Michigan that had been developing a proprietary network authentication protocol to connect universities throughout Michigan. At the time, most networks leveraged proprietary protocols and were exclusive in this way. The NSF contract to expand NSFnet was an effort to bring the internet to the public.
In order to do so, however, Merit’s proprietary network had to be converted to the IP-based network of NSFnet. Merit then solicited proposals from vendors to develop a protocol that could support Merit’s dial-in authentication approach but for IP-based networks. They received a response from a company called Livingston Enterprises, whose proposal basically contained the description of the RADIUS protocol. Merit Networks Inc. accepted the proposal from Livingston Enterprises in 1991, and the RADIUS protocol was born.
How Does RADIUS Work?
RADIUS leverages the client/server model for authenticating network user access. In practice, a user request for network access is sent from a client such as a user system or a WiFi access point to a RADIUS server for authentication. RADIUS servers are typically coupled with a separate core identity provider (IdP) database (a.k.a., directory service) that acts as the source of truth for user identities. Note that a RADIUS server can store user identities, but most organizations don’t opt for this route as the identity is locked into the RADIUS platform rather than being available to all types of IT resources.
As users attempt to access a remote, RADIUS-protected network, they are challenged to provide their unique user credentials that are associated with their user identity stored in the associated directory database (whether it’s cloud-based or on-prem). Once provided by the user, the credentials are then transported from the client to a RADIUS server via a supplicant (a program responsible for making login requests to a wireless network).
In simpler terms, authentication requests and credentials are sent from the user’s device via the supplicant to a RADIUS-backed networking device — think WiFi access point or VPN server. The RADIUS-backed networking device then forwards authentication requests to the RADIUS server for authentication. Upon receiving the user authentication request and credentials, the RADIUS server then validates the user’s credentials against the associated directory services database.
If the user’s credentials match the information stored in the associated directory database, valid authorizations are sent back to the RADIUS client to initiate the connection to the network. If not, a rejection notice is issued. In the case of a successful authentication, the RADIUS server can also place the user in a particular VLAN or challenge for an additional factor of access via MFA.
Get an in-depth look at exactly how RADIUS works in our Definitive Guide to RADIUS.
Modern RADIUS Limitations
The RADIUS protocol has proven to increase network security and control, but this is not without certain challenges. This is especially true for newer, cloud-forward IT organizations. For example, RADIUS has historically been an on-prem implementation that effectively required existing on-prem identity and access management (IAM) infrastructure to operate (e.g., directory server, RADIUS server, routers, switches, load balancers, etc.).
This setup can be difficult and costly to achieve. Further, on-prem identity management infrastructure has been largely focused on Microsoft Windows, with Microsoft Active Directory (AD) acting as the core identity provider. To be fair, AD does offer its own ancillary RADIUS functionality (in the form of another server called Windows Server NPS – Network Policy Server).
However, as the modern IT landscape continues to diversify, many IT organizations are moving away from implementing AD on-prem due to its numerous limitations in cross-platform and hybrid-cloud environments — especially now during the COVID pandemic with remote work being so critical.
In fact, many IT organizations are shifting their entire on-prem identity management infrastructure to the cloud with AD alternatives. This approach comes with a variety of benefits such as increased agility and reduced costs, but without anything on-prem, how do IT organizations continue to provide secure RADIUS authentication and keep their networks – whether WiFi or VPN – secure?
RADIUS Authentication From the Cloud
Fortunately, a next generation cloud-based identity and access management (IAM) solution has emerged that provides Cloud RADIUS as a microservice. This solution is called JumpCloud Directory Platform® which not only offers cloud-based RADIUS authentication, but it also serves as a comprehensive cloud-based AD alternative. This is because the JumpCloud platform is the first cloud-based directory platform to take a cross-platform, vendor-neutral, protocol-driven approach to managing modern IT networks — whether they are remote or on-prem.
By implementing this platform, IT teams can securely manage and connect users to their systems, applications, files, and – specifically as it relates to this article – networks via RADIUS regardless of platform, protocol, provider, and location. In doing so, administrators are free to leverage the best IT resources for their organization with the peace of mind that comes from knowing they can effectively manage the entire network using web-based RADIUS authentication.
Learn More About the RADIUS Protocol
If you’re seeking a comprehensive RADIUS solution, try JumpCloud’s Cloud RADIUS for free for up to ten users by simply signing up for our cloud directory platform. Your JumpCloud Free account not only gives you access to Cloud RADIUS, but also to the full functionality of the platform.
If anything else comes up, you can also contact the JumpCloud team to answer any questions (hit us up on our 24×7 premium in-app chat support during the first 10 days), or check out the following short video to learn about the best practices for WiFi security.