By Vince Lujan Posted October 25, 2017
WiFi is all around us. It has become an essential IT resource in the modern office and in our personal lives. With so many modern devices sending and receiving information via WiFi at any given moment, it’s a marvel how our devices make sense of it all so quickly.
Yet, while WiFi has revolutionized the way we access information worldwide, WiFi authentication has also introduced new security risks. The challenge for IT today is securing their wireless networks, ensuring that only the right people are authorized for access. We’ll explain how this is possible by using the RADIUS protocol, but first we’ll take a step back and answer the question, “What is WiFi authentication?”
From Wired to WiFi
WiFi has a long and fascinating history stretching back to the 1970s. It was largely experimental until the term WiFi was coined for commercial use in 1999 and the technology was subsequently distributed worldwide. Prior to that, systems communicated over network cables physically attached to them.
There were a few approaches to authenticating user identities to gain access to wired networks. However, there wasn’t a standard for users authenticating for access to networks until Microsoft Active Directory® (AD) was released in 2000.
AD was built to manage on-prem infrastructure including managing access to wired networks. AD accomplished this by implementing a domain controller, which was essentially the gatekeeper controlling access to the network.
This approach was great for wired networks. However, WiFi also began to take off around the year 2000 and brought about major changes throughout the industry.
The Challenge with WiFi
The trouble with WiFi was that it presented new challenges for authenticating user identities. Users no longer needed to be physically tethered to the network by cable. Instead, users could wirelessly access the network from anywhere in range of the wireless access point (WAP).
AD, which was new at the time, struggled to control access to these resources operating outside of the AD domain. This presented a security risk, as IT admins could no longer authenticate user identities with traditional approaches.
There were a few paths to a solution at the time. One was to separate the WiFi network and enable it to access the Internet. If you needed to access on-prem applications or resources, you would VPN into the network just as if you were remote. Here, WiFi authentication consisted of an SSID and a password shared across all users of that particular network. There wasn’t really a connection to the main network, even though the WiFi network was located alongside the internal network; it operated more as a separate network for a variety of reasons.
Another path was to simply use an SSID and passphrase and let anybody who had them onto the network. The user could subsequently authenticate to the directory service, but even if that authentication failed, they would still have access to the WiFi network.
Yet another path was to use the RADIUS authentication protocol to authenticate access to the WiFi network, with RADIUS subsequently authenticating that access against Active Directory. The RADIUS server was the intermediary between the WiFi access point and the core identity provider. RADIUS was able to speak to the WiFi access points and then translate for the directory to authenticate user access. Of course, the downside of this approach was more servers, more integration, and more configuration on end user devices.
Secure WiFi Authentication with RADIUS
Today, the SSID and password model is still the most widespread approach to controlling access to a particular network. While effective at keeping the majority of unauthorized users out, it is far from a perfect system as it does not restrict access on an individual basis.
Instead, it is not uncommon for the SSID and passphrase to be shared across multiple users or posted in a public area. This café-style access is great when it comes to convenience, but not when it comes to security.
For example, former employees often retain access to the network and attached resources long after they shouldn’t, and once the secret is out it is difficult to restrict access beyond changing the password. While changing the password sounds simple enough, this approach can become a real pain as organizations start to scale. As a result, IT admins have again found themselves in need of a better way to manage access to networks – it’s just wireless this time.
Interestingly, RADIUS has re-emerged as the preferred option after being adapted for wireless implementations. RADIUS is a networking protocol that was initially designed for authenticating dial-in users back in the days of wired networks.
RADIUS was repurposed for use with WiFi, and has become a preferred option for a lot of organizations. The concept works in much the same way as it did for wired networks. The primary difference is that instead of turning off ports on the LAN switch, RADIUS authentication restricts access to wireless networks.
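The exchange described above, with the access point on one side and the RADIUS server consulting a per-user directory on the other, as an added example (not code from the original article or from JumpCloud). It follows the RFC 2865 packet layout but uses the simple User-Password attribute for brevity, whereas WPA-Enterprise deployments carry EAP inside RADIUS; the user names, passwords and shared secret are constructed sample values.

```python
import hashlib, hmac, os, struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3   # RFC 2865 packet codes
USER_NAME, USER_PASSWORD = 1, 2                          # RFC 2865 attribute types

def _mask(data, secret, authenticator, decrypt=False):
    # RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous ciphertext block).
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        res = bytes(a ^ b for a, b in zip(block, hashlib.md5(secret + prev).digest()))
        out, prev = out + res, (block if decrypt else res)
    return out

def build_access_request(ident, user, password, secret):
    # Access point side: the password is hidden under the AP<->server shared secret.
    ra, pw = os.urandom(16), password.encode()
    hidden = _mask(pw + b"\x00" * (-len(pw) % 16), secret, ra)
    attrs = b"".join(struct.pack("!BB", t, len(v) + 2) + v
                     for t, v in ((USER_NAME, user.encode()), (USER_PASSWORD, hidden)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + ra + attrs

def handle_request(packet, secret, directory):
    # RADIUS server side: parse attributes, then decide for this one user only.
    _, ident, length = struct.unpack("!BBH", packet[:4])
    ra, attrs, pos = packet[4:20], {}, 20
    while pos < length:
        t, l = packet[pos], packet[pos + 1]
        if l < 2:
            raise ValueError("malformed attribute")
        attrs[t], pos = packet[pos + 2:pos + l], pos + l
    pw = _mask(attrs[USER_PASSWORD], secret, ra, decrypt=True).rstrip(b"\x00")
    entry = directory.get(attrs[USER_NAME].decode())
    ok = bool(entry and entry["active"] and hmac.compare_digest(pw, entry["password"]))
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    return header + hashlib.md5(header + ra + secret).digest()   # Response Authenticator

def ap_accepts(reply, request, secret):
    # AP side: trust only a reply whose authenticator proves knowledge of the secret.
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    if reply[1] != request[1] or not hmac.compare_digest(expected, reply[4:20]):
        raise ValueError("forged or mismatched RADIUS reply")
    return reply[0] == ACCESS_ACCEPT

def demo():
    secret = b"constructed-ap-secret"   # constructed; a real directory stores hashes
    directory = {"alice": {"password": b"alice-pw", "active": True},
                 "bob": {"password": b"bob-pw", "active": True}}
    def join(ident, user, pw):
        req = build_access_request(ident, user, pw, secret)
        return ap_accepts(handle_request(req, secret, directory), req, secret)
    before = (join(1, "alice", "alice-pw"), join(2, "bob", "bob-pw"))
    directory["bob"]["active"] = False  # offboard bob only; alice is untouched
    return before, (join(3, "alice", "alice-pw"), join(4, "bob", "bob-pw"))
```

Calling `demo()` shows both users admitted, then only the deactivated user rejected, with no change to anyone else's credentials or to the access point's configuration.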
WiFi Authentication with RADIUS-as-a-Service
Directory-as-a-Service® elevates RADIUS to the next level by moving network access management to the cloud. The key advantage is that IT admins can now manage network access remotely from anywhere with an internet connection.
Further, since JumpCloud delivers RADIUS-as-a-Service, IT admins don’t even have to go through the trouble of setting it all up. They simply point their wireless access points at the JumpCloud managed RADIUS server and provision access on an individual basis. Then, users can leverage their unique JumpCloud credentials to gain access to the network – the same credentials used to authenticate against the entirety of an organization’s IT resources.
The benefit for IT is additional WiFi management capabilities, including the ability to revoke an individual user’s access at a moment’s notice. This is a major boost to organizational security. End users also benefit because they have one less password to remember and do not have to worry about sharing login credentials with anyone else. The best part is that WiFi authentication with RADIUS is but one small part of the greater Directory-as-a-Service platform.
Directory-as-a-Service goes much further to provide seamless management capabilities for user identities, systems (e.g. Windows, Mac, Linux), applications (e.g. SAML, LDAP), directories (e.g. Active Directory, Office 365, G Suite, LDAP), authenticating against file servers using Samba, GPO-like capabilities with commands, and much more. All of this is secure, reliable, and accessible from anywhere with an internet connection.
To learn more about what WiFi authentication is and how JumpCloud’s RADIUS-as-a-Service can benefit your organization, drop us a note. You can also sign up for a free IDaaS account and secure your network today. Your first ten users are free forever.