Context-Aware Authentication with Cloud Radius
A report from the analyst firm Forrester suggests that 80% of data breaches occur due to weak credentials. There were simpler days when data on a network was believed to be safe, but that is no longer the case. The stakes are higher now, with more and more threat vectors and Layer 2 attacks.
Organizations are constantly trying to secure their networks through better authentication protocols. Lately there has been a lot of talk about two-factor and multi-factor authentication (MFA) for better network security. Still, the MFA process adds a lot of friction for users, which makes a good case for context-aware authentication.
What is Context-Aware Authentication?
Context-aware authentication may sound tricky, but it is exactly what its name says. It adds context to authentication by basing network access decisions on factors like user behavior, device management status, or location. The idea is to establish a sufficient degree of confidence that it is the intended user accessing the network and not a malicious actor.
Context-aware authentication offers the following benefits:
- Context-aware authentication adds another layer of security on top of the other security methods in use.
- Organizations that deal with highly sensitive information can set time-based, demographic-based, or user-based access policies for granular control over the network.
- Context-based authentication streamlines close monitoring of user and system identities and supports business needs by decreasing the risk of network sabotage and malicious attacks.
How does Context-Based Authorization work?
As an organization, you can use certain conditions to restrict access to the network or resources for a certain set of users. Admins can set up access security based on one or a combination of the following conditions:
- The user's geographic location
- The user’s device
- Role in the organization
- Login time
- Last login time
Context-based access parameters are also called policies. As an admin, you can set a policy requiring multi-factor authentication for an employee who signs in from a device other than their usual one. Authentication completes as soon as the user satisfies the policies set by the organization.
Context-based authorization helps improve network security without inconveniencing users. It adds context to MFA by authenticating users against the pre-set conditions.
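As an added illustration (not code from SecureW2 or from this post), here is a small policy evaluator in Python that applies the five conditions listed above and implements the unknown-device rule from the paragraph; the users, devices, countries, working hours and dormancy threshold are constructed values, and the specific rules are assumptions about what an admin might configure.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Constructed policy inputs (hypothetical values): devices each user is known to sign in
# from, countries sign-ins are expected from, working hours and the dormancy threshold.
KNOWN_DEVICES = {"alice": {"laptop-0001"}, "bob": {"laptop-0002", "phone-0002"}}
ALLOWED_COUNTRIES = {"US", "CA"}
WORK_HOURS = (7, 20)                 # start hour inclusive, end hour exclusive
DORMANT_AFTER = timedelta(days=90)
NOW = datetime(2024, 3, 4, 10, 0)    # constructed login timestamp for demonstration

@dataclass
class LoginContext:
    user: str
    device_id: str
    role: str
    country: str
    login_time: datetime
    last_login: Optional[datetime]   # None when no previous login is on record

def evaluate(ctx: LoginContext) -> Tuple[str, List[str]]:
    """Return (decision, reasons); decision is ALLOW, MFA or DENY. DENY outranks MFA,
    which outranks ALLOW; every rule that fires is recorded for the accounting log."""
    decision = "ALLOW"
    reasons: List[str] = []

    def escalate(level: str, why: str) -> None:
        nonlocal decision
        reasons.append(why)
        if level == "DENY" or (level == "MFA" and decision == "ALLOW"):
            decision = level

    # Geographic location: a sign-in from outside the allowed countries is refused.
    if ctx.country not in ALLOWED_COUNTRIES:
        escalate("DENY", f"location {ctx.country} is not permitted")
    # Device: the post's own example, a sign-in from an unusual device requires MFA.
    if ctx.device_id not in KNOWN_DEVICES.get(ctx.user, set()):
        escalate("MFA", f"device {ctx.device_id} has not been used by {ctx.user} before")
    # Role in the organization: privileged roles always step up.
    if ctx.role == "admin":
        escalate("MFA", "privileged role")
    # Login time: outside working hours.
    if not WORK_HOURS[0] <= ctx.login_time.hour < WORK_HOURS[1]:
        escalate("MFA", f"login at {ctx.login_time:%H:%M} is outside working hours")
    # Last login time: a dormant account is treated like a new one.
    if ctx.last_login is None or ctx.login_time - ctx.last_login > DORMANT_AFTER:
        escalate("MFA", "no recent login on record")
    return decision, reasons
```

The reasons list is what you would write to the RADIUS accounting log so that a step-up or refusal can be explained afterwards.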
How do you add identity context to network traffic?
Adding Identity Context with X.509 Certificates
An X.509 certificate is considered the holy grail of personal identity in network security. An admin can configure an X.509 certificate with many attributes that add identity context to an authentication request. Some common attributes are:
- Subject Alternative Name (SAN), which is itself a collection of several identity-related attributes
- UPN or email address
- First and last name
- Device ID, which is unique to each device in an MDM
- Group to which the user is assigned, such as Human Resources or Engineering
- MAC address (less common now, as MAC addresses are often randomized)
Adding device context to a network
As an admin, you can add device context to a network by collecting and using device information as devices access the network. Device context is added in the following steps:
- Identifying a device
- Collecting device information
- Implementing a managed RADIUS
Identifying a device
The first step in adding device context to a network is being able to identify a device on it. An admin can identify a user or a device on a network by unique attributes such as names, email IDs, and MAC addresses.
User context identifies users based on unique attributes such as the username, Common Name, SAN-UPN, and SAN-Email, whereas device context identifies devices based on attributes such as the device ID and MAC address. When you add digital certificates to your devices, you can identify a device by its unique MAC address, name, and location, as these are stored in every certificate.
Collecting device information
After identifying a device, more information about it is collected. Details such as make, model, whether it is managed or BYOD, and which antivirus and other security features are enabled on it can all be used to add context.
RADIUS accounting records capture user activity, authentication attempts, and events. This information provides valuable insight for troubleshooting and for securing the network against threats.
Implementing a Managed RADIUS
A managed RADIUS like the JoinNow Cloud RADIUS uses device identity context to detect any unusual or malicious activity on your network. This is done by performing an identity lookup in the directory during or after authentication.
During Identity Lookup, Cloud RADIUS communicates with your Identity Provider to get the most up-to-date information on a user or device. This allows Cloud RADIUS to apply current policies, even if you haven’t been able to update or revoke a device’s certificate.
Deploying network policies
An admin can use device identity context to implement customized network policies for all the users in the organization. VLAN segmentation is well suited to separating users by device type: BYOD devices can be placed on a different network from managed devices.
Device identity context is key to implementing network-based access control effectively. Identity-based access management and zero-trust network architecture, the two core components of NAC, benefit greatly when machine identity context is applied.
Monitoring user/device behavior
With the help of a dynamic RADIUS, useful data can be collected and any malicious activity can be cut off immediately. RADIUS also provides Change of Authorization (CoA), which updates a user's authorization or network access after authentication has already taken place.
What is the RADIUS Identity Lookup Policy?
Identity lookup occurs during the RADIUS authentication process. SecureW2's solution starts with the user or device requesting access to your network by presenting their certificate to Cloud RADIUS.
Cloud RADIUS then communicates with your Identity Provider to verify the most current information on that user or device and confirm any policy changes that may apply to them. This adds security to the authentication process by guaranteeing that current access policies are enforced. It is vital in scenarios where an administrator has made a change in the Identity Provider but has not yet pushed it out to certificates.
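The identity lookup described here and under "Implementing a Managed RADIUS", together with the group-based VLAN segmentation above, as an added Python example (not SecureW2's or Cloud RADIUS's code): the directory snapshot, certificate attributes, VLAN numbers and revocation list are all constructed, and the certificate is assumed to have already been parsed into a dict of the attributes listed earlier.

```python
from datetime import date

# Constructed directory snapshot standing in for the Identity Provider that the
# RADIUS server queries at authentication time (hypothetical entries).
DIRECTORY = {
    "alice@example.com": {"enabled": True, "group": "Engineering", "managed_devices": {"D-1001"}},
    "bob@example.com": {"enabled": False, "group": "Engineering", "managed_devices": {"D-1002"}},
    "carol@example.com": {"enabled": True, "group": "Contractors", "managed_devices": {"D-1003"}},
}
# Group-to-VLAN segmentation plus a separate VLAN for BYOD devices (hypothetical IDs).
VLAN_BY_GROUP = {"Engineering": 10, "HumanResources": 20, "Contractors": 30}
BYOD_VLAN = 40
REVOKED_SERIALS = {"0x2a"}        # constructed stand-in for the CRL
TODAY = date(2024, 6, 1)          # constructed "current date" for the validity check

def sample_cert(**overrides) -> dict:
    """Constructed identity context of alice's certificate, with optional overrides."""
    base = {"serial": "0x10", "not_after": date(2025, 1, 1), "upn": "alice@example.com",
            "group": "Engineering", "device_id": "D-1001"}
    base.update(overrides)
    return base

def authorize(cert: dict, today: date) -> dict:
    """Decide access for a certificate presented during RADIUS authentication.
    Returns {"access": "accept" | "reject", "vlan": int | None, "reason": str}."""
    def reject(reason: str) -> dict:
        return {"access": "reject", "vlan": None, "reason": reason}

    # 1. Checks on the certificate itself, which any RADIUS server performs.
    if cert["serial"] in REVOKED_SERIALS:
        return reject("certificate revoked")
    if cert["not_after"] < today:
        return reject("certificate expired")
    # 2. Identity lookup: a valid certificate is not enough; the directory decides
    #    whether the identity still exists and is enabled.
    entry = DIRECTORY.get(cert["upn"])
    if entry is None or not entry["enabled"]:
        return reject("identity unknown or disabled in directory")
    # 3. Authorization uses the directory's current group, not the group attribute
    #    baked into the certificate, so a policy change applies without reissuing.
    device_id = cert.get("device_id")
    if device_id is None or device_id not in entry["managed_devices"]:
        return {"access": "accept", "vlan": BYOD_VLAN, "reason": "unmanaged device placed on BYOD VLAN"}
    return {"access": "accept", "vlan": VLAN_BY_GROUP[entry["group"]],
            "reason": f"managed device, group {entry['group']}"}
```

A certificate whose group attribute still says Engineering lands on the Contractors VLAN as soon as the directory moves the user there, which is the point of looking the identity up rather than trusting the certificate alone.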
Implementing Context-Aware Authentication with Certificates
SecureW2 has added more value to RADIUS authentication by implementing identity context with X.509 digital certificates. Our Managed PKI enrolls managed devices through our gateway APIs and frees you from configuration woes. The managed PKI is fully configured to run out of the box, avoiding any setup complexities. The Extended Key Usage (EKU) extension specifies the purpose of each certificate rather than issuing certificates with no defined purpose.
Our Managed PKI can also customize policies based on identity attributes. The PKI covers every step from enrollment and authentication to identity lookup, and strengthens access control rules. Admins can configure security policies and set up the Cloud RADIUS server to dynamically authorize users and devices into their respective groups.