RADIUS as a Service (RaaS) without LDAP Dependency
Every month, hundreds of really smart IT and Security professionals reach out to us and ask us the same question:
“How do I connect my Cloud Identity Provider (Azure, Okta, Google..etc) to my RADIUS Server?”
Some people propose using LDAP as a means to connect their RADIUS Server to their Cloud Identity Provider. But this often means maintaining duplicate Identity Providers, hosting servers on-premise, and honestly is just plain difficult to set up.
Luckily, there are RADIUS as a Service (RaaS) providers that work directly with Cloud Identity Providers and don’t depend on LDAP protocols or servers.
Why Shouldn’t LDAP be used for RaaS?
While LDAP is still an effective and widely used protocol, there are two main reasons why organizations prefer other protocols when it comes to RADIUS Authentication.
- RaaS using LDAP typically relies on having an on-premise Identity Provider.
- LDAP was necessary for password-based protocols but is not necessary for passwordless authentication such as EAP-TLS.
First, we will start with why there is an industry shift towards Cloud Identity Providers.
Why RaaS with Cloud Identities is the Future
Cloud Identity Providers like Okta, Azure, Google, and many others have become fundamental pieces of a Zero Trust security architecture. They allow you to use all sorts of attributes to quickly make complex security decisions. While it’s straightforward to control application access with most IDPs, controlling network authentication is not a trivial feat.
While many know how to configure network authentication with an on-premise Identity like Active Directory, there are several reasons why most organizations are moving away from their on-prem servers:
- Scalability
- Physical Server needs (installation, space, infrastructure, configuration, IT team)
- On-site dangers
- Active Vulnerabilities
- Hassle of maintaining and updating systems
And the list goes on…
When you use a RaaS that is designed to talk to your Cloud Identity Provider natively, like Cloud RADIUS, you can extend your policies to Wi-Fi and VPN authentication in real-time.
In addition, when used in conjunction with certificates, you can identify which devices are trusted, and make decisions like VLAN assignments based on Device Trust. There are several other reasons why organizations are moving to Passwordless RaaS, so let’s talk about that next!
Passwordless RaaS… is Also the Future!
One of the main reasons behind the LDAP protocol’s design was to authenticate user and device identities using passwords. It served as a way for a RADIUS Server to constantly communicate with the on-premise Identity Provider and validate that the credentials provided by the user/device were accurate, and that the user/device still existed.
But with most organizations opting to use passwordless forms of authentication, such as Digital Certificates, LDAP is not necessary for RADIUS authentication anymore. Now, there are protocols such as SCEP, SAML, and OAuth that do a better job of verifying identity than LDAP.
The diagram above shows how the solution works at a high level. Most often, customers want to use the SCEP protocol to enroll all their managed devices for certificates. Other times, they will use SAML to enroll their unmanaged devices, using our JoinNow MultiOS self-service software. Lastly, our Cloud RADIUS RaaS will use OAuth on an ongoing basis to validate user/device identities in real-time and change authorized access depending on the results of the lookup.
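To make the decision flow concrete, here is an added illustration (not Cloud RADIUS code and not part of the original post) of why the live identity lookup still matters after a certificate has been presented: EAP-TLS proves possession of a valid certificate, but only the real-time IdP check lets an offboarded account be refused before that certificate expires. The `ClientCert` class, the `IDP_DIRECTORY` dict standing in for the OAuth-authorized lookup result, and the VLAN values are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample clock and certificate expiry used by the examples below.
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
EXPIRY = datetime(2025, 1, 1, tzinfo=timezone.utc)


@dataclass
class ClientCert:
    """Outcome of the EAP-TLS handshake, as the RADIUS policy sees it (assumed shape)."""
    subject: str          # identity carried in the certificate, e.g. a UPN
    issuer_trusted: bool  # chain validated against the enrollment CA
    not_after: datetime   # certificate expiry (UTC)
    managed_device: bool  # True if enrolled via SCEP, False if via SAML self-service


# Constructed stand-in for what the real-time IdP lookup returns per subject.
IDP_DIRECTORY = {
    "alice@example.com": {"active": True, "groups": ["engineering"]},
    "bob@example.com": {"active": False, "groups": ["engineering"]},  # offboarded
}

VLAN_BY_GROUP = {"engineering": 10, "finance": 20}  # constructed mapping
RESTRICTED_VLAN = 99


def authorize(cert: ClientCert, now: datetime = NOW, idp=IDP_DIRECTORY):
    """Return (accept, vlan, reason) for one RADIUS access request."""
    if not cert.issuer_trusted:
        return (False, None, "untrusted issuer")
    if now >= cert.not_after:
        return (False, None, "certificate expired")
    # Live identity check: a still-valid certificate is not enough on its own.
    record = idp.get(cert.subject)
    if record is None or not record["active"]:
        return (False, None, "identity not active in IdP")
    if not cert.managed_device:
        return (True, RESTRICTED_VLAN, "unmanaged device: restricted VLAN")
    for group in record["groups"]:
        if group in VLAN_BY_GROUP:
            return (True, VLAN_BY_GROUP[group], f"group {group}")
    return (False, None, "no VLAN mapping for identity")


if __name__ == "__main__":
    print(authorize(ClientCert("alice@example.com", True, EXPIRY, True)))
    print(authorize(ClientCert("bob@example.com", True, EXPIRY, True)))
```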
In conclusion, it is very possible and actually preferred by most organizations to use a RaaS platform without LDAP. It’s more secure, costs less to set up and manage, and enables secure passwordless authentication.
If you’d like to learn more about how your organization can architect a solution like this, reach out to us today and one of our Engineers will happily answer any questions you might have.