RADIUS Server User Management Best Practices
Proper user management is a critical part of maintaining a strong, secure RADIUS server. It’s vital that you keep tabs on all of your users so you can maintain a strong security perimeter.
Fortunately, most major user management concerns can be ameliorated with a robust management suite, like the one provided by CloudRADIUS.
Here are the best preemptive solutions to common problems we see for customers setting up or maintaining RADIUS servers.
What is RADIUS Server User Management?
The name says it all. User Management is the process of configuring your RADIUS server to control who has access to what.
A good RADIUS Server user management toolbox has everything you need to easily and effectively manage users and maintain security:
- Generate, configure, and revoke user profiles and permissions
- Customizable group policies
- Identity lookup with active/inactive status information
Currently, the most common method of managing users in an organization is using Microsoft Active Directory (AD) with the LDAP protocol. Another very common method is using a newer, cloud-based Identity Provider (IDP) (like Google Apps or Okta), which uses the SAML protocol to communicate with applications.
RADIUS User Management with Active Directory & LDAP Servers
Integrating AD with your RADIUS Server is straightforward, but it limits your infrastructure options. Using AD to manage users for RADIUS authentication requires hosting your directory on-premises. We’ve seen many customers have issues when they try to migrate from AD to the Azure cloud, as it requires third-party vendors like SecureW2 to support WPA2-Enterprise.
A pretty common legacy setup we see in the field is Active Directory paired with enterprise RADIUS servers like Cisco ISE or Aruba CPPM. The most commonly used authentication protocols are PEAP-MSCHAPv2 and EAP-TLS, although more and more organizations have been choosing the latter.
Both PEAP-MSCHAPv2 and EAP-TLS support a very helpful user management tool called “Identity Lookup”. Configuring Identity Lookup makes the RADIUS server look up the user’s identity in the directory during the authentication process to see if they are still an active, valid user. This is a useful capability that allows organizations to easily deny network access to users without having to delete them from the directory.
EAP-TLS has a few other mechanisms that make managing users really easy. Most PKI providers offer the ability to revoke users’ network access by appending their certificates to a Certificate Revocation List (CRL). CRLs are periodically downloaded to the RADIUS server and contain the serial numbers of all the certificates for which the organization has decided to revoke network access. During the authentication process, the RADIUS server first checks the certificate’s serial number to make sure it’s not on the CRL before authorizing network access.
RADIUS User Management with SAML-Based Identity Providers
Integrating your RADIUS Server with SAML-Based IDPs (Google, Okta, PingOne) is much less straightforward, but it doesn’t lock you into using one vendor for your infrastructure.
For EAP-TLS authentication, the integration process requires creating a SAML application in the Identity Provider and sharing metadata and a couple of unique URLs with the PKI. The SAML token is then used to enroll users for certificates after their identity has been verified.
Unlike AD setups, most RADIUS servers don’t support user lookup for SAML-Based IDPs like Google, Okta, and Azure AD. As part of our new Dynamic RADIUS service, SecureW2 can enable your RADIUS server to check user attributes stored in cloud IDPs, enabling runtime level policy decisions.
Dynamic RADIUS User Management
SecureW2’s unique Dynamic Cloud RADIUS makes user management easier than ever. Instead of an emphasis on managing digital certificates, which is the typical strategy for EAP-TLS WPA2-Enterprise networks, Dynamic RADIUS enables the RADIUS server to reference any cloud directory (Azure, Okta, Google, etc.) and make policy decisions based on user attributes.
These runtime-level policy decisions vastly reduce the complexity of user management by reducing reliance on certificates as a tool for policy enforcement and user segmentation.
Want to learn more? Read about the benefits of Dynamic Cloud RADIUS here.
Tips for RADIUS User Management
1. Use digital certificates
User management relies on being able to accurately track users, a task at which credential-based authentication regularly fails.
It’s all-too-common for people to “lend” others their login information or to create a “shared account” for access to a specific service or application. That undermines the purpose and effectiveness of RADIUS and user management in general.
In contrast to credentials, digital certificates are tied to the identity of a person or device and can’t be dissociated from it. There’s no way to “share” your login if you’re using a certificate for authentication. That means increased accountability for users – the plausible deniability that shared passwords and accounts lend is gone.
At the same time, employees will appreciate the increased convenience that certificates provide. A person with a certificate doesn’t need a password or PIN to authenticate, nor do they need to reset their password every 90 days – certificate lifetimes are measured in years, not weeks.
2. Use a Device Onboarding Tool
It’s simple, really. Without an automatic enrollment process, every new user and device has to be manually onboarded to the network. That process can’t be trusted to the layman, and it’s incredibly time consuming for IT. For any organization large enough to utilize a RADIUS server, that’s already too many people and machines to register one-by-one.
Fortunately, CloudRADIUS’s parent company, SecureW2, has a world-class device onboarding solution that can enroll users and devices for RADIUS authentication instantly. Once deployed, the JoinNow MultiOS Solution allows users to self-enroll with a quick and painless automated process.
If time and effort saved isn’t enough to convince you, consider the dangers of potential misconfiguration. The best outcome of misconfigured network security is that users can’t access the internet… The worst outcome is that anyone can access it.
When users are left to configure their own devices, they often omit a few key settings that are required to maintain effective network security. One of these settings, Server Certificate Validation, ensures that devices only authenticate to the legitimate RADIUS Server. Devices can still use the network if they forget this setting, but they are now incredibly susceptible to Evil Twin Access Points and Man-in-the-Middle attacks.
Using device onboarding software ensures that these types of settings aren’t omitted and eliminates the risk of over-the-air credential theft. Eliminate the security risk and the IT burden by using automatic device enrollment for RADIUS server authentication.
3. Keep an up-to-date CRL
Assuming you’re using certificate-based authentication for the strongest possible network security, maintaining a CRL is vital. During the authentication process, the CRL is one of the first things the RADIUS server checks against to be sure that the certificate being used is valid.
Having a certificate authority without an accompanying certificate revocation list is a dangerous proposition. A CRL is what gives you the ability to actually “revoke” certificates – otherwise, all you can do is wait for them to expire. There are lots of use cases in which revocation is preferable to, or necessary instead of, waiting for expiration:
- A device is lost or stolen
- An individual leaves the organization
- An intermediate CA is compromised
Since a CRL is trivially easy to set up, there’s no excuse not to have one. SecureW2’s complementary PKI services include an automatically generated and updated CRL. All of your certificates can be managed from the intuitive and simple management portal, and any revoked certificates are automatically sent to the CRL.
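The authorization order described above (certificate validity, CRL check, then the directory Identity Lookup from the Active Directory section), as an added example rather than code from CloudRADIUS or SecureW2; the CRL and directory records are constructed stand-ins for a parsed X.509 CRL and an LDAP lookup, and a stale CRL is treated as a fail-closed condition.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed stand-ins for a parsed CRL and a directory lookup result;
# a real RADIUS server would parse the CA's X.509 CRL and query AD/LDAP.
@dataclass
class Crl:
    this_update: datetime
    next_update: datetime          # the CRL is stale once now > next_update
    revoked_serials: set = field(default_factory=set)

@dataclass
class ClientCert:
    serial: int
    subject_user: str              # identity the RADIUS server looks up
    not_after: datetime

def authorize(cert: ClientCert, crl: Crl, directory: dict, now: datetime) -> tuple:
    """Return (allowed, reason): certificate validity, CRL freshness,
    revocation status, then Identity Lookup against the directory."""
    if now > cert.not_after:
        return False, "certificate expired"
    # Fail closed on a stale CRL: an outdated list cannot prove the cert is unrevoked.
    if now > crl.next_update:
        return False, "CRL stale: refresh before trusting revocation status"
    if cert.serial in crl.revoked_serials:
        return False, f"serial {cert.serial:x} is on the CRL"
    # Identity Lookup: the account must still exist and be active in the directory.
    status = directory.get(cert.subject_user)
    if status is None:
        return False, "user not found in directory"
    if status != "active":
        return False, f"user is {status}"
    return True, "authorized"

# Constructed sample data (hypothetical users and serial numbers).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
DIRECTORY = {"alice": "active", "bob": "disabled"}
FRESH_CRL = Crl(NOW - timedelta(hours=6), NOW + timedelta(days=1), {0x2B})
STALE_CRL = Crl(NOW - timedelta(days=30), NOW - timedelta(days=23), {0x2B})
ALICE = ClientCert(0x1A, "alice", NOW + timedelta(days=365))
ALICE_OLD_LAPTOP = ClientCert(0x2B, "alice", NOW + timedelta(days=365))  # revoked
BOB = ClientCert(0x3C, "bob", NOW + timedelta(days=365))

if __name__ == "__main__":
    for c in (ALICE, ALICE_OLD_LAPTOP, BOB):
        print(c.subject_user, hex(c.serial), authorize(c, FRESH_CRL, DIRECTORY, NOW))
    print("stale CRL:", authorize(ALICE, STALE_CRL, DIRECTORY, NOW))
```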
CloudRADIUS is the Best RADIUS Server User Management Solution
Good user management is the key to secure and effective RADIUS, and our solution puts all the control in your hands. You can customize every aspect of your RADIUS and PKI with our powerful, single-pane dashboard management interface.
Features include:
- Ability to see who your RADIUS authorizes in real time
- Logs that record user and device authentication history
- Backed by SecureW2’s best-in-class Device Onboarding and Managed PKI Services
Most importantly, CloudRADIUS is the only solution in the industry that won’t leave you vulnerable to over-the-air credential theft. CloudRADIUS and SecureW2 have affordable options so organizations of all shapes and sizes can protect their users and improve their network security. Check out our pricing today to see how you can improve your Security ROI.