How RADIUS Improves Wi-Fi Security | Wi-Fi RADIUS Authentication
As Wi-Fi networks continue to expand, they have become a popular target for hackers. Cybercriminals have designed countless types of attacks, including man-in-the-middle (MITM) attacks, to target users on wireless networks. But with the right defensive measures and technology, such as a RADIUS server for Wi-Fi, organizations can protect their networks from attack.
A Remote Authentication Dial-In User Service (RADIUS) server for Wi-Fi protects your networks by ensuring only authorized users can access them. RADIUS servers are seeing increased use across all types of businesses due to the wide array of security benefits they offer.
In this article, we’ll examine what a RADIUS server can do for a Wi-Fi network, how Wi-Fi RADIUS authentication works, and why organizations should consider deploying a RADIUS server for their Wi-Fi.
What Is a RADIUS Server?
A RADIUS server is an authentication server that prevents unauthorized access to wired and wireless networks, as well as VPNs. RADIUS servers are sometimes called AAA servers because they have authentication, authorization, and accounting capabilities:
- Authentication: When users or devices initially request access to the network, RADIUS servers authenticate them.
- Authorization: RADIUS servers can also reference a directory of user information to determine the level of authorization individuals should be granted once they’ve been verified.
- Accounting: RADIUS servers create RADIUS event logs that provide a detailed snapshot of the devices accessing a network resource, as well as audit trails for regulatory compliance.
There are many authentication protocols organizations can use alongside RADIUS. These protocols typically determine how an end user or device authenticates itself. The most popular options include credential-based authentication (username and password) and certificate-based authentication.
The Key Components of RADIUS Wi-Fi Authentication
To work successfully, RADIUS Wi-Fi authentication requires a few components beyond the standard password-based Wi-Fi authentication you see in home networks: an enterprise-grade wireless access point, the RADIUS server itself, and a shared secret that the access point (the RADIUS client) and the server use to protect the traffic between them.
You will also need to determine which authentication protocol you want to use alongside your RADIUS solution. The authentication protocol dictates which method users and devices will use to prove their identities when they request access.
RADIUS Wi-Fi Authentication Protocols
Organizations typically use one of three protocols for RADIUS Wi-Fi authentication:
- EAP-TLS: Certificate-based authentication
- PEAP-MSCHAPv2: Credential-based authentication
- EAP-TTLS/PAP: Credential-based authentication
What Is EAP-TLS?
Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) is a passwordless authentication protocol. Instead of logging into a wireless network with a username and password, the system issues digital certificates to users and devices for authentication.
A digital certificate is like a virtual photo ID: it is issued from a template and carries far more information about its holder than a password does. One major advantage of digital certificates is that they can’t be stolen or transferred, which gives administrators a much higher degree of certainty about who’s actually on their network.
Certificate-based authentication requires a Public Key Infrastructure (PKI) to manage and maintain certificates, which can be a significant barrier to entry. But with the right tools, such as onboarding technology, modern PKIs are now much easier to implement than they were in the past.
What Is PEAP-MSCHAPv2?
Protected Extensible Authentication Protocol-Microsoft Challenge Handshake Authentication Protocol version 2 (PEAP-MSCHAPv2) is a common credential-based authentication protocol. It offers some improvements over previous iterations, such as using an encrypted EAP tunnel when passwords are transmitted over the air.
The biggest flaw of PEAP-MSCHAPv2 is its dependence on passwords. Even with some improvements over its predecessors, it’s still a vulnerable authentication protocol based on a hashing algorithm that has been compromised for decades. Even Microsoft has recommended that organizations consider certificate-based alternatives to PEAP-MSCHAPv2, such as EAP-TLS.
What Is EAP-TTLS/PAP?
EAP-Tunneled Transport Layer Security/Password Authentication Protocol (EAP-TTLS/PAP) is a credential-based protocol that requires devices to verify a server certificate before connecting to a network to make sure they don’t connect to the wrong one. After verification, the device sends the user’s credentials through an encrypted EAP tunnel, much like with PEAP-MSCHAPv2.
Unfortunately, it’s easy to misconfigure devices for EAP-TTLS/PAP, and a single mistake can lead to end users sending their usernames and passwords over the air in a cleartext format, which is easy for a hacker to intercept.
How Does RADIUS Wi-Fi Authentication Work?
How RADIUS works with Wi-Fi security varies depending on the authentication protocol your network uses. In credential-based authentication protocols, credentials are sent to the RADIUS server (generally via a protected tunnel), and the RADIUS server verifies them against the directory before granting access. The directory is usually an Identity Provider (IdP), such as Entra ID, Active Directory, Google, or Okta.
With EAP-TLS, the process is a little different. The device starts by verifying the authenticity of the RADIUS server’s certificate. This prevents the user from authenticating and connecting to the wrong network, which is common in Evil Twin AP attacks. Next, the device sends its certificate to the RADIUS server, which checks whether the certificate has expired.
With the SecureW2 Cloud RADIUS platform, there’s an extra step. Cloud RADIUS integrates with all major cloud identity providers. During authentication, it can communicate directly with IdPs such as Azure AD (Entra ID), Okta, Google, or OneLogin to verify a user’s existence once their certificate’s validity is confirmed. This ensures that the system applies the most up-to-date access policies; even if you haven’t revoked the certificate yet, the user will be denied access if they’re deactivated in your IdP. Credentials aren’t sent over the air at any point during this process, protecting them from exposure.
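As an added illustration of the decision order just described (not SecureW2’s code or any product’s actual logic), the following Python checks the client certificate first (trusted issuer, validity window, revocation) and only then looks the account up in the identity provider before assigning a VLAN. The CA name, serial numbers, account records and VLAN mapping are constructed sample data; the attribute numbers used for dynamic VLAN assignment (Tunnel-Type 64, Tunnel-Medium-Type 65, Tunnel-Private-Group-ID 81) are the ones defined in RFC 2868.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass
class ClientCert:
    """The fields of an EAP-TLS client certificate that matter for the decision."""
    subject: str          # identity the certificate was issued to (UPN / e-mail)
    issuer: str           # name of the CA that signed it
    serial: int
    not_before: datetime
    not_after: datetime


@dataclass
class Decision:
    accept: bool
    reason: str
    vlan: Optional[str] = None


# Constructed sample data standing in for the PKI and the identity provider.
TRUSTED_ISSUERS = {"Example Corp Device CA"}          # hypothetical CA name
REVOKED_SERIALS = {1002}                              # what the CRL lists
IDP_RECORDS = {                                       # what the IdP reports
    "alice@example.com": {"active": True, "group": "hr"},
    "bob@example.com": {"active": False, "group": "devops"},   # offboarded user
    "carol@example.com": {"active": True, "group": "devops"},
}
VLAN_BY_GROUP = {"hr": "20", "devops": "30"}          # network access policy
NOW = datetime(2025, 1, 15, tzinfo=timezone.utc)      # the server's (NTP-synced) clock

# RFC 2868 tunnel attributes that access points use for dynamic VLAN assignment.
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE_802 = 13, 6


def authorize(cert: ClientCert, now: datetime, *, trusted_issuers=TRUSTED_ISSUERS,
              revoked=REVOKED_SERIALS, idp=IDP_RECORDS, vlans=VLAN_BY_GROUP) -> Decision:
    """Evaluate the certificate first, then the account behind it, then policy."""
    # 1. Certificate checks: trusted issuer, validity window, revocation.
    if cert.issuer not in trusted_issuers:
        return Decision(False, "issuer is not a trusted CA")
    if now < cert.not_before:
        return Decision(False, "certificate not yet valid (check clock/NTP)")
    if now > cert.not_after:
        return Decision(False, "certificate expired")
    if cert.serial in revoked:
        return Decision(False, "certificate revoked")
    # 2. Identity lookup: a valid, unrevoked certificate is still refused when
    #    the account it names no longer exists or has been deactivated.
    record = idp.get(cert.subject)
    if record is None:
        return Decision(False, "account not found in identity provider")
    if not record["active"]:
        return Decision(False, "account deactivated in identity provider")
    # 3. Policy: map the account's group to a VLAN.
    vlan = vlans.get(record["group"])
    if vlan is None:
        return Decision(False, f"no network policy for group {record['group']!r}")
    return Decision(True, "accepted", vlan)


def vlan_attributes(vlan: str) -> dict:
    """Attributes an Access-Accept would carry to place the client on `vlan`."""
    return {TUNNEL_TYPE: TUNNEL_TYPE_VLAN,
            TUNNEL_MEDIUM_TYPE: TUNNEL_MEDIUM_IEEE_802,
            TUNNEL_PRIVATE_GROUP_ID: vlan}


def sample_cert(subject: str, serial: int, issuer: str = "Example Corp Device CA",
                not_before: datetime = datetime(2024, 6, 1, tzinfo=timezone.utc),
                not_after: datetime = datetime(2025, 6, 1, tzinfo=timezone.utc)) -> ClientCert:
    """Constructed client certificate; dates default to a window that contains NOW."""
    return ClientCert(subject, issuer, serial, not_before, not_after)


if __name__ == "__main__":
    for cert in (sample_cert("alice@example.com", 1001),
                 sample_cert("bob@example.com", 1003),
                 sample_cert("carol@example.com", 1002)):
        d = authorize(cert, NOW)
        print(cert.subject, "->", "ACCEPT" if d.accept else "REJECT", d.reason, d.vlan or "")
```

Running it shows the point of the identity lookup: bob’s certificate passes every certificate check, yet he is denied because his account is deactivated, while carol is refused one step earlier because her serial is on the revocation list. Alice is accepted and the Access-Accept would carry the three tunnel attributes placing her on VLAN 20.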
What Are Some Common Use Cases for RADIUS Wi-Fi Authentication?
Organizations in virtually every industry need to authenticate users and devices, determine authorization levels for each logged-in user, and track devices from a central location. RADIUS Wi-Fi authentication delivers all these capabilities. That’s why organizations across a wide range of environments use this technology.
RADIUS Wi-Fi for Enterprise and Corporate Networks
Organizations often use RADIUS Wi-Fi security to support their bring-your-own-device (BYOD) programs. Rather than issuing pre-shared keys (PSKs) that leave networks vulnerable to attacks and mismanagement, companies deploy a RADIUS server for Wi-Fi to let employees connect their personal devices by using their directory credentials. Once users are on the network, VLAN segmentation capabilities within RADIUS can keep employees and contractors on separate network segments.
RADIUS Wi-Fi for Healthcare Organizations
The Health Insurance Portability and Accountability Act (HIPAA) has serious implications for Wi-Fi security at healthcare organizations. Many organizations rely on WPA2-Enterprise with 802.1X authentication to help them protect patient data from unauthorized access. RADIUS accounting logs provide a detailed audit trail of the specific network resources each device accesses, which is essential supporting information for passing a HIPAA audit.
RADIUS Wi-Fi for Higher Education
Many higher education organizations use RADIUS to help them authenticate thousands of users at once. The Eduroam service — which lets traveling students, faculty, researchers, and staff access the internet securely at participating campuses in 100 countries — uses 802.1X authentication and a linked hierarchy of RADIUS servers to verify users through credentials provided by their home institutions.
RADIUS Wi-Fi for Multi-Site Enterprises
Companies with multiple facilities can use RADIUS to manage authentication policies centrally. Working from a single RADIUS infrastructure, rather than on separate configurations in each office, IT teams can perform tasks such as revoking a departing employee’s network access or authenticating guest users on the network.
How to Set Up a RADIUS Server for Wi-Fi
Although details may vary from platform to platform, the general steps include the following:
- Select and install RADIUS server software. You can implement on-premises or use a cloud-based RADIUS service.
- Register each wireless access point as a RADIUS client. Your access points will then act as intermediaries between end-user devices and your RADIUS server.
- Select an EAP method. Choose between EAP-TLS, PEAP-MSCHAPv2, and EAP-TTLS/PAP.
- Define your network access policies. Configure policies that give authenticated user groups appropriate levels of network access.
- Configure each access point for WPA2/WPA3-Enterprise. You’ll also need to direct each access point to your RADIUS server’s IP address.
- Enable RADIUS accounting and test your connections. RADIUS accounting will log all your session data, giving you valuable insights for troubleshooting and compliance reporting.
How to Avoid RADIUS Wi-Fi Implementation Challenges
Although RADIUS technology has proven its reliability over the years, some IT teams do run into problems during implementation. Use these strategies to maximize your chances of a successful go-live:
Configure All Certificates Carefully
Authentication often fails because a client device doesn’t trust the certificate authority (CA) that issued the RADIUS server’s certificate. Be sure to distribute this root CA certificate to all client devices before you attempt certificate-based authentication. Also, make sure you renew all your RADIUS server certificates before they expire — otherwise, you’ll experience sudden authentication failures across your network.
Set Up More Than One RADIUS Server for Wi-Fi
If your single RADIUS server goes down, all wireless users will lose network access. Consider establishing RADIUS redundancy, in which another RADIUS server takes over when the primary server fails or is overloaded. Having more than one RADIUS server helps you avoid the security risks that come with downtime.
Make Sure Firewalls Aren’t Blocking RADIUS Traffic
RADIUS authentication and RADIUS accounting use UDP ports 1812 and 1813, respectively. These ports must be open on any firewall between your access points and your RADIUS server. Otherwise, a firewall that separates your subnets will simply drop RADIUS packets.
Verify That NTP Is Working
Verify that Network Time Protocol (NTP) is working correctly on your RADIUS servers and on all client devices. NTP helps synchronize the clocks on all devices on your network. If a device’s clock is off by more than a few minutes, it may determine that the current time doesn’t fall within the validity period of the RADIUS server’s certificate. This discrepancy will prevent authentication.
Check for Shared Secret Consistency
If the shared secret isn’t identical on the RADIUS server and on the access point, all authentication attempts through that access point will fail. One way to ensure consistency while reducing security risk is to generate shared secrets at random and store them in a secrets manager.
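To make the shared secret’s role concrete (both as the component listed earlier and as the failure mode just described), here is an added Python example; it is not SecureW2’s code and not a complete RADIUS implementation. It builds an Access-Request as RFC 2865 specifies, hides the User-Password with the shared secret, has a toy server answer with Access-Accept or Access-Reject, and then verifies the Response Authenticator on the access-point side. The directory, username, passwords and secrets are constructed sample values.

```python
import hashlib
import hmac
import os
import struct

# Packet codes and attribute types from RFC 2865.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2

# Constructed sample data: the directory the toy server consults and the shared
# secret that must be configured identically on the access point and the server.
DIRECTORY = {b"alice": b"correct horse battery"}
SHARED_SECRET = b"example-shared-secret"


def encode_attr(attr_type, value):
    """Type-Length-Value; Length counts the two header bytes too."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def decode_attrs(raw):
    attrs = {}
    while raw:
        attr_type, length = struct.unpack("!BB", raw[:2])
        if length < 2 or length > len(raw):
            raise ValueError("malformed attribute")
        attrs[attr_type] = raw[2:length]
        raw = raw[length:]
    return attrs


def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block);
    the first 'previous block' is the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out, prev = out + block, block
    return out


def reveal_password(hidden, secret, request_auth):
    """Inverse of hide_password; the chain runs over the received ciphertext."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return out.rstrip(b"\x00")


def build_access_request(identifier, username, password, secret, request_auth):
    """What the access point sends to UDP/1812 on behalf of a client device."""
    attrs = (encode_attr(ATTR_USER_NAME, username)
             + encode_attr(ATTR_USER_PASSWORD, hide_password(password, secret, request_auth)))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + request_auth + attrs


def build_response(code, identifier, attrs, request_auth, secret):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    authenticator = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + authenticator + attrs


def handle_access_request(packet, secret, directory):
    """Toy server: unhide the password with the server's copy of the secret and
    compare it with the directory. A mismatched secret yields noise, so Reject."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet) or length < 20:
        raise ValueError("not a well-formed Access-Request")
    request_auth, attrs = packet[4:20], decode_attrs(packet[20:])
    user, hidden = attrs.get(ATTR_USER_NAME), attrs.get(ATTR_USER_PASSWORD)
    accepted = False
    if user is not None and hidden is not None and user in directory:
        password = reveal_password(hidden, secret, request_auth)
        accepted = hmac.compare_digest(directory[user], password)
    code = ACCESS_ACCEPT if accepted else ACCESS_REJECT
    return build_response(code, identifier, b"", request_auth, secret)


def verify_response(response, request_auth, secret):
    """Access-point side: the code, or None when the Response Authenticator
    does not match and the reply must be dropped."""
    code, identifier, length = struct.unpack("!BBH", response[:4])
    if length != len(response) or length < 20:
        return None
    expected = hashlib.md5(response[:4] + request_auth + response[20:] + secret).digest()
    return code if hmac.compare_digest(expected, response[4:20]) else None


def authenticate(username, password, nas_secret, server_secret, directory=DIRECTORY):
    """End to end: ACCESS_ACCEPT, ACCESS_REJECT, or None for a dropped reply."""
    request_auth = os.urandom(16)
    request = build_access_request(1, username, password, nas_secret, request_auth)
    response = handle_access_request(request, server_secret, directory)
    return verify_response(response, request_auth, nas_secret)


if __name__ == "__main__":
    good = b"correct horse battery"
    print("same secret, right password:", authenticate(b"alice", good, SHARED_SECRET, SHARED_SECRET))
    print("same secret, wrong password:", authenticate(b"alice", b"nope", SHARED_SECRET, SHARED_SECRET))
    print("secret mismatch            :", authenticate(b"alice", good, SHARED_SECRET, b"typo-secret"))
```

With matching secrets the outcome depends on the password; with a mismatch the server recovers garbage and sends Access-Reject, and the access point then discards even that reply because its authenticator was computed with a different secret, so every attempt through that access point fails exactly as described above. The hiding is only a MD5-derived keystream, so the secret’s unpredictability is the whole protection of the User-Password on the wire, which is the reason to generate secrets randomly and keep them in a secrets manager rather than reusing memorable strings.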
The Security Risks of Credential-Based Wi-Fi Authentication
While using credentials for Wi-Fi authentication is typically one of the simplest routes, it’s far from the most secure. Organizations tying their Wi-Fi to passwords expose their networks to many risks, including:
- Vulnerability to over-the-air attacks: Man-in-the-middle attacks, evil twin AP attacks, and other over-the-air attacks trick end users into sending their credentials to the wrong place. Malicious actors can then use these credentials to gain unauthorized access to your network.
- Password mismanagement: Remembering passwords is a hassle, so users often reuse them or use simple, insecure passwords that are easy to guess. Shared network passwords, such as pre-shared keys (PSK), can easily be shared outside your organization.
- Poor end-user experience: Juggling dozens of passwords is frustrating, and it becomes exponentially harder when organizations implement policies such as frequent password updates and specific password complexity requirements.
- Increased IT workload: When end users forget their passwords, they need to contact your support team to regain network access. Besides being annoying for end users, who experience a drop in productivity while they wait, this is time-consuming for your IT department.
Benefits of Certificate-Based Authentication & RADIUS Servers for Wi-Fi
The alternative to password-based authentication is certificates. Using certificates for user authentication provides a range of benefits, especially when combined with the security of a RADIUS server:
Improved Security Based on Cryptography
Certificates use robust asymmetric cryptography to prevent the open transmission of sensitive data over the air. Each certificate is bound to a key pair: a public key embedded in the certificate and a private key that stays on the device, the two being mathematically linked. Because the system is no longer sending credentials to your wireless access points, many attacks are prevented. Even if attackers intercept a certificate, they cannot use or transfer it, since the private key is never sent over the air.
Enhanced Ability to Enforce Granular Network Access Control (NAC) Policies
You can use a PKI along with a RADIUS server to leverage information from your infrastructure, including your directory services or mobile device management (MDM) platforms. Certificate templates contain information from sources such as your identity provider and MDM, and you can apply that to your network access policies. For example, you can segment your HR employees from your DevOps employees who may need more bandwidth.
Easier End-User Login Experience
Passwordless authentication offers a better experience for your end users while enhancing security. It saves users time since they won’t have to spend time re-entering or remembering complex passwords. Certificates allow end users to connect automatically, with a quicker authentication process.
Ability to Integrate With Your Existing Network Infrastructure
Both RADIUS and PKI can integrate with your network infrastructure, including IdPs such as Microsoft Active Directory, Azure AD (Entra ID), Google, and Okta. SecureW2 Cloud RADIUS integrates seamlessly with your identity provider through the Identity Lookup process, which verifies a user’s status in real time during each authentication.
Why Choose Cloud-Based RADIUS?
For decades, organizations have used on-premises RADIUS servers to manage access, authorization, and accounting on their Wi-Fi networks. Despite the many benefits of on-premises RADIUS, it comes with potential drawbacks. Organizations must:
- Provide a dedicated operating system to patch
- Put a RADIUS server and identity infrastructure in every office that needs low-latency authentication
- Maintain RADIUS software
- Build and operate a high-availability architecture
- Hire an in-house team that can troubleshoot authentication failures on short notice
In recent years, organizations have begun achieving the benefits of RADIUS without the overhead by implementing cloud-based RADIUS solutions. With cloud RADIUS:
- A provider handles infrastructure provisioning, OS patching, high availability, and failover as a service
- The organization maintains control over authentication policies and connects access points
- Multi-site organizations can enforce policies consistently across locations
- Policy changes go out to all locations immediately
Cloud-based RADIUS depends on internet connectivity to work, and it may not be an option for organizations legally required to handle all data on-premises. But for many organizations, especially those that already use cloud-based identity providers, it’s an appealing option.
SecureW2 Makes RADIUS Server & PKI Security for Wi-Fi Accessible & Simple
While RADIUS server configuration and setup isn’t usually intimidating for organizations, implementing a PKI can be. We often hear administrators say the more they’re involved with a PKI, the less they want to manage it.
Fortunately, with the right platform, deploying a PKI and RADIUS doesn’t need to be challenging. The SecureW2 JoinNow Platform is a passwordless authentication suite that provides organizations with everything they need to deploy passwordless security for their wireless networks.
Our suite includes Cloud RADIUS and Dynamic PKI. We designed both solutions with vendor neutrality in mind, integrating with a wide range of vendors. With the SecureW2 JoinNow Platform, you can manage and automate the entire certificate lifecycle and create granular network policies — all from one location.
See for yourself how RADIUS and Wi-Fi security looks in action. Contact our expert solutions engineers today to schedule a demo.
Neha Singh
Neha Singh is a CISSP with 13 years of experience, specializing in PKI, RADIUS, and 802.1X frameworks. She is skilled at translating real-world customer challenges into practical, scalable solutions. Neha drives adoption of complex security solutions through clear, cross-functional collaboration with Product, Engineering, and Sales, and combines her deep product management experience with a research-driven mindset to build customer trust. She holds multiple industry certifications and serves on the Board of Directors for the ISC2 Chennai Chapter.