The RADIUS protocol is a popular way to secure network access among IT admins. If admins were able to leverage two-factor authentication (2FA) when using RADIUS, that security would be greatly strengthened. Are there any options available on the market for IT admins to enable 2FA using RADIUS?
RADIUS and 2FA
Before we dive into 2FA using RADIUS, let’s first cover the concepts of RADIUS and 2FA as a whole.
The Remote Access Dial-In User Service (RADIUS) protocol has been in use since the earliest days of the internet. Originally used in dial-up networks (hence its name), RADIUS works in tandem with an IT organization’s identity provider (IdP) to federate access to network resources. For many organizations in the early days of RADIUS, this IdP was usually a directory service like Microsoft® Active Directory®.
Despite the general shift of networks to wireless access, RADIUS has withstood changes and adapted to be used for securing WiFi networks. Instead of the usual shared WPA credential used to access most wireless networks, RADIUS additionally leverages a username and password that is unique to each user (usually the person’s credentials stored within the IdP if integrated). By doing so, network security is increased due to the need for unique credentials.
With the increase in phishing and other identity attacks, authentication that requires a username and password (like RADIUS) can be at risk. Sophisticated social engineering schemes and clever tactics can fool even the most savvy of users. To combat this, many organizations have started adding an additional step to these login processes, called two-factor or multi-factor authentication (2FA or MFA).
This additional step often uses something a user has (a time-sensitive token generated on their phone, perhaps) along with something the user knows (their username/password) to ensure that they are who they say they are. In this respect, the concept behind 2FA is akin to that of zero trust security: simply using a username and password does not mean a user can be trusted. By adding a