Dynamic RADIUS VLAN Assignment for VPN - Security Boulevard

Dynamic RADIUS VLAN Assignment for VPN

One quarter of all internet users in the world used a VPN in the last month to protect their identity privacy and their data privacy while accessing the internet. Are your organization’s users included in that stat?

You simply can’t rely on others to protect your data for you. A shocking number of sensitive records containing personal information are entirely unsecured and accessible to anyone with an internet connection.

A VPN is the solution to protecting your access, whether it’s for personal or business use. For enterprises with remote workers, RADIUS VLAN assignment is the solution to automatically segmenting your users into groups with appropriate permissions.

What is Dynamic RADIUS VLAN Assignment?

Dynamic RADIUS VLAN assignment, also called “VLAN steering”, is a complicated name for a simple process.

VLAN assignment is the process of sorting users into virtual LAN networks, which can be configured to limit access to certain network resources. Users are usually grouped by their level of permissions so a typical set up has several VLANs, each with a broader scope. For example, everyone in the accounting department should be able to access the payroll software, but not the source code for the company’s app.

The dynamic RADIUS portion of the moniker is even easier. The RADIUS server (also called a AAA server) is responsible for making the VLAN assignment. “Dynamic” just means that it happens on a per-user basis, typically at the time of the authentication.

Why Is Dynamic VLAN Assignment Important for VPN?

VLANs are important for restricting resources to only the users that require them, a concept that is fundamental to all types of security. VPNs are important for protecting the transfer of data between an end-user and (often) a remote network. When used in combination, it makes for an airtight remote access solution that can protect your network from both internal and external threats.

How to Configure Dynamic RADIUS VLAN Assignment for VPN

Whether or not you are able to configure dynamic RADIUS VLAN assignment is dependent on the RADIUS your organization is using for 802.1X authentication. Most, though not all, RADIUS servers on the market can be tuned to perform VLAN assignment.

The VPN part of the equation is more difficult, however.

The astute reader will notice that there is an intrinsic problem in using VPN to access a RADIUS for VLAN assignment, namely that a VPN should be masking all of the user information that a RADIUS would be using to determine which VLAN the user belongs in.

There are obviously workarounds to this, but most of them involve compromising the usefulness of either the VPN or the RADIUS by using inferior authentication protocols or packet sniffing.

SecureW2’s Cloud RADIUS VLAN Assignment for VPN

The only solution for dynamic RADIUS VLAN assignment for VPN that does not compromise on security is SecureW2’s Cloud RADIUS. The secret sauce is simple: EAP-TLS onboarding.

Our competitors’ reluctance to convert their infrastructure to the superior certificate-based 802.1X authentication is the reason we are the industry’s best solution for this use case. Only through the inherent, nigh-invulnerability of digital X.509 certificates is it possible to positively identify users or devices at the RADIUS without exposing them anywhere else in the process.

Through our onboarding solution, you can push a package that contains automatic configuration profiles for any device that prepares them for a foolproof self-enrollment by the user. They can use their existing credentials to be provisioned with a digital certificate signed by the root CA stored in your RADIUS.

In fact, this use case is a perfect one to display the strengths of the public-private key cryptography that is the foundation of digital certificates. The only challenge in the process is securely onboarding users, which our software handles, and then the users can be sorted into appropriate VLANs using attributes stored directly on the certificate or in the user directory.

Ready to secure your remote workers and organizational network resources at the same time? We have affordable options for organizations of all sizes, click here to see our pricing.

 

The post Dynamic RADIUS VLAN Assignment for VPN appeared first on SecureW2.


*** This is a Security Bloggers Network syndicated blog from SecureW2 authored by Patrick Grubbs. Read the original post at: https://www.securew2.com/blog/dynamic-radius-vlan-assignment-vpn/