A RADIUS server operates through connecting to a central database to inform who is allowed to connect to your network. It is a simple and easy-to-configure authentication solution that cannot be matched by other authentication setups. Implementing a RADIUS puts your organization on the right path to enable Zero Trust Network Access (ZTNA) initiatives by controlling who has access to which resources.
There are countless RADIUS server vendors, each with a varying degree of capabilities depending on the complexity of your authentication needs. While simple authentication may be desired, the risks involved with authentication cannot be overstated. According to the Verizon’s 2021 Data Breach Investigations Report, just over half of all data breaches leveraged default, weak, or stolen passwords.
Can Okta’s RADIUS Agent stand up to modern security threats?
Capabilities of Okta RADIUS Server Agent
The Okta RADIUS Server Agent installs as a Windows or Linux service and connects on-premise infrastructure to Okta’s cloud services. It allows organizations to delegate on-premise RADIUS authentication to Okta and allow for remote, cloud-based authentication.
Okta’s RADIUS Server Agent allows for single or multi-factor authentication and supports a number of different authentication methods, such as Password Authentication Protocol (PAP), Extensible Authentication Protocol Tunneled Transport Layer Security (EAP/TTLS), and Extensible Authentication Protocol/Generic Token Card (EAP/GTC).
Organizations whose goals include ZTNA can use the RADIUS server agent to distinguish between different apps and support them concurrently. With this feature, different apps and resources can be enabled for different user groups so when remote workers authenticate they can still be given Zero Trust-based access.
While Okta RADIUS Server Agent is ideal for organizations with servers on-premise looking to enable cloud authentication, it isn’t a complete RADIUS solution. One of the most common issues facing Okta RADIUS Server Agent users is that it forces them to have an Active Directory/LDAP server on-premise. Managing and updating an AD is a continual and demanding duty, not to mention preventing it from being compromised. And this security must be maintained while focusing on VPN authentication that doesn’t support SAML.
Okta RADIUS Server Agent and Credential-Based Authentication
A message that all cybersecurity professionals can agree on is that passwords are a weak security method. Passwords can be stolen through countless attack methods like man-in-the-middle (MITM) or brute force. They are often shared among users, leading to a greater vulnerability for credential theft and an inability to accurately gauge who is connected to which resources.
And credential best practices are extremely annoying to uphold. Users should be changing their password to something new and complex every few months, they should never share the password or write them down, and it should never be repeated across any platform. Considering the average person has 100 passwords, maintaining these best practices is a job in and of itself.
Okta RADIUS Server Agent primarily relies on credential-based authentication methods to identify VPN users. Additionally, one of the EAP methods they support (EAP-TTLS/PAP) sends authentication information over-the-air in cleartext. If an attacker successfully performs a MITM attack, they can easily farm credentials and immediately connect to the network.
Best Practices with SecureW2 Cloud RADIUS
SecureW2’s Cloud RADIUS is a complete RADIUS solution that can connect directly to Okta to provide secure authentication for both VPN and on-premise users. There’s no forklift updates to integrate Cloud RADIUS and it supports a wide variety of authentication methods.
As you might guess from the name, Cloud RADIUS is entirely cloud-based and easily scales up to accommodate a growing organization. With built-in redundancy, you will never experience slowdowns during large authentication events.
The newest feature to Cloud RADIUS is Dynamic authentication. This allows for real-time updates to a user’s settings without having to reset how that user authenticates. The Cloud RADIUS communicates directly with the IDP during authentication to adjust the resources and settings that pertain to that user, allowing for admins to always maintain Zero Trust.
While Cloud RADIUS can support credential-based authentication methods, SecureW2’s main focus is moving organizations forward to certificate-based authentication. In every way, certificates are a superior form of authentication compared to credentials.
Certificates cannot be stolen or transferred off a device and only need to be replaced at a long term expiration rate. By using public key encryption, if a certificate is stolen over-the-air, it is useless to the attacker because they will not have the private key needed to authenticate. And certificates act as de facto device trust because they identify both the user and device when authenticating. If someone authenticates with a certificate, you know without a doubt that they have been accurately identified.
If an organization wants to implement Zero Trust, certificates are the perfect authentication option to enable it. As stated above, certificates identify both the user and device so you know who is connecting. As a result, admins can create highly specific use policies that are always accurately applied to users when they authenticate.
These use policies can be applied to both on-premise and remote users, so every employee can always maintain Zero Trust. And with Dynamic RADIUS, these use policies can be applied in real-time so there is no slowdown for the end user.
Okta RADIUS Agent is a specialized service provided by Okta that can be extremely useful to organizations if their needs are met. It can allow your remote works to easily be connected to the resources they need, but compared to complete RADIUS solutions like SecureW2’s Cloud RADIUS, it may fail to meet others’ needs. Check out SecureW2’s pricing page to see if our Cloud RADIUS solutions are a fit for your organization.
*** This is a Security Bloggers Network syndicated blog from SecureW2 authored by Jake Ludin. Read the original post at: https://www.securew2.com/blog/is-okta-radius-server