When Should You Use a Windows RADIUS Server?

When businesses and organizations manage multiple networks or complex server infrastructure, a central authentication mechanism is essential for controlling which users get access to the network. Given the damage that could follow if servers are compromised by unauthenticated, unauthorized or unaccountable users, security teams must implement new strategies to authenticate users and authorize their access to the networks they request.

One authentication method designed to let network devices authenticate users is the Remote Authentication Dial-In User Service, as implemented by Windows RADIUS Servers.

What is a RADIUS Server?

Remote Authentication Dial-In User Service (RADIUS) is a client/server protocol that allows for centralized authentication, authorization, and accounting (AAA). The RADIUS protocol lets network access servers or remote access servers for dial-in users communicate with a central server. Integrating a RADIUS Server into a system not only prevents private information from being leaked but also maintains individual user profiles in a central database and assigns them unique network permissions. It offers better security, allowing organizations to set up policies that can be applied at a single network point.

RADIUS is used to control access to all types of networks, ranging from dial-up to wireless to VPN, and even router-to-router connections. A RADIUS server can also be used as a proxy client to other RADIUS servers and other types of authentication servers. The RADIUS Server can run on either a UNIX or a Windows server.

NPS Server in RADIUS Authentication

Network Policy Server (NPS) is Microsoft’s implementation that gives IT organizations the ability to authenticate client devices through various network access points. The RADIUS protocol works with a RADIUS Server, running NPS Server on Windows, and a RADIUS Client, which is a Network Access Server (NAS). Communication between the NAS and the RADIUS server runs over the User Datagram Protocol (UDP), a connectionless protocol that does not use direct connections. As a result, issues such as server availability, retransmission, and timeouts are managed by the RADIUS-enabled devices and not by the transmission protocol.

RADIUS Server Authentication Flow

The authentication and authorization process:

  • A network access server, acting as a RADIUS client, conveys authentication requests to a RADIUS server that runs as a background process on Windows.
  • The user credentials and access privileges are checked by the RADIUS server and compared with the information stored in the central database. The user database is either stored in a flat-file format or stored externally on an SQL Server or Active Directory Server.
  • If the RADIUS server finds the user credentials and privileges in the database, the information is passed back to the NAS. Once the NAS receives the authentication and authorization message, the user is allowed access to the network and the other applications and services.
  • While users are logged on, the RADIUS Client (NAS) passes accounting requests to the RADIUS server. These requests monitor and record the users' activities on the RADIUS server.

The RADIUS protocol supports two-factor and multi-factor authentication (MFA) mechanisms. These mechanisms use one-time passwords or additional Access-Challenge messages, as well as additional messages from the client to the server. Supported forms of authentication include the Challenge-Handshake Authentication Protocol (CHAP), the Password Authentication Protocol (PAP) and the Extensible Authentication Protocol (EAP). Integrating both authentication and authorization operations in RADIUS limits traffic flow, thereby increasing the efficiency and security of the network.

Authenticating using Windows RADIUS Server

Besides RADIUS, other software and protocols are used for authenticating and authorizing users, of which the Lightweight Directory Access Protocol (LDAP) is the most common. To decide whether you need a Windows RADIUS Server or another protocol, you need to understand the differences between them, the levels of security they offer, the network traffic of your system and the effort of setting up the services. Though both protocols perform similar tasks, they operate differently, making it hard to determine which to use.

The differences between the protocols, as well as the security considerations, will help you understand when to use a RADIUS Server on Windows.

LDAP - Lightweight Directory Access Protocol

LDAP is a software protocol that is used to access and manage directory services through the use of Transport Layer Security (TLS). Since LDAP runs through TLS, it can encrypt user sessions between the client and server. LDAP does not support user accounting.

RADIUS vs LDAP

The main differences between the LDAP and RADIUS protocols lie in how they interact over the network. LDAP runs on the Transmission Control Protocol (TCP), which ensures a reliable connection across the network, while RADIUS is deployed over the User Datagram Protocol (UDP), which minimizes network overhead. In other words, TCP ensures a connection at the cost of more network overhead, whereas RADIUS does not ensure a connection, so errors can crop up on the server along with intermittent timeouts. If not implemented properly, RADIUS may also make the network susceptible to replay attacks.
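The replay risk mentioned above is what the RADIUS Response Authenticator addresses: each reply is bound to the random Request Authenticator of the request it answers. The following is an added example, not code from the original article or from NPS; the shared secret, identifier and Reply-Message value are constructed for illustration.

```python
import hashlib
import hmac
import secrets
import struct

ACCESS_ACCEPT = 2  # RADIUS code for Access-Accept (RFC 2865)

def response_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2865 sec. 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def build_reply(code, ident, attrs, request_auth, secret):
    """Server side: assemble a reply bound to one specific request."""
    auth = response_authenticator(code, ident, attrs, request_auth, secret)
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + auth + attrs

def reply_is_valid(reply, ident, request_auth, secret):
    """NAS side: accept a reply only if it is bound to the pending request."""
    if len(reply) < 20:
        return False
    code, reply_id, length = struct.unpack("!BBH", reply[:4])
    if reply_id != ident or length < 20 or length > len(reply):
        return False
    attrs = reply[20:length]
    expected = response_authenticator(code, reply_id, attrs, request_auth, secret)
    return hmac.compare_digest(expected, reply[4:20])

def demo():
    # Constructed values: shared secret and a Reply-Message attribute (type 18).
    secret = b"constructed-shared-secret"
    attrs = struct.pack("!BB", 18, 2 + 7) + b"welcome"
    first_auth = secrets.token_bytes(16)   # fresh random value per request
    second_auth = secrets.token_bytes(16)  # a later request reusing Identifier 7
    accept = build_reply(ACCESS_ACCEPT, 7, attrs, first_auth, secret)
    tampered = accept[:-1] + b"!"          # one attribute byte changed in transit
    return {
        "genuine": reply_is_valid(accept, 7, first_auth, secret),
        "replayed": reply_is_valid(accept, 7, second_auth, secret),
        "tampered": reply_is_valid(tampered, 7, first_auth, secret),
        "wrong_secret": reply_is_valid(accept, 7, first_auth, b"other-secret"),
    }

if __name__ == "__main__":
    print(demo())
```

The check only holds if the client draws an unpredictable Request Authenticator for every request and the shared secret is long and random.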

In RADIUS, only the password is encrypted; all other user information is not. This means that sensitive user information is sent across the network in clear text and is visible to others on it. To keep it from falling into the wrong hands, additional security mechanisms need to be implemented. Using a virtual private network (VPN) between RADIUS servers and clients is a good way to encrypt all the user attributes.
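To make the exposure concrete, the added example below (not from the original article) builds an Access-Request as defined in RFC 2865 and decodes it the way a passive observer without the shared secret could. The user name, password, addresses and secret are constructed sample values.

```python
import hashlib
import struct

# Attribute type numbers from RFC 2865.
ATTR_NAMES = {1: "User-Name", 2: "User-Password", 4: "NAS-IP-Address",
              31: "Calling-Station-Id"}

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 sec. 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], pad))
        out += prev
    return out

def build_access_request(ident: int, authenticator: bytes, attrs) -> bytes:
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", 1, ident, 20 + len(body)) + authenticator + body

def parse_attributes(packet: bytes) -> dict:
    """Decode attributes the way a passive observer without the secret could."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    attrs, pos = {}, 20
    while pos < length:
        alen = packet[pos + 1] if pos + 2 <= length else 0
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        attrs[ATTR_NAMES.get(packet[pos], f"Attr-{packet[pos]}")] = packet[pos + 2:pos + alen]
        pos += alen
    return attrs

def observed_on_wire() -> dict:
    # Constructed sample values, not taken from any real deployment.
    secret, authenticator = b"constructed-shared-secret", bytes(range(16))
    packet = build_access_request(7, authenticator, [
        (1, b"alice"),
        (2, hide_password(b"correct horse", secret, authenticator)),
        (4, bytes([192, 0, 2, 10])),
        (31, b"00-11-22-33-44-55"),
    ])
    return parse_attributes(packet)

if __name__ == "__main__":
    for name, value in observed_on_wire().items():
        print(f"{name:20} {value!r}")
```

Only User-Password comes out as opaque bytes; the user name, NAS address and calling station are readable as sent, which is the traffic a VPN between RADIUS clients and servers is meant to cover.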

On its own, LDAP does not support multifactor authentication. Though many solutions exist, they require additional resources like implementing other protocols, including RADIUS.

LDAP vs RADIUS

LDAP requires multiple transactions between the server and the client, which can cause significant delays during user authentication attempts. However, once a user logs into the RADIUS directory server, the information is cached, which can lessen login times. In comparison to LDAP, RADIUS is a simpler protocol and its authentication transactions are faster, even for a large database of users.

However, since RADIUS uses UDP, if the network quality is weak, requests may time out and have to be repeated. On the brighter side, because the network load of a RADIUS Server is minimal, the load on the authentication client is lower. Moreover, there is no need for complex settings or directory searches to take place between the user and the directory service.

Vikas Varier

I am a technical content writer based in Sydney. My passion is writing about networking technologies, security, Microsoft server technology, Azure and Office365.
