RADIUS can be an alternative to implementing 802.1x for network access control in complex enterprise environments.
Controlling which users and what devices are on your network has become significantly more complex in the current corporate environment. Network administrators must adapt to wireless access, remote working, bring-your-own-device scenarios and cloud computing. Each employee could have multiple devices using different operating systems.
In this environment, 802.1x and RADIUS would be the gold standard for network access control, but 802.1x can be challenging to implement at an enterprise level. The surprising bit is that the RADIUS configuration is relatively simple, while the problematic portion is configuring the wide variety of end-user devices.
Is 802.1x necessary?
What we colloquially call 802.1x is IEEE 802.1X, a global standard for port-based network access control. It is a network authentication mechanism that allows devices to connect to either wired or wireless local area networks (LAN). This protocol has an important security function, but many organizations are not using it because of how hard it is to implement. I would recommend it for an enterprise network. While it is possible to run networks without it, the result is a network that is much less secure.
With the mix of Windows, Apple, Android and Linux we find in corporate settings, a lot of enterprises may shy away from 802.1x because it is challenging and time-consuming to configure the end-user devices on multiple platforms.
There is software that will help you set up devices for each operating system, and even some multi-platform tools. Unfortunately, most of that software is expensive. Is it really worth paying a few dollars per month per user, just to allow them to access the network?
Before choosing to implement 802.1x for network authentication, administrators should consider:
- How many devices will be connecting to the network.
- What the mix of operating systems on client devices is.
- What the vendor mix of network switches is (for wired networks).
- Manual instructions for client-side setup have proven to be error-prone and time-consuming.
Why is 802.1x needed?
You could compare 802.1x to a security guard that checks who’s on the guest list and only opens the door to authorized users. RADIUS and 802.1x work together to stop rogue devices and users from accessing a corporate network. A RADIUS server authenticates the user, and opens the network port once the user has been authenticated.
It is understandable but troubling that many companies are not deploying 802.1x and are lax about their network access control.
Here are two scenarios that illustrate why 802.1x or RADIUS are needed to secure your network from opportunistic strangers or disgruntled employees.
- If the pizza delivery person wanders into the boardroom or meeting room after dropping off your food, and plugs a device into a network port, is he/she able to get on the network? The only acceptable answer here is “no”.
- If you let an employee go, are they going to be able to connect to the company Wi-Fi network from the parking lot? A disgruntled and tech-savvy employee could download basic hacking tools and take down the company network. A less skilled employee could simply have the printers print out incriminating letters “from” the CEO expressing his romantic interest in the staff. It doesn’t take a hacker to cause corporate destruction!
Microsoft has also left plenty of vulnerabilities in its systems, and exploits for them are available on the Internet. An upset employee may not be able to break into your network and steal data, but they can still cause major headaches.
If you know how, you can use RADIUS to perform some of the functions of 802.1x and lock down your network.
Alternatives to 802.1x for network authentication
There are workarounds to avoid using 802.1x for network access control. One option is to use a VPN on top of an insecure WiFi LAN. In this scenario, network access points are placed outside the company’s firewall and users come in through a VPN gateway, similar to what they would do as a remote user.
Another option is to use RADIUS to do some machine authentication, such as MAC address authentication. That can at least partially lock down your network so that only known devices are allowed on. When employees retire or leave the company, their devices are removed from the database, and they can no longer access the network.
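The MAC address check and the offboarding step described above can be modelled in a few lines. This is an added example, not code from the original article or from any RADIUS product. The `MacAuthDatabase` class, the owner names and the sample addresses are hypothetical, and it assumes the switch or access point reports the device MAC in the RADIUS Calling-Station-Id attribute, in whatever notation that vendor uses.

```python
import re

_SEPARATORS = re.compile(r"[:.\-]")
_HEX12 = re.compile(r"[0-9a-f]{12}")

def normalize_mac(raw):
    """Reduce any common MAC notation to 12 lowercase hex digits, or None."""
    candidate = _SEPARATORS.sub("", raw.strip().lower())
    return candidate if _HEX12.fullmatch(candidate) else None

class MacAuthDatabase:
    """Hypothetical stand-in for the device table a RADIUS server consults."""

    def __init__(self):
        self._owner_by_mac = {}  # normalized MAC -> owner

    def enroll(self, mac, owner):
        key = normalize_mac(mac)
        if key is None:
            raise ValueError(f"not a MAC address: {mac!r}")
        self._owner_by_mac[key] = owner

    def offboard(self, owner):
        """Remove every device of a departing employee; return how many."""
        stale = [m for m, o in self._owner_by_mac.items() if o == owner]
        for mac in stale:
            del self._owner_by_mac[mac]
        return len(stale)

    def authorize(self, calling_station_id):
        """Default deny: only a well-formed, enrolled MAC is accepted."""
        key = normalize_mac(calling_station_id)
        if key is not None and key in self._owner_by_mac:
            return "Access-Accept"
        return "Access-Reject"

def demo():
    # Constructed sample devices using documentation-range addresses.
    db = MacAuthDatabase()
    db.enroll("00:00:5E:00:53:01", "alice")
    db.enroll("0000.5e00.5302", "bob")
    before = db.authorize("00-00-5e-00-53-02")  # bob's laptop, switch notation
    removed = db.offboard("bob")                # bob leaves the company
    after = db.authorize("00-00-5e-00-53-02")
    return before, removed, after

if __name__ == "__main__":
    print(demo())
```

Normalizing before both enrollment and lookup matters in a multi-vendor network, because the same device can otherwise be accepted on one switch and rejected on another purely because of separator or case differences.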
If you don’t have RADIUS handling network authentication, talk to our RADIUS experts about designing and implementing a solution to secure Wi-Fi access to your network.
Need more help?
InkBridge Networks has been at the forefront of network security for over two decades, tackling complex challenges across various protocols and infrastructures. Our team of seasoned experts has encountered and solved nearly every conceivable network security issue. If you're looking for insights from the architects behind some of the internet's most foundational authentication systems, you can request a quote for network security solutions here.