So you decided that whatever you were using for network security wasn’t getting the job done… either it didn’t scale with the growth in your user base, devices, or network design, or it was hindering your organization’s productivity. Or maybe you suffered a security breach. Whatever the case, you decided to make the jump to RADIUS authentication, and you’ve implemented a RADIUS server.
You set it up to protect your network, including 802.1X security for your WiFi network. Everyone who needs access has sufficiently secure passwords to log in. Now you’re done, right?
Not so fast. Set it and forget it security is a dangerous approach that leaves your network vulnerable. Network security is a journey, not a destination.
Simply implementing a RADIUS server is not enough; you still have some work to do to keep your network secure.
Let’s have a look at the up-front and ongoing activities you need to do to maintain the security of your RADIUS network and avoid the pitfalls of set it and forget it security.
Review your RADIUS server implementation
First, take a look at your RADIUS server implementation to make
sure you haven’t missed anything critical:
Server certificates and authentication
Do you have a Server certificate? Server certificates are necessary for client software to verify that they are actually connecting to your RADIUS server (and not a clever impostor, such as with a man-in-the-middle attack) and to establish secure access via an encrypted connection. There are several options available for obtaining these certificates, or you can create your own. Each option has advantages and disadvantages, so if you haven’t implemented one (or more) already, do your homework and get one in place.
Do I need multiple certificates? You need a certificate for each "role" that the server has. Do you do EAP-TLS, TTLS, or PEAP? You need a certificate for that. Do you do RADIUS/TLS? You need a separate certificate for that. Using the same certificate for multiple roles means that you're allowing clients from one role to access a server which has a different role. That's a security violation.
Are clients verifying your RADIUS server? The flip side of having a server certificate is configuring the client software to verify it. This is normally done at the operating-system level, and many operating systems enable verification by default. However, it’s worthwhile to check your standard-issue computers to ensure they actually are verifying the server certificate when they connect to WiFi.
Directory services integration
Got multiple DCs? If your organisation uses Microsoft Active Directory, your RADIUS server should be set up to authenticate users against their AD credentials. If you have more than one domain controller (DC) — and you should, for redundancy and system resilience — you need to make sure any RADIUS server configuration changes are propagated to all of the DCs, or a DC failure can cause connection problems when users try to access network resources.
The big picture: Ongoing network security vigilance
Outside the RADIUS server itself, there are a number of things you need to do on an ongoing basis to keep your network secure — the very opposite of set it and forget it.
Regular security updates
Don’t skip the security updates. Your RADIUS server software and all your operating systems have regular patches and updates to address newly discovered vulnerabilities. Too many organisations put off implementing these updates, thinking there will be some slack time when it can be done.
Pro tip: There is never any slack time, and the longer you put it off, the more time-consuming it becomes to install all the accumulated updates. If you don’t have the resources to install patches as soon as they come out, schedule a day each month or quarter for each server to be updated.
Set up security policies and standards
If your organisation doesn’t already have written security policies and standard procedures in place, now is the time. Policies for password complexity and expiration, local administrative access, shared secret management, and standard security procedures for deploying new network devices should all be written and enforced.
Use encrypted communications
Unless everything that’s important to you always stays under your own roof, you can assume that at some point your network traffic flows to networks and devices that are outside your control, such as cloud services or wide-area networks. If it’s out of your control, you can’t be certain it’s secure. Make sure the data that goes outside your building is encrypted.
Even inside of your network, you should separate user traffic from management traffic. Use a management VLAN for all RADIUS traffic.
Access management
Segregate visitor wireless access. Modern WiFi systems can enable separate access for staff and visitors through wireless access points. Your visitor access can have a separate SSID; administer separate single-use or time-limited RADIUS authentication credentials with 802.1X security. Visitors should be able to access the Internet, and nothing more. You should also filter outbound traffic for abuse.
Segregate devices. Put different types of devices into different VLANs. Restrict access to internet services only or to certain resources, such as printers or specific file shares. You don’t have to give a printer full access to the network, or the Internet.
RADIUS Accounting and monitoring. Implement proper RADIUS Accounting to track user sessions and monitor authentication methods across your network. This helps identify potential security issues and ensures your Authentication, Authorisation, and Accounting (AAA) framework is functioning correctly. Even enterprises that never bill for access should use accounting, so that they know which devices are on the network and where they are located.
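To show what accounting actually buys you, here is an added example (not InkBridge's or FreeRADIUS's code) that replays constructed accounting records laid out like a FreeRADIUS detail file and answers the question above: which devices are on the network right now, and on which NAS and port. The attribute names are standard RADIUS accounting attributes; the values and the file layout are assumptions for the sample.

```python
import re
# Constructed sample in the FreeRADIUS "detail" file layout (one record per
# accounting packet, blank line between records); every value here is made up.
SAMPLE_DETAIL = """
Tue Jan 14 08:01:10 2025
    Acct-Status-Type = Start
    Acct-Session-Id = "c0ffee01"
    User-Name = "alice"
    Calling-Station-Id = "AA-BB-CC-00-00-01"
    NAS-IP-Address = 10.0.1.10
    NAS-Port = 7

Tue Jan 14 08:05:42 2025
    Acct-Status-Type = Start
    Acct-Session-Id = "c0ffee02"
    User-Name = "printer-3f"
    Calling-Station-Id = "AA-BB-CC-00-00-02"
    NAS-IP-Address = 10.0.1.20
    NAS-Port = 12

Tue Jan 14 09:30:00 2025
    Acct-Status-Type = Stop
    Acct-Session-Id = "c0ffee01"
    Calling-Station-Id = "AA-BB-CC-00-00-01"
    NAS-IP-Address = 10.0.1.10
"""
ATTR_RE = re.compile(r'^\s*([\w-]+)\s*=\s*"?(.*?)"?\s*$')

def parse_detail(text):
    """One dict per record; the timestamp line has no '=' and is skipped."""
    records = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        matches = filter(None, map(ATTR_RE.match, chunk.splitlines()))
        records.append({m.group(1): m.group(2) for m in matches})
    return records

def active_sessions(records):
    """Replay Start/Interim-Update/Stop in order; key is NAS + session id (ids are per-NAS)."""
    open_sessions = {}
    for rec in records:
        key = (rec.get("NAS-IP-Address"), rec.get("Acct-Session-Id"))
        if rec.get("Acct-Status-Type") in ("Start", "Interim-Update"):
            open_sessions[key] = rec
        elif rec.get("Acct-Status-Type") == "Stop":
            open_sessions.pop(key, None)
    return open_sessions

def device_inventory(text):
    """MAC -> (user, NAS, port): which devices are on the network, and where."""
    return {r["Calling-Station-Id"]: (r.get("User-Name"), r["NAS-IP-Address"], r.get("NAS-Port"))
            for r in active_sessions(parse_detail(text)).values()}
```

Running it against a real detail file (or the same records pulled from an SQL accounting table) gives the device-to-location map the paragraph asks for; alice's session has a matching Stop, so only the printer is reported as present.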
If this is all new to you, you aren’t alone. But a breach of your network is not a question of if; it’s a question of when. You owe it to your business to keep its network as secure as possible. InkBridge Networks can help not only with the implementation of a RADIUS server solution, but also with the ongoing care that’s needed to keep it secure.
Need more help?
InkBridge Networks has been at the forefront of network security for over two decades, tackling complex challenges across various protocols and infrastructures. Our team of seasoned experts has encountered and solved nearly every conceivable network security issue. If you're looking for insights from the architects behind some of the internet's most foundational authentication systems, you can request a quote for network security solutions here.