
Active Directory WiFi Authentication and RADIUS Support

Written by Brenna Lee on February 2, 2023


Organizations that leverage Microsoft Active Directory (AD) have a growing need to connect their core user identities to their WiFi network(s) as securely as possible. This can be done by enabling users to authenticate uniquely to the network rather than via a shared SSID and passphrase. This method of WiFi authentication leverages the backend directory services platform to validate user access using the RADIUS protocol and a RADIUS server. 

This article will dive into a few related topics including network access security, an explanation of RADIUS, Microsoft’s version of RADIUS, integrating Active Directory and RADIUS, and a modern directory solution with native RADIUS capabilities.

Network Access Security

WiFi networks are typically secured with a single, shared SSID and passphrase, but this approach has proven to be both insecure and inefficient when it comes to providing access to your organization’s wireless network.

If your shared SSID or passphrase is complex, there’s a good chance of it regularly being written down or shared on whiteboards. Both of these scenarios present an opportunity for anybody who has access to your building to see them. In some cases, the WiFi signal reaches the building next door, the parking lot, or the sidewalk. So, when a person obtains the SSID or passphrase, they don’t even have to be in the office to gain access to the organization’s network.

Besides security risks, securing WiFi networks in this way is also inefficient. When people join and leave the organization, the passphrase has to be rotated each time, and this adds overhead and frustration both to admins and to existing employees just looking to do their jobs.

The solution to this WiFi security problem is to uniquely authenticate user access to the network. This both eliminates the need for a shared passphrase and ensures that IT won’t have to reset the password every time an employee leaves the organization.

Syncing AD with WiFi Networks Through RADIUS

This unique authentication strategy can be achieved through the use of the RADIUS protocol, which improves WiFi security and can be delivered and implemented in a variety of ways.

What Is RADIUS?

RADIUS is a network authentication protocol that requires a unique set of credentials for WiFi access instead of a shared WPA key. With a RADIUS server, users can silently authenticate to AD to ensure that resource access is secured.

Leveraging RADIUS infrastructure, however, requires intense technical integration and configuration to run properly. The RADIUS servers themselves need to be set up, and wireless access points need to be directed to route authentications through the RADIUS server. Then, the RADIUS server needs to be integrated with the on-prem Active Directory infrastructure in order to validate end user credentials before WiFi access is granted.

Beyond that, the RADIUS infrastructure needs to be constantly maintained to ensure proper operation, and often requires redundancy to avoid mishaps. This work is tedious and costly, and it introduces many moving parts, which all have the capability to fail.
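The hop from the access point to the RADIUS server described above, as an added example that is not from the original article or any vendor's code. It goes beyond the text to the wire format (RFC 2865 attributes, RFC 3579 EAP-Message and Message-Authenticator), showing how the server uses the secret it shares with the access point to reject forged or altered requests; the user name and shared secret are constructed values.

```python
import hashlib
import hmac
import os
import struct

USER_NAME, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 79, 80  # attribute types


def attr(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as type, length, value (RFC 2865)."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(user: str, secret: bytes, ident: int = 1) -> bytes:
    """Access point side: wrap the user's EAP identity in an Access-Request."""
    name = user.encode()
    # EAP-Response/Identity: code=2, id, length, type=1, then the identity
    eap = struct.pack("!BBHB", 2, ident, 5 + len(name), 1) + name
    attrs = attr(USER_NAME, name) + attr(EAP_MESSAGE, eap)
    attrs += attr(MESSAGE_AUTHENTICATOR, bytes(16))  # zeroed placeholder, last
    header = struct.pack("!BBH", 1, ident, 20 + len(attrs))  # code 1 = request
    packet = header + os.urandom(16) + attrs  # random Request Authenticator
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac  # overwrite the placeholder with the HMAC


def parse_attributes(packet: bytes) -> dict:
    """Return {type: (value, value_offset)} for the attributes after the header."""
    if len(packet) < 20 or int.from_bytes(packet[2:4], "big") != len(packet):
        raise ValueError("length field does not match packet size")
    found, pos = {}, 20
    while pos < len(packet):
        if pos + 2 > len(packet) or not 2 <= packet[pos + 1] <= len(packet) - pos:
            raise ValueError("malformed attribute")
        found[packet[pos]] = (packet[pos + 2:pos + packet[pos + 1]], pos + 2)
        pos += packet[pos + 1]
    return found


def verify_request(packet: bytes, secret: bytes) -> bool:
    """RADIUS server side: recompute the HMAC with the field zeroed (RFC 3579)."""
    value, offset = parse_attributes(packet).get(MESSAGE_AUTHENTICATOR, (b"", 0))
    if len(value) != 16:
        return False  # missing or malformed: an EAP request must carry it
    zeroed = packet[:offset] + bytes(16) + packet[offset + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(value, expected)

# Constructed sample values, not from the article.
SAMPLE = build_access_request("alice@example.com", b"constructed-shared-secret")
```

Only the identity step is shown; in a real deployment the EAP method that follows (for example PEAP or EAP-TLS) carries the user's credentials inside further EAP-Message attributes.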

Microsoft’s Version of RADIUS

To streamline some of this process, Microsoft created their own version of a RADIUS server, called Network Policy Server (NPS). While effective for connecting Windows systems to WiFi through AD, NPS and other similar RADIUS implementations such as FreeRADIUS present a couple of major issues to IT organizations.

First and foremost, by implementing these types of RADIUS servers, IT organizations further entrench their infrastructure on-prem. In an era where much of an organization’s infrastructure can be leveraged from the cloud, keeping infrastructure on-prem leads to an outdated IT environment that’s harder to integrate with new, modern infrastructure. Plus, keeping and adding infrastructure on-prem means significant implementation hassles in terms of setting up and maintaining servers. Beyond that, RADIUS add-on implementations rack up overhead costs, creating a drain on IT budgets.

“Active Directory as-a-Service” and RADIUS

All of this is to say that IT admins aren’t excited about purchasing, storing, and maintaining on-prem infrastructure. Even Microsoft Active Directory is becoming less and less desirable for IT organizations because of its substantial on-prem footprint. Instead, IT admins are looking for a cloud-hosted solution such as a modern identity provider that includes RADIUS authentication capabilities. IT organizations think of this approach as an “Active Directory as-a-service” implementation with RADIUS authentication included.

Of course, IT admins realize that there isn’t such a thing as Active Directory as-a-service, which makes it a much more difficult problem to solve. There are hosted Active Directory instances, but those aren’t offered as SaaS-based services, and the cloud identity management solution from Microsoft, Azure Active Directory, isn’t a cloud directory service, but rather a complement to AD.

Modern Cloud-Based Directory Services WiFi Authentication

The good news is that there is Directory-as-a-Service, which is a core identity provider that includes native Cloud RADIUS authentication capabilities, and it’s called the 探花大神 Directory Platform. With 探花大神, you get to simply enjoy the security benefits that RADIUS offers without having to deal with the hassle. 探花大神 manages the security, availability, and uptime that comes with RADIUS infrastructure.

探花大神 can extend or replace AD, depending on your organization’s goals, which allows you to use 探花大神’s RADIUS capabilities across your users whether they remain in AD or not.

On top of that, with 探花大神’s open directory, each user’s credentials can be used to securely access resources other than just WiFi. They can also be used to authenticate to Linux, Mac, and Windows systems, on-prem and remote servers in AWS and GCP, LDAP and SAML-based applications, and virtual and physical file storage. With 探花大神, IT not only significantly enhances WiFi access security, but the security of the organization’s overall IT infrastructure.

探花大神, Active Directory, and RADIUS

Learn more about how 探花大神 and Cloud RADIUS fit into your IT environment, whether you’re looking to extend or replace Active Directory. You can do so by .

Brenna Lee

Brenna is a Content Writer at 探花大神 who loves learning about and immersing herself in new technologies. Outside of the [remote] office, she loves traveling and exploring the outdoors!
