RADIUS protocols overview

Quick overview of RADIUS and authentication protocols.

What is RADIUS?

Remote Authentication Dial-In User Service (RADIUS) is a protocol commonly used to authenticate users to a local network or VPN. It is an application layer protocol that provides centralized authentication, authorization, and accounting (AAA) management for users who connect to and use a network service. RADIUS was developed by Livingston Enterprises in 1991 as an access server authentication and accounting protocol.

Without RADIUS, users log into a Wi-Fi network using a shared password. With RADIUS, they log into the network using an individual username and password. Moreover, user authentication can be further strengthened by enabling MFA or certificate-based authentication. One tricky thing about RADIUS is that it can use several different protocols to authenticate users (PAP, CHAP, EAP-TLS, etc.). While the flexibility can be helpful, some of these protocols have been exploited and are now considered insecure.

What is Extensible Authentication Protocol (EAP)?

Extensible Authentication Protocol (EAP) is an authentication framework for network connections. Originally, in the era of Point-to-Point Protocol (PPP) connections, users could only be authenticated with insecurely transmitted passwords or password hashes, using protocols such as PAP and CHAP. These authentication protocols were vulnerable because of weak methods of password protection and transmission. EAP was originally developed to work inside the PPP protocol and extend the authentication methods to more secure ones: adding certificate authentication, providing TLS encryption, and more.

What is 802.1X?

IEEE 802.1X is a modern standard that provides an authentication framework for network connections. For example, if you are deploying a Wi-Fi network today, you can leverage 802.1X to authenticate your users to the Wi-Fi network with individual credentials using the idemeum Cloud RADIUS service. 802.1X takes the EAP authentication protocols and allows them to be used on local networks as EAP over LAN (EAPOL). In effect, it encapsulates EAP frames over Ethernet and Wi-Fi.

802.1X has three parties: the supplicant (for example, a laptop), the authenticator (NAS), and the authentication server (RADIUS). EAP data is first encapsulated in EAPOL frames between the supplicant and the authenticator, then re-encapsulated between the authenticator and the authentication server using RADIUS. Instead of deploying and managing your own RADIUS server, you can leverage the idemeum Cloud RADIUS infrastructure.

RADIUS authentication protocols

Here is a quick overview of the major RADIUS authentication protocols, along with which of them the Idemeum Cloud RADIUS service supports.

| Protocol | Security | Idemeum | How it works |
|---|---|---|---|
| PAP | | - | Credentials are used for user authentication. The password is sent in clear text between the client and the NAS. Between the NAS and the RADIUS server it is obfuscated with an MD5 hash derived from the shared secret. PAP does not require the clear-text password to be stored on the server. Vulnerable today and considered insecure without TLS. |
| CHAP | | - | Credentials are used for user authentication. Instead of sending the password, a hash is sent over the wire. There is no transport encryption. CHAP requires the clear-text password to be stored on the RADIUS server. Vulnerable today and considered insecure without TLS. |
| PEAP-MSCHAPv2 | | - | Credentials are used for user authentication. A TLS tunnel is established for secure communication. A hash of the password is sent inside the TLS tunnel to authenticate the user. The RADIUS server is required to store clear-text passwords. The RADIUS server is authenticated by the client with an X.509 certificate. |
| EAP-TTLS/PAP | | | Credentials are used for user authentication. A TLS tunnel is established for secure communication. The RADIUS server is authenticated by the client with a certificate. PAP is used to authenticate the user with a password inside the TLS tunnel. The RADIUS server is not required to store clear-text passwords. |
| EAP-TLS | | | X.509 certificates are used for mutual client and server authentication. Communication is secured by TLS. No credentials are needed. X.509 certificates need to be distributed to the clients. |
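As an added example that is not part of the original page or idemeum's code, the following Python implements the User-Password hiding that PAP relies on between the NAS and the RADIUS server (RFC 2865) and the CHAP response check (RFC 1994). It shows why the two clear-text-storage notes in the table differ: a PAP server recovers the password and can compare it against a salted hash, while a CHAP server must keep the clear-text password to recompute the response. Function names and the sample secret and authenticator in the comments are assumptions of this example.

```python
import hashlib
import hmac

def hide_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Hide a PAP password for the User-Password attribute (RFC 2865, 5.2).

    The password is zero-padded to a multiple of 16 bytes; each block is XORed
    with MD5(shared secret + previous hidden block), the first block using the
    16-byte Request Authenticator. This is obfuscation keyed only by the shared
    secret, not TLS-grade encryption, which is why PAP needs a TLS tunnel.
    """
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        hidden += block
        prev = block
    return bytes(hidden)

def reveal_user_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_user_password, as performed by the RADIUS server.

    Because the server recovers the clear-text password, it can verify it
    against a salted hash and never needs to store the password itself.
    Trailing zero padding is stripped (constructed example: passwords are
    assumed not to end in NUL bytes).
    """
    revealed, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        revealed += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return bytes(revealed).rstrip(b"\x00")

def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """CHAP response (RFC 1994): MD5(identifier || password || challenge)."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()

def chap_verify(ident: int, challenge: bytes, response: bytes, stored_password: bytes) -> bool:
    """Server-side CHAP check. stored_password must be the clear text: the
    hash binds identifier, password and challenge together, so a salted
    password hash on the server cannot be used to recompute it."""
    expected = chap_response(ident, stored_password, challenge)
    return hmac.compare_digest(expected, response)
```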