
MFA for RADIUS

Last updated on July 30, 2024

MFA for RADIUS is a multi-layered approach to authenticating RADIUS users. RADIUS MFA typically consists of two security layers: a login and password as the first authentication factor, and an additional authentication method as the second authentication factor. The additional authentication method must be either something you have (e.g., a registered mobile device or a FIDO2 security key) or something you are (e.g., a fingerprint or other biometric data).

What is RADIUS?

RADIUS is a computer networking protocol that employs the three A’s. The first A stands for Authentication, the second A is Authorization, and the last A refers to Accounting. Let’s focus on the first A and learn how RADIUS works within Multi-Factor Authentication (MFA).

RADIUS Protocol vs. RADIUS Server – Let’s Clear It Up!

It is crucial to distinguish between the RADIUS protocol and the RADIUS server. The RADIUS protocol is a data transfer protocol used during communication between a RADIUS server and a RADIUS client. The RADIUS server, on the other hand, is a process that runs in the background on a Windows or Linux server and stores user profiles in a database. These profiles include user credentials such as a hash of a password.

In other words, the RADIUS server either is the Identity Provider (IdP) itself or is closely connected to one (like a MySQL database) and can therefore be used as the source of your user credentials during the first step of Multi-Factor Authentication (MFA). One of the most popular RADIUS servers is FreeRADIUS.

Analogous to the RADIUS server, the RADIUS client is one of the parties that take part in the communication that uses the RADIUS protocol. The RADIUS client is usually a network access server (NAS) such as a virtual private network (VPN), router, or switch.

It is essential to know the difference between the RADIUS protocol, server, and client because these terms are easy to confuse, which in turn may lead to more misunderstandings.

How to Make the RADIUS Protocol More Secure?

The RADIUS protocol does not encrypt the packets sent in communication between the client and server. The sole exception is the password. Despite password encryption, RADIUS is only as secure as its implementation. But even with an exemplary implementation, if a password is the only barrier a hacker must circumvent to break into your account, you are as good as hacked.

But there is a way. It is called Multi-Factor Authentication, or MFA for short. MFA adds an extra layer of security to your logins. If you combine your password with a Mobile Push authentication request, you boost your account security. But how does MFA work?

How Does MFA Work With RADIUS?

To enable MFA on your VPNs, you need to use the Rublon Authentication Proxy. The Rublon Authentication Proxy is an on-premises RADIUS proxy server.

With Rublon MFA enabled, the Rublon Authentication Proxy uses the RADIUS protocol to communicate with Service Providers, such as your VPN. To speak with an Identity Provider, the Rublon Authentication Proxy uses either the RADIUS protocol (if you store your users in, e.g., FreeRADIUS) or the LDAP protocol (if you store your users in, e.g., Active Directory).

Diagram showing how MFA works with RADIUS

1. The user signs in to the Integrated Service (Service Provider) by providing their login and password (1).

2. The Integrated Service contacts the Rublon Authentication Proxy using the RADIUS protocol with PAP as the authentication option (2).

3. The Rublon Authentication Proxy asks the Identity Provider (either a RADIUS Server or an LDAP Server) if the password is correct (3).

(Note that the Rublon Authentication Proxy uses the RADIUS protocol to speak to the RADIUS Server. However, LDAP(S) is used to speak to the LDAP Server.)

4. If the password is correct, the Rublon Authentication Proxy contacts the Rublon API (4) and asks the Rublon API to send a Mobile Push authentication request to the user’s phone (5).

5. If the user accepts the push, they get connected to the Integrated Service.

Can I Use FreeRADIUS as the IdP For My Cloud Apps?

Yes, you can! You can deploy the Rublon Access Gateway, a dedicated Rublon solution used for integration with cloud apps. Then, you can set your FreeRADIUS (or any other RADIUS server) as the Identity Provider in the Rublon Access Gateway. Refer to MFA for SAML for more information.

How Do I Enable MFA on My VPNs and Other RADIUS-Compatible Services?

Here’s a step-by-step guide on how to enable Rublon MFA on one or more of your RADIUS-compatible applications:

  1. Deploy and configure the Rublon Authentication Proxy.
  2. Find the integration instructions in our documentation.
  3. Follow the instructions and integrate your service with the Rublon Authentication Proxy.
  4. Repeat steps 2 and 3 for any number of RADIUS-compatible services you want.
