Why would I need a RADIUS server if my clients can connect and authenticate with Active Directory? When do I need a RADIUS server?
4 Answers
Why would I need a RADIUS server if my clients can connect and authenticate with Active Directory?
RADIUS is an older, simple authentication mechanism which was designed to allow network devices (think: routers, VPN concentrators, switches doing Network Access Control (NAC)) to authenticate users. It doesn't have any sort of complex membership requirements; given network connectivity and a shared secret, the device has all it needs to test users' authentication credentials.
Active Directory offers a couple of more complex authentication mechanisms, such as LDAP, NTLM, and Kerberos. These may have more complex requirements - for example, the device trying to authenticate users may itself need valid credentials to use within Active Directory.
When do I need a RADIUS server?
When you have a device to set up that wants to do simple, easy authentication, and that device isn't already a member of the Active Directory domain:
- Network Access Control for your wired or wireless network clients
- Web proxy "toasters" that require user authentication
- Routers which your network admins want to log into without setting up the same account each and every place
In the comments @johnny asks:
Why would someone recommend a RADIUS and AD combination? Just a two-step authentication for layered security?
A very common combo is two-factor authentication with One Time Passwords (OTP) over RADIUS combined with AD. Something like RSA SecurID, for example, which primarily processes requests via RADIUS. And yes, the two factors are designed to increase security ("Something you have + Something you know").
It's also possible to install RADIUS for Active Directory to allow clients (like routers, switches, ...) to authenticate AD users via RADIUS. I haven't installed it since 2006 or so, but it looks like it's now part of Microsoft's Network Policy Server.
- Why would someone recommend a RADIUS and AD combination? Just a two-step authentication for layered security? – johnny Jul 14 '16 at 18:33
- In what context? 802.1x? – HashHazard Jul 14 '16 at 18:44
- @Hollowproc I was trying to understand one over the other in general. But yes, wireless, if that's what you mean. – johnny Jul 14 '16 at 18:52
- @johnny I just edited the answer to address your first comment... if you are asking about wireless clients authenticating, then the most likely reason for RADIUS+AD is the second possibility I mentioned: to allow relatively dumb network gear to authenticate people whose info is stored within AD. So it's a single-factor authentication; the RADIUS authentication mechanism is just used to extend AD accounts out to non-Microsoft devices. – gowenfawr Jul 14 '16 at 18:54
- @johnny, gowenfawr does a nice job of addressing your comment; his answer is honestly a bit more complete than mine. – HashHazard Jul 14 '16 at 19:00
All the comments and answers boiled the RADIUS protocol down to simple authentication. But RADIUS is a triple-A protocol (AAA): authentication, authorization and accounting.
RADIUS is a very extensible protocol. It works with key-value pairs and you can define new ones on your own. The most common scenario is that the RADIUS server returns authorization information in the ACCESS-ACCEPT response, so that the NAS knows what the user will be allowed to do. Of course you can do this by querying LDAP groups. You could also do this using SELECT statements if your users were located in a database ;-)
This is described in RFC2865.
As a third part, the RADIUS protocol also does accounting, i.e. the RADIUS client can communicate with the RADIUS server to determine how long a user may use the service provided by the RADIUS client. This is already in the protocol and cannot be done straightforwardly with LDAP/Kerberos. (Described in RFC2866.)
Imho, the RADIUS protocol is much more of a mighty giant than we think today. Yes, due to the sorry concept of the shared secret. But wait, the original Kerberos protocol has the concept of signing a timestamp with a symmetric key derived from your password. Does not sound better ;-)
So when do you need RADIUS?
Whenever you do not want to expose your LDAP! Whenever you need standardized authorization information. Whenever you need session information like @Hollowproc mentioned.
Usually you need RADIUS when dealing with Firewalls, VPNs, Remote Access and network components.
I think all of the above answers fail to address the crux of your question, so I'm adding more. The other answers do fit more in line with the InfoSec aspect of RADIUS, but I'm going to give you the SysAdmin run down. (Side note: this question should probably have been asked in ServerFault.)
What is the difference between a RADIUS server and Active Directory?
Active Directory is an identity management database first and foremost. Identity management is a fancy way of saying that you have a centralized repository where you store "identities", such as user accounts. In layman's terms it's a list of people (or computers) that are allowed to connect to resources on your network. This means that instead of having a user account on one computer and a user account on another computer, you have a user account in AD that can be used on both computers. Active Directory in practice is far more complex than this, tracking/authorizing/securing users, devices, services, applications, policies, settings, etc.
RADIUS is a protocol for passing authentication requests to an identity management system. In layman's terms it's a set of rules that govern the communication between a device (RADIUS client) and a user database (RADIUS server). This is useful because it is robust and generalized, allowing many disparate devices to communicate authentication with completely unrelated identity management systems that they would ordinarily not work with.
A RADIUS server is a server or appliance or device that receives authentication requests from the RADIUS client and then passes those authentication requests on to your identity management system. It's a translator that helps your devices communicate with your identity management system when they don't natively speak the same language.
Why would I need a RADIUS server if my clients can connect and authenticate with Active Directory?
You don't. If AD is your identity provider and if your clients can natively connect and authenticate with AD, then you do not need RADIUS. An example would be having a Windows PC joined to your AD domain and an AD user logs into it. Active Directory can authenticate both the computer and the user on its own without any help.
When do I need a RADIUS server?
- When your clients can't connect to and authenticate with Active Directory.
Many enterprise grade network devices do not interface directly with Active Directory. The most common example that end users might notice is connecting to WiFi. Most wireless routers, WLAN controllers, and access points do not natively support authenticating a logon against Active Directory. So instead of signing onto the wireless network with your AD username and password, you sign in with a distinct WiFi password instead. This is OK, but not great. Everyone in your company knows the WiFi password and probably shares it with their friends (and some mobile devices will share it with their friends without asking you).
RADIUS solves this problem by creating a way for your WAPs or WLAN controller to take username and password credentials from a user and pass those through to Active Directory to be authenticated. This means that, instead of having a generic WiFi password that everyone in your company knows, you can log on to the WiFi with an AD username and password. This is cool because it centralizes your identity management and provides more secure access control to your network.
Centralized identity management is a key principle in Information Technology and it dramatically improves the security and manageability of a complex network. A centralized identity provider allows you to manage authorized users and devices across your network from a single location.
Access control is another key principle very closely related to identity management because it limits access to sensitive resources to only those people or devices which are authorized to access those resources.
- When Active Directory is not your identity provider.
Many businesses now use online "cloud" identity providers, such as Office 365, Centrify, G-Suite, etc. There are also various *nix identity providers and, if you're old-skool, there are even still Mac servers floating around with their own directory for identity management. Cloud identity is becoming far more common and, if Microsoft's roadmaps are to be believed, will eventually fully replace on-premises Active Directory. Because RADIUS is a generic protocol, it works just as well whether your identities are stored in AD, Red Hat Directory Server, or Jump Cloud.
In Summary
You want to use a centralized identity provider in order to control access to network resources. Some of the devices on your network may not natively support the identity provider you use. Without RADIUS, you may be forced to use "local" credentials on these devices, decentralizing your identity and reducing security. RADIUS allows these devices (whatever they are) to connect to your identity provider (whatever it is) so you can maintain centralized identity management.
RADIUS is also much more complex and flexible than this example, as the other answers already explained.
One more note. RADIUS is no longer a separate and unique part of Windows Server and it hasn't been for years. Support for the RADIUS protocol is built into the Network Policy Server (NPS) server role in Windows Server. NPS is used by default to authenticate Windows VPN clients against AD, though it technically does not use RADIUS to do so. NPS can also be used to configure specific access requirements, such as health policies, and can restrict network access for clients that don't meet the standards you set (aka NAP, Network Access Protection).
- So if all modern wireless and network devices, for instance, start natively supporting AD, we would not need RADIUS in the environment at all? – security_obscurity Dec 03 '19 at 18:10
- @security_obscurity AD is just one example of an identity provider. It's probably the most common but it isn't the only one. One of the advantages of RADIUS is that the protocol is generic and agnostic: it doesn't care what your identity provider is as long as it speaks the same language. I think I need to update my answer to make that more clear. – Thomas Dec 03 '19 at 22:14
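As an added example (not code from any of the answers above, nor from any RADIUS product), here is a minimal RFC 2865/2866 packet codec that ties together the points the first three answers make: the shared secret from the first answer (it hides the User-Password attribute and keys the Response Authenticator, so a box that merely has network reachability cannot get a valid reply), the authorization and accounting from the second (Session-Timeout and a Tunnel-Private-Group-ID VLAN assignment ride back inside the Access-Accept, and an Accounting-Request Start is authenticated with the 16-zero-octet variant of the same MD5 construction), and the "translator" role from the third (the server hands the recovered credentials to whatever identity backend it is given). The secret, user, password, VLAN and timeout values are constructed; `lookup_user` is a stand-in for the AD/LDAP lookup, not a real directory call.

```python
"""Added example (not code from any answer on this page): a minimal RFC 2865/2866 RADIUS codec; all values constructed."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCOUNTING_REQUEST = 1, 2, 3, 4   # RFC 2865 s.3, RFC 2866 s.3
USER_NAME, USER_PASSWORD, SESSION_TIMEOUT, ACCT_STATUS_TYPE = 1, 2, 27, 40      # attribute types used below
TUNNEL_PRIVATE_GROUP_ID, ACCT_START = 81, 1   # RFC 2868 VLAN attribute; Acct-Status-Type = Start

def encode_attrs(attrs):
    """Serialise [(type, value_bytes), ...] as RADIUS type/length/value triples."""
    out = b""
    for t, v in attrs:
        if len(v) > 253:
            raise ValueError("attribute value too long for one AVP")
        out += struct.pack("!BB", t, len(v) + 2) + v
    return out

def decode_attrs(data):
    """Parse the attribute area into {type: value}; rejects truncated or zero-length AVPs."""
    attrs, i = {}, 0
    while i < len(data):
        t, l = struct.unpack("!BB", data[i:i + 2])
        if l < 2 or i + l > len(data):
            raise ValueError("malformed attribute")
        attrs[t], i = data[i + 2:i + l], i + l
    return attrs

def _password_xor(data, secret, request_auth, hiding):
    """RFC 2865 s.5.2: each 16-byte block is XORed with MD5(secret + previous *cipher*
    block), the first with MD5(secret + Request Authenticator). Same code both ways;
    only which block is chained differs, so both ends must hold the same secret."""
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], key))
        out, prev = out + block, (block if hiding else data[i:i + 16])
    return out

def hide_password(password, secret, request_auth):   # NAS side: pad to 16n, then hide
    return _password_xor(password + b"\x00" * (-len(password) % 16), secret, request_auth, True)

def reveal_password(hidden, secret, request_auth):   # server side: reveal, then unpad
    return _password_xor(hidden, secret, request_auth, False).rstrip(b"\x00")

def signed_packet(code, ident, body, chained, secret):
    """Header + MD5(Code+ID+Length+chained+Attributes+Secret) + body. chained is the
    Request Authenticator for replies (RFC 2865 s.3) and 16 zero octets for an
    Accounting-Request (RFC 2866 s.3); without the secret it cannot be produced."""
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return header + hashlib.md5(header + chained + body + secret).digest() + body

def nas_access_request(secret, ident, username, password):
    """What the switch/AP/VPN box sends; returns (packet, request_authenticator)."""
    request_auth = os.urandom(16)
    body = encode_attrs([(USER_NAME, username),
                         (USER_PASSWORD, hide_password(password, secret, request_auth))])
    packet = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + request_auth + body
    return packet, request_auth

def nas_accounting_start(secret, ident, username):
    """RFC 2866: the NAS reports that a session began (Acct-Status-Type = Start)."""
    body = encode_attrs([(USER_NAME, username), (ACCT_STATUS_TYPE, struct.pack("!I", ACCT_START))])
    return signed_packet(ACCOUNTING_REQUEST, ident, body, b"\x00" * 16, secret)

def server_handle(packet, secret, identity_backend):
    """Translator role: recover the credentials, ask the identity store (AD/LDAP in
    practice; any callable here) and reply Access-Accept + authorization, or Reject."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Access-Request")
    request_auth, attrs = packet[4:20], decode_attrs(packet[20:])
    if USER_NAME not in attrs or USER_PASSWORD not in attrs:
        raise ValueError("missing User-Name or User-Password")
    authz = identity_backend(attrs[USER_NAME],
                             reveal_password(attrs[USER_PASSWORD], secret, request_auth))
    reply_code, body = ACCESS_REJECT, b""
    if authz is not None:   # authorization rides back inside the Access-Accept
        reply_code = ACCESS_ACCEPT
        body = encode_attrs([(SESSION_TIMEOUT, struct.pack("!I", authz["session_timeout"])),
                             (TUNNEL_PRIVATE_GROUP_ID, b"\x00" + authz["vlan"])])
    return signed_packet(reply_code, ident, body, request_auth, secret)

def nas_check_reply(reply, request_auth, secret):
    """The NAS recomputes the whole signed reply and compares before acting on it."""
    code, ident, _ = struct.unpack("!BBH", reply[:4])
    expected = signed_packet(code, ident, reply[20:], request_auth, secret)
    if not hmac.compare_digest(expected, reply):
        raise ValueError("Response Authenticator mismatch: wrong secret or tampered reply")
    return code, decode_attrs(reply[20:])

def lookup_user(username, password):
    """Constructed stand-in for the AD/LDAP lookup; returns authorization or None."""
    ok = username == b"alice" and hmac.compare_digest(password, b"correct horse")
    return {"session_timeout": 3600, "vlan": b"20"} if ok else None

def demo(username=b"alice", password=b"correct horse", secret=b"constructed-secret"):
    req, ra = nas_access_request(secret, 7, username, password)
    return nas_check_reply(server_handle(req, secret, lookup_user), ra, secret)
```

`demo()` runs the round trip NAS → server → NAS and returns the reply code plus the authorization attributes the NAS would enforce (session timeout and VLAN). If the two ends hold different secrets, the server cannot recover the password and answers Access-Reject, and the NAS then refuses that reply because the Response Authenticator does not verify: that is the whole security model of plain RADIUS, which is why the second answer calls the static shared secret a sorry concept; RADIUS over TLS (RFC 6614) is the standard way to stop relying on it where both ends support it. Note also that this User-Password hiding is the PAP case; 802.1X wireless runs EAP inside EAP-Message attributes, so the password never appears as a User-Password attribute there.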
RADIUS Servers have traditionally been the open source alternative for platforms using per-user authentication (think wireless network that needs username and password) vs PreShared Key (PSK) architectures.
In recent years, many RADIUS-based systems now offer the ability to tap into Active Directory using basic LDAP connectors. Again the traditional implementations of RADIUS are network access related vs. Active Directory which can have a whole range of uses/implementations.
To answer your question, even if you can connect with AD creds, you may still need to use the RADIUS server to manage the session for the wireless client once they've authenticated via AD.
- No, but RADIUS has the notion of session timeouts where a user will be disconnected after a certain period of time. – HashHazard Jul 14 '16 at 18:43
- What does RADIUS have to do with open source? RADIUS is just a standardized protocol! ;-) RADIUS servers are not per se open source... unfortunately. – cornelinux Jul 16 '16 at 22:21
- @cornelinux fair point on the notion of it being *just* a protocol, but for the second part... http://freeradius.org/related/opensource.html – HashHazard Jul 17 '16 at 02:15
- This is a list of open source RADIUS servers. Most of those do not exist anymore (since FreeRADIUS is so successful). But you might also compile a list of closed source RADIUS servers containing Radiator and NPS. – cornelinux Jul 17 '16 at 06:17
- I was merely providing evidence that open source RADIUS servers exist in reply to your comment. No need to drag this out. I'm good if you're good. ;) – HashHazard Jul 17 '16 at 12:35