RADIUS (Remote Authentication Dial-In User Service) is a networking protocol that provides client authentication, authorization, and accounting for the network. RFCs 2865 and 2866 describe RADIUS and RADIUS Accounting, respectively.
The RADIUS protocol is implemented by a number of servers, including FreeRADIUS and Steel-Belted Radius.
A strong authentication server is one that protects applications and other network resources such as Virtual Desktop Infrastructures and Cisco VPNs.
It supports various authentication methods, such as password-based and one-time password authentication.
If a RADIUS server is installed (to protect access to a network) side by side with a strong authentication server (to protect access to network resources), it is advantageous to integrate the two servers so that the end user can access the resources he needs by signing on once (Single Sign-On, or SSO).
miniOrange can configure our Authentication product in three possible ways with your RADIUS server.
Side by Side - Use an existing RADIUS server and configure it side by side to delegate authentications to your Authentication Server
PROS: Quick turnaround compared to other options. Uses the existing RADIUS implementation. Supports PAP, PAP with a Shared Secret, EAP-TLS
CONS: Messy configuration, heavy footprint
Include and Extend - Use an existing RADIUS server and an existing extensible mechanism to delegate authentications to your Authentication Server
PROS: Better design than above, supports PAP, PAP with a Shared Secret, EAP-TLS
CONS: Heavier footprint than above
Custom RADIUS - Implement a custom RADIUS implementation and delegate authentications to your Authentication Server
PROS: Best design, very lightweight. Supports PAP, PAP with a Shared Secret, CHAP, MSCHAP, EAP-TLS
CONS: Complex implementation
Recommendation - Depending on the business case, go with a staged approach: implement Option 1 or 2 in the short term while exploring Option 3, then implement Option 3 in the mid to long term.
miniOrange has a lot of experience in implementing the RADIUS protocol and, depending on the business scenario, can evaluate and implement one of these three options:
Side by Side
Use an existing RADIUS server and configure it side by side to delegate authentications to your Authentication Server. This option offers a quick turnaround and supports PAP, PAP with a Shared Secret, and EAP-TLS, but the configuration is not easy to set up.
Include and Extend
Use an existing RADIUS server and an existing extensible mechanism to delegate authentications to your Authentication Server. This leads to a better design and also supports PAP, PAP with a Shared Secret, and EAP-TLS, but has a heavier footprint than the option above.
Custom RADIUS
Implement a custom RADIUS implementation and delegate authentications to your Authentication Server. This is a complex implementation, but it is the best design and very lightweight. It also supports PAP, PAP with a Shared Secret, CHAP, MSCHAP, and EAP-TLS.
Sample Use Cases
Strong Authentication Server and RADIUS integration can be done in the context of the following two use cases:
An end user wants to access his Virtual Desktop using VMware View, which is protected by a RADIUS server that in turn delegates all authentication requests to your Strong Authentication Server.
An end user wants to access a Virtual Private Network using Cisco VPN, which is protected by a RADIUS server that in turn delegates all authentication requests to your Strong Authentication Server.
Sample End to End Flow
The end user clicks on the VDI client. The VDI client sends a request to connect to the VDI server
The VDI server is configured to use RADIUS 2-factor authentication, so it delegates to the RADIUS server
The RADIUS server is configured to use your Strong Authentication Server for authentication, so it delegates to the RADIUS Interface
The RADIUS Interface interprets the incoming requests and calls the appropriate APIs (e.g. for 1st factor authentication - user ID and password) on your server
Your server API returns success for 1st Factor Authentication
The RADIUS Interface issues a challenge since the first factor was successful
The user on the VDI interface gets a screen where he enters the OTP generated on his mobile phone
The OTP reaches the right strong authentication API through the same route again
The API returns success for the 2nd factor
The user gets access to his Virtual Desktop
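The decision logic of the RADIUS Interface in the flow above, as an added example rather than miniOrange code: it shows how the challenge can be bound to the first-factor success with a single-use, expiring State value so the OTP step cannot be reached or replayed on its own. The user store, verify_password, verify_otp and the RadiusInterface class are hypothetical stand-ins for your server's APIs; attributes are modelled as a dictionary rather than parsed from packets.

```python
import hmac
import secrets
import time

# Constructed sample data standing in for the strong authentication server.
USERS = {"alice": {"password": "correct horse", "otp": "492817"}}

def _check(user, field, value):
    rec = USERS.get(user)
    return rec is not None and hmac.compare_digest(rec[field].encode(), value.encode())

def verify_password(user, password):   # hypothetical 1st-factor API
    return _check(user, "password", password)

def verify_otp(user, otp):             # hypothetical 2nd-factor API
    return _check(user, "otp", otp)

class RadiusInterface:
    """Maps each Access-Request to Access-Challenge, Access-Accept or Access-Reject."""

    def __init__(self, ttl=60, clock=time.monotonic):
        self.pending = {}              # issued State value -> (user, expiry time)
        self.ttl, self.clock = ttl, clock

    def handle(self, attrs):
        user = attrs.get("User-Name", "")
        secret = attrs.get("User-Password", "")
        state = attrs.get("State")
        if state is None:
            # First Access-Request: check user ID and password.
            if not verify_password(user, secret):
                return {"Code": "Access-Reject"}
            token = secrets.token_hex(16)
            self.pending[token] = (user, self.clock() + self.ttl)
            return {"Code": "Access-Challenge", "State": token,
                    "Reply-Message": "Enter the OTP from your phone"}
        # Challenge response: the OTP arrives in User-Password with our State echoed.
        issued = self.pending.pop(state, None)   # pop makes the State single-use
        if issued is None:
            return {"Code": "Access-Reject"}     # never issued, or already used
        owner, expiry = issued
        if owner != user or self.clock() > expiry or not verify_otp(user, secret):
            return {"Code": "Access-Reject"}
        return {"Code": "Access-Accept"}

def demo():
    iface = RadiusInterface()
    first = iface.handle({"User-Name": "alice", "User-Password": "correct horse"})
    second = {"User-Name": "alice", "User-Password": "492817", "State": first["State"]}
    return [first["Code"], iface.handle(second)["Code"], iface.handle(second)["Code"]]
```

Because a failed OTP also consumes the State, a wrong code sends the user back to the first factor; keep the State lifetime short enough that an abandoned login cannot be resumed later.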
Please contact us at email@example.com to get a quick answer on RADIUS AUTHENTICATION