
Designing a Zero Trust 802.1x Network

Key Points
  • Zero trust emphasizes continuous verification, limiting network access by user role and device context, ensuring no implicit trust for internal users.
  • RADIUS with digital certificates (EAP-TLS) verifies the identity of each device at every connection, removing shared, phishable or crackable passwords from network authentication.
  • Zero trust networks employ VLAN segmentation and runtime policy enforcement via RADIUS to control access, reduce risks, and limit attackers’ reach within network zones.
  • SecureW2’s Cloud RADIUS, with dynamic policy capabilities and certificate-based authentication, enables seamless zero trust implementation across remote and hybrid networks.

As hackers get more sophisticated and hands-on, network security strategies have to adapt to meet the new challenge. An old idea that has recently been given new life is the concept of zero trust networks.

This article will briefly discuss the tenets of a zero trust 802.1X network and the easiest way to implement zero trust policies on your WPA2-Enterprise network.

What is a Zero Trust 802.1X Network?

Zero trust is a security philosophy that can be boiled down to “never trust, always verify”.

Traditional network security relies on a strong perimeter: firewalls, VPNs, and robust RADIUS authentication at the network edge, ideally with digital certificates. The goal is to stop threats before they reach the vulnerable parts of your network.

The problem is that this paradigm assumes that all of the users on your network are trusted and authorized to access any resources contained within. There are few protections against internal attacks – whether they’re from an external attacker that infiltrated your defenses or a disgruntled employee exacting revenge.

Zero trust demands that security doesn’t stop at authentication. Users and devices should be constantly monitored, limited to only the necessary resources and applications, and require verification for each and every access request.

Why RADIUS is required for Zero Trust Security

A RADIUS server is a fundamental part of 802.1X authentication whether or not you’re operating under zero trust principles. In 802.1X the RADIUS server is the policy decision point: the switch or access point forwards every authentication attempt to it and enforces whatever answer it returns, so it is the first line of defense against malicious actors trying to get onto your network.

Not all RADIUS servers are created equal. A managed Cloud RADIUS like the one that SecureW2 offers has different features and capabilities than a self-hosted RADIUS built on FreeRADIUS or Microsoft NPS. Those additional features can be the difference between an effective zero trust network and a mediocre cybersecurity strategy.

Certificate-Based Authentication

Digital X.509 certificates should be mandatory for zero trust network authentication. A certificate binds an identity to a key pair, and only the holder of the matching private key can complete the EAP-TLS handshake, so the client is verified with much greater confidence than a password allows.

Passwords are often shared, phished, or cracked. A certificate’s private key is generated on the device and, when it is marked non-exportable or held in a TPM or secure enclave, cannot be copied to another device. Because EAP-TLS authentication is a signature with that key rather than a secret sent over the wire, there is nothing for an attacker to capture, replay, or brute-force.

Server certificate validation is the same principle applied in the other direction, from the client toward the network. A properly configured supplicant checks the RADIUS server’s certificate (relayed through the access point or switch) against a trusted CA and the expected server name before it presents its own credentials. That check is what stops a rogue access point broadcasting a look-alike SSID from harvesting passwords or tricking a device into authenticating to an attacker.
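As an added example (this is not SecureW2’s configuration or any vendor’s reference file), here is the relevant part of a Linux wpa_supplicant network block in its weak and corrected forms. The SSID, identity, file paths and the RADIUS server name radius.example.com are assumptions for illustration.

```conf
# WEAK: no ca_cert and no domain_match. The supplicant will accept any
# server certificate, so a rogue AP with the same SSID can complete the
# TLS handshake and harvest whatever the client sends next.
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="alice@example.com"
    client_cert="/etc/wpa_supplicant/alice.pem"
    private_key="/etc/wpa_supplicant/alice.key"
}

# CORRECTED: pin the issuing CA and require the server's certificate name
# to match the real RADIUS server before the client certificate is presented.
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="alice@example.com"
    # Only certificates chaining to this CA are accepted for the server.
    ca_cert="/etc/wpa_supplicant/corp-radius-ca.pem"
    # The server certificate's SAN/CN must match this name exactly.
    domain_match="radius.example.com"
    client_cert="/etc/wpa_supplicant/alice.pem"
    private_key="/etc/wpa_supplicant/alice.key"
}
```

The same two settings have equivalents in every managed-device platform (the trusted RADIUS certificate and the expected server name in Windows, macOS, iOS and Chrome OS 802.1X profiles); pushing them through onboarding or MDM is what makes the client-side half of the check enforceable at scale.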

Network Segmentation

Dividing users into groups of people with similar permission levels is a core tenet of zero trust. An organization’s developers don’t need access to payroll software, and HR doesn’t need access to source code. Sorting users into groups with identical permissions levels compartmentalizes both resources and risk.

Network segmentation is typically achieved with virtual LANs (VLANs). Users and devices should be assigned a VLAN by the RADIUS server, using the Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID attributes defined in RFC 3580, that contains only the resources their role needs. An attacker who compromises a device on that VLAN is confined to what the VLAN can reach.

Dynamic Policy Enforcement

Policy enforcement is the mechanism through which users and devices are usually sorted into VLANs, but there’s room to expand on the policies for a more secure internal environment. With SecureW2’s CloudRADIUS, you can perform dynamic, runtime-level policy enforcement.

By adding customizable attributes to the user and device profiles stored in the directory, clients can be dynamically sorted into the appropriate VLAN or authorized for other services such as VPN. Our CloudRADIUS not only checks the client certificate against the certificate revocation list, but also performs an LDAP-style lookup of the user or device in the directory at the moment of authentication, so a change in the directory (a disabled account, a new group membership) takes effect on the next connection without reissuing the certificate.
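The following is an added example (not SecureW2’s or FreeRADIUS’s code) covering both the VLAN assignment above and the runtime policy lookup just described: a runtime policy decision that consults a directory and a revocation list after the certificate has been validated, and the RFC 3580 tunnel attributes carried in an Access-Accept, with the RFC 2865 Response Authenticator the switch uses to check the reply. The directory entries, department-to-VLAN map, revoked serial number and shared secret are all constructed for the demonstration.

```python
# Added example: runtime RADIUS policy decision and RFC 3580 VLAN assignment.
# Not vendor code; directory, VLAN map, CRL and secret are constructed here.
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
ACCESS_REJECT = 3
ATTR_TUNNEL_TYPE = 64               # RFC 2868 tagged integer
ATTR_TUNNEL_MEDIUM_TYPE = 65        # RFC 2868 tagged integer
ATTR_TUNNEL_PRIVATE_GROUP_ID = 81   # RFC 2868 tagged string; VLAN ID per RFC 3580
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6

# Constructed stand-in for the directory queried at authentication time.
DIRECTORY = {
    "alice@example.com": {"department": "engineering", "status": "active"},
    "bob@example.com":   {"department": "hr",          "status": "active"},
    "carol@example.com": {"department": "engineering", "status": "terminated"},
}
VLAN_BY_DEPARTMENT = {"engineering": "20", "hr": "30"}
REVOKED_SERIALS = {0x1A2B}  # constructed stand-in for the issuing CA's CRL


def decide_policy(cert_identity, cert_serial):
    """Runtime policy after the EAP-TLS handshake has validated the certificate.
    A valid certificate is necessary but not sufficient: the serial must not be
    revoked and the directory must still say the identity is active and mapped
    to a VLAN. Returns (vlan_id, reason); vlan_id is None for a reject."""
    if cert_serial in REVOKED_SERIALS:
        return None, "certificate revoked"
    entry = DIRECTORY.get(cert_identity)
    if entry is None:
        return None, "identity not in directory"
    if entry["status"] != "active":
        return None, "account not active"
    vlan = VLAN_BY_DEPARTMENT.get(entry["department"])
    if vlan is None:
        return None, "no VLAN mapping for department"
    return vlan, "ok"


def tagged_int_attr(attr_type, value, tag=1):
    """RFC 2868 tagged integer: Type, Length, Tag, then a 3-byte value."""
    payload = bytes([tag]) + value.to_bytes(3, "big")
    return bytes([attr_type, 2 + len(payload)]) + payload


def tagged_string_attr(attr_type, value, tag=1):
    """RFC 2868 tagged string: Type, Length, Tag, then the string."""
    payload = bytes([tag]) + value.encode()
    return bytes([attr_type, 2 + len(payload)]) + payload


def vlan_attributes(vlan_id):
    """The three attributes a switch needs to place the port in a VLAN."""
    return (tagged_int_attr(ATTR_TUNNEL_TYPE, TUNNEL_TYPE_VLAN)
            + tagged_int_attr(ATTR_TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_IEEE_802)
            + tagged_string_attr(ATTR_TUNNEL_PRIVATE_GROUP_ID, vlan_id))


def build_response(code, identifier, request_authenticator, attrs, secret):
    """RFC 2865 section 3: Response Authenticator is
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    length = 20 + len(attrs)
    header = struct.pack("!BBH", code, identifier, length)
    resp_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + resp_auth + attrs


def authorize(cert_identity, cert_serial, identifier, request_authenticator, secret):
    """Server side: turn the policy decision into an Access-Accept carrying the
    VLAN, or an Access-Reject with no attributes."""
    vlan, reason = decide_policy(cert_identity, cert_serial)
    if vlan is None:
        return build_response(ACCESS_REJECT, identifier, request_authenticator, b"", secret), reason
    return build_response(ACCESS_ACCEPT, identifier, request_authenticator,
                          vlan_attributes(vlan), secret), reason


def verify_response(packet, request_authenticator, secret):
    """Switch side: recompute the Response Authenticator before trusting the reply."""
    header, resp_auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return hmac.compare_digest(resp_auth, expected)


def parse_vlan(packet):
    """Switch side: walk the attributes of an Access-Accept and return the VLAN ID,
    or None if the packet is a reject or carries no Tunnel-Private-Group-ID."""
    if packet[0] != ACCESS_ACCEPT:
        return None
    pos = 20
    while pos + 2 <= len(packet):
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2:
            return None  # malformed attribute; stop rather than loop forever
        if attr_type == ATTR_TUNNEL_PRIVATE_GROUP_ID:
            return packet[pos + 3:pos + attr_len].decode()  # skip the tag byte
        pos += attr_len
    return None


if __name__ == "__main__":
    req_auth, secret = bytes(range(16)), b"s3cret"
    for who in ("alice@example.com", "carol@example.com"):
        pkt, why = authorize(who, 1, 42, req_auth, secret)
        print(who, why, "VLAN", parse_vlan(pkt), "auth ok", verify_response(pkt, req_auth, secret))
```

The point of the example is that the certificate proves who the device is, and the directory lookup at authentication time decides what it may reach right now: Carol’s certificate is still valid, but her terminated status in the directory produces a reject, and a revoked serial is rejected regardless of what the directory says.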

Want to learn more about our Dynamic Policy Engine and the advantages of runtime-level policy enforcement for EAP-TLS authentication? Contact our experts here.

The Future of Remote Access Requires a Cloud RADIUS


The Covid-19 pandemic brought a lot of changes to the tech industry, but perhaps the most lasting change is the inclusion of more remote workers. Zero trust policies will be more important than ever to secure networks as everyone accesses them from home, further widening the trust gap.

An enterprise-grade Cloud RADIUS solution with digital certificate-based authentication is the most efficient way to protect your network and employees. Our turnkey managed PKI and #1 rated onboarding solution can integrate with your existing network infrastructure so that the upgrade is both affordable and simple.

We have options for organizations of all sizes. Click here to see our pricing.


Learn about this author

Patrick Grubbs

Patrick is an experienced SEO specialist at SecureW2 who also enjoys running, hiking, and reading. With a degree in Biology from College of William & Mary, he got his start in digital content by writing about his ever-expanding collection of succulents and cacti.
