As technology progresses, hackers have constantly upgraded their modes of attack, which include social engineering techniques to compromise the network space of an organization. Here’s a recent incident of a high-profile data breach involving credentials compromise, which once again exposed the vulnerability of credentials in a network domain.
It is pretty apparent that to counter these advanced cyberattacks, you must upgrade your network security infrastructure, and in doing so, you must evaluate the existing RADIUS servers used in your organization on a routine basis. In this article, we will compare the two most prominent RADIUS services and help you evaluate the one best for your organization.
Comparing FreeRADIUS and Jumpcloud
FreeRADIUS is an open-source RADIUS suite that includes multiple utilities, such as clients, servers, libraries, etc., to help admins customize their respective RADIUS. Since it is open source, it is very adaptable, especially with operating systems such as Unix and Linux, allowing it to provide various layers of authentication, authorization, and accounting.
Jumpcloud, on the other hand, utilizes a shared directory in the cloud to authorize, authenticate and manage various users, devices, and applications instead of on-premises IT infrastructure. Its RADIUS-as-a-Service (RaaS) provides pre-built, pre-configured, scalable, and managed RADIUS servers. Jumpcloud’s RaaS complements its directory by providing additional control to authenticate users and devices.
Let’s compare the different features of their RADIUS services to see where the difference lies.
Authentication Security
For reliable Wi-Fi authentication, organizations usually rely on 802.1X, an IEEE Standard for Port-Based Network Access Control (PNAC). The standard authentication protocol used in 802.1X in encrypted networks is the Extensible Authentication Protocol (EAP).
EAP is a point-to-point (P2P) authentication framework that enhances the security of the network server with its encrypted tunnel.
Currently, there are several authentication methods under EAP, but the most common ones used in modern wireless networking are:
- EAP-TLS
- PEAP-MSCHAPv2
- EAP-TTLS/PAP
These protocols have varying levels of security, as illustrated in the table below:
FreeRADIUS Authentication Security
Being an open-source RADIUS server, FreeRADIUS has supported almost all the authentication protocols since its inception. It is one of the earliest RADIUS servers to support EAP protocols, including EAP-TLS.
FreeRADIUS has an edge over Jumpcloud in authentication protocols, as it supports more of them, including the most secure, EAP-TLS.
Jumpcloud Authentication Security
Jumpcloud mainly uses EAP-TTLS/PAP and PEAP-MSCHAPv2 authentication methods to protect users’ credentials. It also provides dual client support of UDP (User Datagram Protocol) and TCP (Transmission Control Protocol) for reliable and compatible authentications.
While there’s no doubt that Jumpcloud’s products themselves are reliably secure, they are limited by the authentication methods supported by their infrastructure.
In PAP, the credentials are delivered over the air in “clear text,” which means they are not encrypted and can be read easily. Because PAP messages are not encrypted, an attacker who captures even a single cleartext message can cause trouble across the entire system. A Man-in-the-Middle (MITM) attack is the most common way to attack EAP-TTLS/PAP networks.
One of the other main protocols, PEAP-MSCHAPv2, also depends heavily on credentials and has known vulnerabilities. PEAP uses a modified TLS handshake and MSCHAPv2 for comparing credentials. Its encryption mechanism makes it easy for an attacker to decrypt the packets carrying user credentials, leaving them vulnerable.
EAP-TLS is the Most Secure 802.1X Authentication Method
EAP-TLS is a certificate-based authentication method that uses X.509 digital certificates instead of credentials, providing an extra degree of cryptographic security. It relies on asymmetric cryptography, which lets two parties exchange encrypted information over a public channel without fear of interception.
Unlike symmetric encryption, where the two parties must exchange a secret key before they can communicate, asymmetric encryption gives each party its own pair of public and private keys. The strength of the encryption makes it practically impossible to crack without knowing the private key, so even intercepted communication is safe from prying eyes.
One of the most significant benefits of EAP-TLS is that it can be extended to modern cloud infrastructures like Azure AD (Microsoft Entra ID) and Okta. Other auth protocols like TTLS/PAP were designed for on-premise environments and lack the support or rigor necessary for today’s cloud environment.
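The difference between the three methods can be checked on the client side. The following is an added example, not code from the article or from either product: it parses constructed 802.1X profiles in wpa_supplicant.conf syntax and reports which ones send a password (EAP-TTLS/PAP, PEAP-MSCHAPv2) and which skip validation of the RADIUS server certificate, the gap a MITM relies on. The server-validation check goes beyond what the article states; the SSIDs, file paths and hostname in the sample are assumptions.

```python
import re
# Constructed wpa_supplicant.conf sample (not from the article).
SAMPLE = """
network={
  ssid="ttls-pap"
  eap=TTLS
  phase2="auth=PAP"
  password="constructed"
}
network={
  ssid="peap"
  eap=PEAP
  phase2="auth=MSCHAPV2"
  ca_cert="/etc/ssl/corp-ca.pem"
  domain_suffix_match="radius.example.com"
}
network={
  ssid="tls"
  eap=TLS
  ca_cert="/etc/ssl/corp-ca.pem"
  domain_suffix_match="radius.example.com"
  client_cert="/etc/ssl/host.pem"
}
"""

def parse_networks(text):
    """Return one {key: value} dict per network={...} block."""
    nets = []
    for body in re.findall(r"network=\{(.*?)\n\}", text, re.S):
        pairs = (l.strip().split("=", 1) for l in body.splitlines() if "=" in l)
        nets.append({k: v.strip('"') for k, v in pairs})
    return nets

def audit(net):
    """Return findings for one 802.1X profile (empty list = none)."""
    findings = []
    eap = net.get("eap", "").upper()
    if eap in ("TTLS", "PEAP"):  # inner method carries a password
        inner = net.get("phase2", "").upper().replace("AUTH=", "")
        findings.append(f"password-based: {eap}/{inner}")
    # No pinned CA or server name: client accepts any RADIUS server (MITM).
    if not net.get("ca_cert"):
        findings.append("server certificate not validated (no ca_cert)")
    if not (net.get("domain_suffix_match") or net.get("domain_match")):
        findings.append("server name not checked")
    return findings

def report(text=SAMPLE):
    return {n.get("ssid", "?"): audit(n) for n in parse_networks(text)}
```

Calling `report()` on a real configuration file's contents returns a mapping from SSID to findings; only the EAP-TLS profile with a pinned CA and server name comes back empty.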
Customer User Experience
Both FreeRADIUS and Jumpcloud are superior services, consistently rated highly by their customers. According to customer reviews from TrustRadius, FreeRADIUS rates 8.6/10 stars while Jumpcloud scores 8.7/10 stars. It’s worth noting that FreeRADIUS is an open-source suite that can be customized to suit the needs of organizations, and hence there are fewer reviews due to limited ownership.
Let’s evaluate these reviews based on the different features to understand various end-user experiences.
FreeRADIUS User Experience
Since FreeRADIUS is an open-source platform, it has a universal reach in almost every market segment, from small to large enterprises. Also, being multi-threaded enables it to process multiple transactions in parallel, saving time and energy in the process.
The users’ reviews suggested that FreeRADIUS eliminated the use of shared passwords and strengthened the organization’s security. Also, FreeRADIUS enables admins to expand the capabilities of the RADIUS server by using their database for various services, such as accounting events.
Also, because FreeRADIUS is an open-source suite, the expense associated with it is almost negligible and depends solely on your organization’s existing infrastructure. Since no licensing is involved, customers need not worry about licensing costs, irrespective of the number of devices within their organization. That said, the open-source nature also means that there is no (free) configuration support and the costs of implementing 802.1X infrastructure remain.
While the general opinion among customers regarding FreeRADIUS has been positive, some users complained about its heavy dependence on third-party vendors to provide better accessibility. Some users also complained about the complexities involved in integrating FreeRADIUS with cloud Identity Providers such as Azure AD, Google, and so on.
Jumpcloud User Experience
While Jumpcloud’s product suite encompasses far more than just a RADIUS server, the same reviews suggest that its market share leans toward small businesses and the mid-market. It targets educational institutions, non-profit organizations, and government agencies as potential customers.
Jumpcloud is well-suited for small enterprises having fewer employees as their budget permits them to maintain their database on the cloud only. It provides SSO, LDAP, RADIUS, and MFA on the same platform, which many customers appreciate.
Along with smooth integration with different MDM vendors, Jumpcloud RaaS supports other non-Jumpcloud directories. Customers have also applauded its device policies and Wi-Fi management. The technical support is very cooperative, which is a great boon for small organizations that can’t always afford dedicated IT support.
Jumpcloud supports some innovative MDM features, but they are over-dependent on the operating systems’ native security measures and credentials. To provide better device immunity, some users suggested using innovative authentication methods for its RaaS, such as PUSH-MFA or QR codes.
There are also some naming issues with the VLAN assignment in its RaaS services, and some users felt its directory services could not act as a complete replacement for AD (Active Directory). Some users found the password reset policies and manual password entry cumbersome, as with other RADIUS services.
Challenges with FreeRADIUS and Jumpcloud
FreeRADIUS:
The biggest challenge while setting up a FreeRADIUS is configuring it with the existing database of your organization. Although flexible in nature, FreeRADIUS has certain limitations when it comes to integrating with both on-prem and cloud-based Identity Providers, such as resetting passwords, etc.
The next issue with FreeRADIUS is its over-dependence on the command line prompt for executing many simple instructions that can be challenging for many network admins. The CMD commands are not only outdated but also time-consuming in nature. The lack of a GUI is a common complaint among users.
Being an open-source suite, FreeRADIUS is obviously cost-effective, but configuring it with your existing network infrastructure might create additional complexities that can affect the overall budget of the organization. If you have a reliable onboarding solution that integrates natively with these IDPs, these limitations can certainly be minimized.
Jumpcloud:
The major challenge while using Jumpcloud RADIUS is the authentication protocol used to authenticate the users, i.e., EAP-TTLS/PAP and PEAP-MSCHAPv2, which are solely based on passwords.
Using credentials for authentication has many disadvantages compared to digital certificates. Passwords provide a single, weaker layer of security compared with the multi-layered security of certificates.
The password-changing policies also create a vulnerability in the system by providing a suitable environment for cyber attacks. These attacks can cause severe data breaches in which an organization’s sensitive data is lost over the air.
Cloud RADIUS for Every Organization
Both FreeRADIUS and Jumpcloud are pioneers in the networking arena and offer dependable RADIUS services. However, the authentication mechanisms adopted by their RADIUS servers are heavily dependent on credentials that a capable cyber-criminal or hacker could easily exploit.
Our Cloud RADIUS also practices advanced policy-based access control using diverse attributes that can be easily customized to suit the needs of any organization. It also has built-in redundancy to provide easier integration with cloud-based directories that can securely authenticate remote users.
SecureW2 offers a wide range of turnkey Managed PKI solutions that eliminate the drawbacks of credentials and provide seamless onboarding to certificate-driven security. Our Cloud RADIUS easily matches all the features of these two RADIUS services with additional capacity to deploy certificate-based 802.1X network authentication, the gold standard in network authentication.
You can book a call with us or check out our pricing page to see if SecureW2’s Cloud RADIUS solutions fit the authentication needs of your