A requirement for all WPA2-Enterprise networks is the use of a RADIUS server. A vital part of the network, the function of a RADIUS server is to authenticate the user and their device and authorize them for network access. The authentication process occurs each time a user reconnects to the network, and it takes the guesswork out of determining who is using your network.
Using a RADIUS is an effective way to boost network security and visibility, especially when considering that more than 80% of breaches in 2020 involved lost or stolen credentials or brute force. Each organization must choose between two RADIUS options: On-Site RADIUS or Cloud RADIUS. This organization decided to use SecureW2’s Cloud RADIUS because they wanted to get rid of all their on-premise servers. Below we’ll discuss the differences between cloud and on-site RADIUS servers to see which best suits different organizations.
Should I Use Cloud or On-Site RADIUS?
On-Site and Cloud RADIUS both serve the same function: they authenticate users and maintain the security of the network. Their differences bring out the strengths and weaknesses of each, so the decision falls to individual organizations weighing the options.
On-Site RADIUS
One of the benefits of mass market technology is the amount of available information. On-Site RADIUS is the first iteration of the technology that was developed, so there are many reputable distributors and many IT departments have experience using them.
An organization with this type of RADIUS has access to a vast collection of forums, documentation, and (ideally) trained professionals to assist with potential issues. Another benefit of being a mass market technology is that vendors offer copious add-ons and capabilities. This allows organizations to determine the level of complexity they want in their RADIUS and what its purpose will be in the network.
The setup process of an On-Site RADIUS is demanding, as it must be physically installed, configured, and maintained throughout its life. This represents an enormous cost in materials, facilities, and training, not to mention continued labor over time.
A recent white paper by DigiCert reveals the estimated cost differences between on-site and managed cloud RADIUS solutions. The difference is striking.
Modern On-Site RADIUS has a wide base and a long history of use, and it has spawned a lot of technology that allows it to accomplish additional functions. However, as the RADIUS becomes more complex, so does the setup process.
In addition, an On-Site RADIUS has no built-in redundancy. Redundancy is the act of transferring authentication requests to another server if the first server cannot handle a high traffic event. So, if an On-Site RADIUS is overloaded, it cannot transfer requests unless you have two servers (and some companies will require you to purchase two licenses for that privilege). This server type offers much to consider, so how does a Cloud RADIUS stack up?
Cloud RADIUS
The most apparent benefits of a Cloud RADIUS are the general advantages of cloud technology. It is always readily available with built-in redundancy, there is just one license, and it is more cost efficient because there is no hardware to deal with and no physical installation.
Setting up a Cloud RADIUS is also a simple process. You first configure the secure SSID on a WPA2-Enterprise network. After that, set up the cloud RADIUS in the controller or AP by sharing the RADIUS IP and the shared secret. You’re all done.
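What the shared secret entered in the controller or AP does on the wire, as an added example (not SecureW2's code): both sides key the RADIUS packet checks of RFC 2865 and RFC 3579 with it, so a mistyped secret makes every request and reply fail verification. The secret, user name and packets are constructed sample values, and the Message-Authenticator is assumed to be the last attribute.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, MESSAGE_AUTHENTICATOR = 1, 80  # attribute types (RFC 2865, RFC 3579)

def attr(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as type, length, value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_access_request(secret: bytes, ident: int, user: str, req_auth: bytes) -> bytes:
    """AP side: Access-Request carrying a Message-Authenticator as its last attribute."""
    attrs = attr(USER_NAME, user.encode()) + attr(MESSAGE_AUTHENTICATOR, bytes(16))
    packet = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs
    # HMAC-MD5 over the packet with the attribute value zeroed, keyed by the shared secret.
    return packet[:-16] + hmac.new(secret, packet, hashlib.md5).digest()

def verify_request(secret: bytes, packet: bytes) -> bool:
    """Server side: recompute the Message-Authenticator (assumed to be the last attribute)."""
    expected = hmac.new(secret, packet[:-16] + bytes(16), hashlib.md5).digest()
    return hmac.compare_digest(expected, packet[-16:])

def build_response(secret: bytes, code: int, request: bytes, attrs: bytes = b"") -> bytes:
    """Server side: Response Authenticator = MD5(header + RequestAuth + attrs + secret)."""
    head = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return head + hashlib.md5(head + request[4:20] + attrs + secret).digest() + attrs

def verify_response(secret: bytes, request: bytes, response: bytes) -> bool:
    """AP side: accept a reply only if it matches our request and our shared secret."""
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return response[1] == request[1] and hmac.compare_digest(expected, response[4:20])

def demo() -> dict:
    """Constructed values: same secret on both sides, then a mistyped secret on the AP."""
    server_secret, ap_typo = b"constructed-shared-secret", b"constructed-shared-secrte"
    req_auth = bytes(range(16))  # fixed for a repeatable demo; real APs use random bytes
    good = build_access_request(server_secret, 7, "alice@example.com", req_auth)
    bad = build_access_request(ap_typo, 7, "alice@example.com", req_auth)
    accept = build_response(server_secret, ACCESS_ACCEPT, good)
    return {
        "matching_request": verify_request(server_secret, good),
        "mistyped_request": verify_request(server_secret, bad),
        "matching_reply": verify_response(server_secret, good, accept),
        "mistyped_reply": verify_response(ap_typo, good, accept),
    }

if __name__ == "__main__":
    print(demo())
```

Because the secret is the only key protecting these checks, it should be long, random, and unique per RADIUS client.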
SecureW2’s CloudRADIUS is generated automatically for our users and benefits from built-in redundancy, meaning a high traffic event won’t slow down the authentication process. Overall, efficiency is the theme for Cloud RADIUS, as it benefits from lack of hardware and associated costs over time.
In fairness, cloud technology and cloud RADIUS servers in particular are a newer phenomenon. There is limited information in circulation, so there is a chance of experiencing an issue that vendors haven’t seen before and cannot immediately solve. That risk is limited, and every day advances in crowdsourcing and AI pave the way to correct errors and improve features to match the reliability of an On-Site RADIUS.
With the rise in remote work, more organizations are relying on remote VPN connections to ensure their users can access the resources they need. Cloud RADIUS is perfectly set up to protect these vulnerable connections from over-the-air attacks. A combination of EAP-TLS, certificates, and MFA allows organizations to provide a fast and secure connection for remote users. This is especially useful for implementing Zero Trust Network Access policies due to the inherent device trust provided by certificates.
SecureW2’s Cloud RADIUS also comes with dynamic authentication capabilities. Traditionally, certificates are a static authentication method and cannot be edited. With dynamic authentication, Cloud RADIUS can communicate directly with the IDP, allowing for real-time adjustments to a user’s profile. As a result, a user’s policy settings can be updated and immediately applied when authenticating.
A commonly mentioned limitation of Cloud RADIUS is that it requires cloud connectivity, so if the cloud goes down, users are unable to authenticate. This is a legitimate concern, but consider if this happened with the alternative. If local RADIUS servers go down, being unable to authenticate also locks the users out of network access.
Besides, most Cloud RADIUS servers (including ours) are hosted on AWS and have a 99.9% uptime.
Cloud RADIUS is Better than On-Site RADIUS for Most Organizations
If you can justify the immense startup costs and ongoing maintenance of an on-site RADIUS, more power to you. It’s a valid option for very large or very niche organizations.
For most people, however, the affordability and convenience of a Cloud RADIUS far outweigh those of an on-site/on-prem RADIUS. It’s more scalable and it leverages newer, more secure technology.
If you are considering a Cloud RADIUS solution, check out our aptly named Cloud RADIUS product. SecureW2 offers affordable options for organizations of all shapes and sizes.