As YubiKeys achieve widespread adoption, the industry keeps finding more and more uses for the powerful little device. One of the more interesting use cases for YubiKey is AAA/RADIUS authentication. The key already has all the hardware necessary for secure 802.1X authentication and even certificate-based EAP-TLS.
By integrating YubiKeys into a PKI, you can deploy them to authenticate almost everything:
- Desktop login
- Wi-Fi
- VPN
- SSH
- Email clients
- Web applications
Physical security tokens like the YubiKey are becoming increasingly important as we revert to more “analog” methods of cybersecurity to protect against wireless attacks. Here’s how you can use YubiKeys to protect your network by integrating them with your RADIUS.
Why Use YubiKeys for RADIUS Authentication?
There’s a lot crammed into that tiny, USB-equipped package. YubiKeys are capable of multiple factors of authentication by themselves:
- “Something you are” – biometric identification
- “Something you have” – physical security key/token
- “Something you know” – PIN
But pillars of authentication aside, YubiKeys have a multitude of other features that make them particularly valuable for network authentication. Since so many of those features are based on principles of public key cryptography, it makes them well-suited for use in a network with a Public Key Infrastructure (PKI).
For example, many models of Yubikey come equipped with a hardware security module (HSM). This secure cryptoprocessor can generate its own certificate for attestation, an important part of the process of establishing trust. It can also be configured to store externally generated certificates with the help of a third-party smart card management system (SCMS) like SecureW2.
The ability to use custom certificates issued by your PKI is a big upgrade to the base abilities of the Yubikey. With SecureW2’s Yubikey solution, you can create certificate templates that enable Yubikeys to authenticate desktop login, Wi-Fi, VPN, SSH, and more. Yubikeys can be configured with client certificates that are tied to users’ directory profile, enabling dynamic role-based access control with SecureW2’s CloudRADIUS.
For more information on how to use Yubikeys for real-time policy enforcement, click here to talk to our experts.
Even after users have used their Yubikey to login to their workstation and to connect to your 802.1X network, the security key’s work is not done. Since it’s tied directly to the user’s identity in your IDP, the Yubikey can be used to authenticate email clients and other web services using the FIDO2 and U2F protocol. Users enjoy the same quick, passwordless access to the software they use on a daily basis without the hassle or risk of credential management.
How to Configure YubiKeys for RADIUS Authentication
There are a few ways to set up YubiKeys to authenticate to a RADIUS.
The first method is the one detailed on the Yubico site, but both the documentation and the configuration leave something to be desired. It requires you to use FreeRADIUS configured with PAM in a Debian environment, and every key has to be manually configured via command prompts.
Obviously that’s not an optimal configuration for the majority of organizations. Even if you don’t mind setting up and maintaining the Debian installation, scaling up YubiKey configuration (and inevitable reconfiguration) for the whole organization is a daunting task. Furthermore, this method doesn’t allow you to implement effective role-based access control.
If you already have an Azure environment, you might be interested in our industry-unique Windows Hello for Business Yubikey integration. Despite the official functionality being deprecated by Microsoft and Yubico, SecureW2’s proprietary YubiKey SCMS enables secure authentication for Windows Hello, and indirectly, RADIUS.
The best way to use Yubikeys for RADIUS is also the simplest – onboard them to your PKI so that they can be equipped with certificates to validate to a multitude of applications and services. SecureW2 is the industry’s only solution for automatically configuring YubiKeys at scale instead of individually via command prompts. It also lets you set custom PIN/PUK requirements to control if users can reset their devices themselves.
Efficiently Onboarding YubiKeys for Authentication
Ultimately, your network’s security depends on everyone following protocol. As is always the case in security, adherence to protocol is largely dependent on how inconvenient it is to follow procedure. That’s why user-experience is so critical to security strategy – it’s most efficient to remove obstacles a user might encounter.
Yubikeys equipped with digital X.509 certificates represent the best of both worlds – a passwordless, touch-activated authenticator that works for every service a user needs to access while being protected by ironclad public key cryptography.
We have affordable options for organizations of all sizes. Click here to see our pricing.
