WPA2-Personal is common in homes and cafes: a security type that requires only a pre-shared key (PSK). Some networks cannot be secured with a single shared password; they need a username and a unique password for every user. That is typically a WPA2-Enterprise network, and it is the AAA server that provides the security it needs.
AAA plays an important role in network access control, but how does it actually work? Let’s discuss this.
What are AAA servers?
Fig: AAA setup
AAA stands for Authentication, Authorization, and Accounting. You might have heard of two AAA servers: RADIUS and TACACS+. Modern WPA2-Enterprise networks use the RADIUS protocol almost exclusively, so you’re unlikely to encounter TACACS+ in the field.
AAA servers perform several very important functions:
- granting or denying access to a network
- providing varying levels of authorization to users
- keeping a record of all attempts to establish a network connection
Where are AAA servers used?
If you are an organization dealing with sensitive data, you need a secure method of transporting that data. AAA servers are used so your devices can communicate securely with access points. They are a major part of large organization networks such as enterprises, universities, and hospitals. With the growing threats in cyber security, AAA servers are rapidly being adopted by smaller businesses too.
Why do I need a AAA Server?
AAA servers are a WiFi security necessity: they replace a single pre-shared key with unique credentials per user or device.
These days users access their sensitive data on whatever network is at hand, whether a public hotspot, an airport, or a friend’s apartment. These environments use simple authentication based on a pre-shared key (PSK), which involves nothing more than remembering a single password.
Such networks are a major cause of data breaches. A survey found that 74% of IT decision makers whose organizations have been breached in the past say the breach involved abuse of privileged access credentials.
Therefore, the pre-shared key security most often used at home is not sufficient for professional use and can put an organization at serious risk of cyber crime.
How is AAA Set Up?
Imagine we are the supplicants (the users and their devices) and we want to connect to the network through an access point as depicted in the picture above.
Components of an AAA setup:
- Supplicant
- Switch/Access Point/Controller
- AAA Server (such as RADIUS)
For us to connect, we need to authenticate first, which involves verifying user credentials. In other words, we need to supply a username and password for network access. The switch/access point/controller takes these credentials and passes them to the AAA server (here, a RADIUS server). The RADIUS server confirms with the identity provider (not pictured) that the credentials match an authorized user and checks whether there are any special instructions regarding that user’s access level.
If there is a match in the identity provider, the user is authenticated to the network; if not, access is denied. Once verified, we are authorized to access resources on the network based on the access control policies set by the organization.
Finally, the AAA server fulfills the last part of its role: accounting. The authentication events described above are recorded in the RADIUS event log so they can be referenced later for troubleshooting or audits.
Credentials or Certificates? Two Modes of Authentication
AAA servers support both credential-based and certificate-based authentication, each with its own list of pros and cons.
Credentials:
- Poor UX (reset policies, complexity requirements)
- Easily decrypted
- Prone to over-the-air attacks (man-in-the-middle, evil twin attacks)
- Requires significant IT resources
Certificates:
- Uses uncrackable public-private key encryption
- Uses EAP-TLS, the most secure authentication protocol
- Superior UX, no need to remember or reset passwords
- Avoids over-the-air attacks (man-in-the-middle, evil twin attacks)
- Frees up IT resources
Click here to see how easy it was for our customers to switch from credentials to certificates.
How Do AAA Servers Work?
Initialization
The supplicant has the user’s credentials and connects with the switch/controller to initiate the authentication process.
Intermediary
The switch/access point/controller relays communication between the end-user device and the RADIUS server. This device is where you configure a Wi-Fi protocol such as WPA2-PSK or WPA2-Enterprise.
Authentication
Your AAA server can be configured with several authentication protocols.
EAP-TTLS/PAP and PEAP-MSCHAPv2 are common, if vulnerable, credential-based authentication protocols. EAP-TLS enables digital certificate authentication and is a highly secure method for protecting the authentication process.
The AAA server connects to your identity provider (IdP), such as Azure AD or Okta, to confirm that users have the correct certificate or credentials, preventing unapproved users from accessing the network.
Authorization
The AAA server communicates with a directory (on-premises or cloud) to identify what level of access each user has. Authorization applies the organization’s rules to resolve each user’s access request.
Accounting
Accounting involves recording which devices authenticated to the network and how long each session lasted. The device information, usually the MAC address and port number, is sent in an accounting packet to the server when the session begins, and the server receives a second message when the session ends.
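To make the authentication, authorization and accounting steps above concrete, here is a constructed, runnable model of the exchange between the access point (the NAS) and the RADIUS server. It is an added example, not SecureW2's code or any real RADIUS implementation; the shared secret, the user store standing in for the identity provider, the VLAN names and the MAC address are all made up. It frames packets the way RFC 2865 (authentication) and RFC 2866 (accounting) do, hides the User-Password with the RFC 2865 MD5 scheme used for plain PAP over RADIUS, has the server authenticate against the stand-in directory and return a VLAN assignment as the authorization decision, has the NAS verify the Response Authenticator before trusting the reply, and records Start/Stop accounting events. Note that a real WPA2-Enterprise deployment carries EAP messages inside RADIUS rather than a plain User-Password attribute; the simpler attribute is used here so the password hiding and the authenticators fit in a short example.

```python
"""Toy model of the NAS <-> RADIUS exchange (RFC 2865 authentication, RFC 2866 accounting).
Constructed example, not SecureW2 code; the shared secret, user store and MAC are made up."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCT_REQUEST, ACCT_RESPONSE = 1, 2, 3, 4, 5
USER_NAME, USER_PASSWORD, NAS_PORT, CALLING_STATION_ID = 1, 2, 5, 31
ACCT_STATUS_TYPE, ACCT_SESSION_ID, ACCT_SESSION_TIME, TUNNEL_PRIVATE_GROUP_ID = 40, 44, 46, 81
ACCT_START, ACCT_STOP = 1, 2
SECRET = b"constructed-shared-secret"  # assumed NAS <-> RADIUS shared secret
# Stand-in for the identity provider / directory: (password, VLAN the user is authorized for)
USERS = {"alice": ("correct horse", "staff-vlan"), "bob": ("s3cret", "guest-vlan")}
ACCOUNTING_LOG = []  # the "RADIUS event log" the article mentions

def encode_attrs(attrs):
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        length = data[i + 1]
        if length < 2:
            raise ValueError("malformed attribute")
        attrs.append((data[i], data[i + 2:i + length]))
        i += length
    return attrs

def packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def authenticator_for(code, ident, attrs, request_auth, secret=SECRET):
    """MD5(Code+ID+Length+RequestAuth+Attributes+Secret): RFC 2865 Response Authenticator;
    with sixteen zero bytes as RequestAuth it is the RFC 2866 Accounting-Request Authenticator."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + request_auth + body + secret).digest()

def password_xor(data, request_auth, hiding, secret=SECRET):
    """RFC 2865 5.2 User-Password hiding: XOR each 16-byte block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    data += b"\x00" * (-len(data) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        x = bytes(p ^ q for p, q in zip(block, hashlib.md5(secret + prev).digest()))
        out += x
        prev = x if hiding else block  # the chain always runs over ciphertext blocks
    return out

def nas_access_request(ident, username, password, mac):
    request_auth = os.urandom(16)
    attrs = [(USER_NAME, username.encode()),
             (USER_PASSWORD, password_xor(password.encode(), request_auth, True)),
             (NAS_PORT, struct.pack("!I", 7)), (CALLING_STATION_ID, mac.encode())]
    return packet(ACCESS_REQUEST, ident, request_auth, attrs), request_auth

def radius_access(pkt):
    """Authentication against USERS, then authorization (a VLAN assignment) on success."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    request_auth, attrs = pkt[4:20], dict(decode_attrs(pkt[20:length]))
    user = attrs[USER_NAME].decode(errors="replace")
    pw = password_xor(attrs[USER_PASSWORD], request_auth, False).rstrip(b"\x00")
    if user in USERS and hmac.compare_digest(USERS[user][0].encode(), pw):
        out_code, reply = ACCESS_ACCEPT, [(TUNNEL_PRIVATE_GROUP_ID, USERS[user][1].encode())]
    else:
        out_code, reply = ACCESS_REJECT, []
    return packet(out_code, ident, authenticator_for(out_code, ident, reply, request_auth), reply)

def nas_verify_response(pkt, request_auth):
    """The NAS honours a reply only if its Response Authenticator proves knowledge of the secret."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    expected = authenticator_for(code, ident, decode_attrs(pkt[20:length]), request_auth)
    return hmac.compare_digest(pkt[4:20], expected)

def nas_accounting_request(ident, username, session_id, status, session_time=0):
    attrs = [(USER_NAME, username.encode()), (ACCT_STATUS_TYPE, struct.pack("!I", status)),
             (ACCT_SESSION_ID, session_id.encode()), (ACCT_SESSION_TIME, struct.pack("!I", session_time))]
    return packet(ACCT_REQUEST, ident, authenticator_for(ACCT_REQUEST, ident, attrs, b"\x00" * 16), attrs)

def radius_accounting(pkt):
    """Accounting: verify the request authenticator, record the Start/Stop event, acknowledge."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    attrs = decode_attrs(pkt[20:length])
    if not hmac.compare_digest(pkt[4:20], authenticator_for(code, ident, attrs, b"\x00" * 16)):
        return None  # wrong shared secret or tampered packet: silently discarded (RFC 2866 4.1)
    a = dict(attrs)
    ACCOUNTING_LOG.append({"user": a[USER_NAME].decode(), "session": a[ACCT_SESSION_ID].decode(),
                           "status": "start" if struct.unpack("!I", a[ACCT_STATUS_TYPE])[0] == ACCT_START else "stop",
                           "seconds": struct.unpack("!I", a[ACCT_SESSION_TIME])[0]})
    return packet(ACCT_RESPONSE, ident, authenticator_for(ACCT_RESPONSE, ident, [], pkt[4:20]), [])

def run_session(username, password, mac="constructed-00:11:22:33:44:55", seconds=600):
    """Full AAA round trip as seen from the supplicant's side; returns (accepted, vlan)."""
    req, req_auth = nas_access_request(1, username, password, mac)
    resp = radius_access(req)
    if not nas_verify_response(resp, req_auth):
        raise ValueError("reply failed the Response Authenticator check")
    if resp[0] != ACCESS_ACCEPT:
        return False, None
    vlan = dict(decode_attrs(resp[20:]))[TUNNEL_PRIVATE_GROUP_ID].decode()
    session = f"{username}-0001"
    radius_accounting(nas_accounting_request(2, username, session, ACCT_START))
    radius_accounting(nas_accounting_request(3, username, session, ACCT_STOP, seconds))
    return True, vlan
```

Calling `run_session("alice", "correct horse")` walks all three A's and leaves a Start and a Stop record in `ACCOUNTING_LOG`; a wrong password or an unknown user yields an Access-Reject with no accounting records. The Response Authenticator check is the detail worth noticing: without it, anything on the path between the access point and the server could answer with a forged Access-Accept, because the reply itself carries no proof that it came from a party holding the shared secret. The MD5-based scheme that provides that proof is weak by modern standards, which is one reason deployments carry RADIUS over TLS (RadSec, RFC 6614) rather than plain UDP.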
The Leading AAA Solution
SecureW2’s JoinNow solution comes built-in with a world-class Cloud RADIUS server, providing powerful, dynamic policy-driven authentication. The keys to a successful RADIUS deployment are availability, consistency, and speed. Backed by AWS, SecureW2 Cloud RADIUS delivers high availability, consistent and quality connections, and requires no physical installation.
Ready to take the next step in improving user experience and hardening your network security? The transition process is easier than you think. Click here if you’d like to get in touch with one of our experts.