Though remote work wasn’t started by the Covid-19 pandemic, it has increased drastically to the point that working from home will be commonplace for many workers. Unfortunately that leaves organizations needing to figure out how to securely connect remote workers to on-premise applications and resources. 802.1X authentication is considered part of the golden standard of wireless security and organizations are looking for solutions to secure authentication for their remote workers.
Virtual Private Networks (VPN) provide the most secure way for companies to access their networks and private resources. More specifically, the Virtual Local Area Network (VLAN) feature is used for remote devices to be “virtually present” and connect to on-prem resources. Remote access is incredibly convenient but also relies on employees having access to company data at home. There are protocols in place, like Windows Remote Desktop Protocol, that allow users to access their company’s network from anywhere. The concern with VPN is that the protocols require the company’s network to be open to the internet, putting it at risk for cyber attacks. While these protocols are secured by username-password methods, hackers have no trouble nowadays finding passwords and breaching networks.
Luckily, this can be avoided and remote workers can securely access on-prem applications by using your RADIUS for VPN authentication.
RADIUS Authentication With VPN for Secure Remote Access
Yes, you can use your organization’s RADIUS to authenticate remote users. By configuring the VPN to connect to your office access point, the remote device can be “virtually” present and be authorized even by an on-premise RADIUS, though Cloud RADIUS services are easier and more secure.
The benefits of using your RADIUS in conjunction with VPN for remote access are twofold:
- It’s more secure. After the VPN connects to your office access point, the users undergo RADIUS authentication for network and resource access. Doubling up on protection keeps your traffic safe at all stages of the process.
- If your firewall, access point, or VPN doesn’t support user attributes or directory referencing, you can still use your RADIUS to implement security policies.
In fact, using your RADIUS to authenticate your users instead of a VPN is the security best practice no matter the situation. You don’t leave your network security to a third party in normal circumstances – why would you start now? This method ensures that ultimate control is still in your hands.
Enabling 802.1X with RADIUS and Certificates
The most secure iteration of RADIUS uses the EAP-TLS authentication protocol to authenticate users with digital certificates instead of credentials. Certificates eliminate the need for password-based authentication which in-turn eliminates the security risks usually associated with passwords. You no longer have to worry about the threat of phishing or MITM attacks and you have complete transparency over who is using your network. Certificates encrypt private data so a hacker wouldn’t be able to do anything if they get a hold of the certificate.
While certificates can prevent the rampant amount of credential theft that targets VPN users, many sysadmins are unclear about how to implement them. One of the main reasons is that Public Key Infrastructures (PKI), which are required to implement certificates, were once incredibly complex systems to configure and manage.
To use certificates for VPN, you just need to do a couple things.
- Enroll end devices or security keys for Client Certificates
- Upload a Root or Intermediate CA on your Firewall, VPN Gateway, and RADIUS Server
If this seems at all difficult; SecureW2 is here to help. Our #1 rated VPN certificate enrollment software integrates with any SAML or LDAP directory and any VPN vendor. You can easily allow any end user to get authenticated and self-enroll their device for a certificate.
Once users have been enrolled for a certificate, the RADIUS server can use that to verify the level of permissions they have. You can create and customize group security policies to segment users into different levels of resource access, control who has access to Wi-Fi, VPN, and other company resources.
Use CloudRADIUS to Secure VPN Authentication
With SecureW2’s CloudRADIUS authentication service, you not only have the ability to authenticate your certificates, you can also check user, group, and device information in your Identity Provider at the moment of authentication. For example, you can set up groups for different organizational departments: the finance team, the marketing team, the IT team, and assign them to unique VLANs. You can also deny or allow network access based on attributes like NAS-ID, User Roles, and much more.
Check out our pricing page and we can get you set up with a state of the art VPN solution that ensures your companies resources stay private.