Authentication security is a diverse field with a large number of options for organizations to choose from. How to authenticate your users to a secure network is a difficult decision, because authentication is one of the primary lines of defense against outside attacks.
One of the most commonly used methods is Microsoft's NPS (Network Policy Server) for RADIUS authentication. While NPS is known for its consistency, organizations moving toward cloud-based identity (such as Azure Active Directory) run into a problem: NPS authenticates against on-premises Active Directory and has no native way to use Azure AD as its identity source. How can organizations modify NPS to work with Azure, and is it the most effective solution for that purpose?
What Is The NPS Extension?
As stated, NPS on its own cannot use cloud-based identity. To address this, Microsoft developed an extension to NPS that lets it work with Azure Active Directory Multi-Factor Authentication (Azure AD MFA). The extension essentially works as an adapter between NPS and Azure AD MFA: NPS still performs the primary authentication against on-premises Active Directory, and the extension adds a cloud-based second factor to that result.
How Does The Extension Work?
Consider a user authenticating over a VPN connection. The VPN client sends its credentials to the NAS/VPN server, which wraps them in a RADIUS Access-Request that NPS can read. NPS performs the regular RADIUS authentication process (checking the primary credential against Active Directory) and, only if that succeeds, hands the request to the extension for a second factor through Azure AD MFA.
The NPS extension then starts the Azure AD MFA request. It looks up the user in Azure AD (the account must already be synchronized there and registered for MFA) and triggers the second authentication, for example a phone call or mobile app push. If Azure AD MFA confirms the user, the extension reports success back to NPS, NPS returns an Access-Accept to the NAS, and the user is connected to the secure network. If either stage fails, NPS returns an Access-Reject.
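The two-stage exchange described above, as an added example written for this article (it is not code from Microsoft, NPS, or SecureW2). The packet layout and PAP User-Password hiding follow RFC 2865; the user table and the `mfa_check` callback are constructed stand-ins for the directory lookup and the extension's call to Azure AD MFA. It also makes a point the article returns to later: with PAP, the RADIUS server (and anyone holding the shared secret) recovers the cleartext password.

```python
"""Simulated RADIUS exchange: NAS builds an Access-Request, the server checks the
primary credential, then asks a pluggable second-factor callback before answering.
Added example; RFC 2865 wire format, constructed stand-ins for everything else."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3   # RADIUS packet codes
USER_NAME, USER_PASSWORD = 1, 2                           # attribute types
HEADER = struct.Struct("!BBH")                            # code, identifier, length


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to a 16-byte multiple, XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Inverse of hide_password. Anyone holding the shared secret recovers the
    cleartext, which is why PAP over RADIUS is only as strong as that secret."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out, prev = out + _xor(block, hashlib.md5(secret + prev).digest()), block
    return out.rstrip(b"\x00")


def encode_attr(attr_type: int, value: bytes) -> bytes:
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def decode_attrs(data: bytes) -> dict:
    attrs = {}
    while data:
        attr_type, length = struct.unpack("!BB", data[:2])
        attrs[attr_type] = data[2:length]
        data = data[length:]
    return attrs


def build_access_request(username: str, password: str, secret: bytes,
                         ident: int = 1, req_auth: bytes = None) -> bytes:
    """What the NAS/VPN server sends: the client's PAP credentials in an Access-Request."""
    req_auth = req_auth or os.urandom(16)
    attrs = (encode_attr(USER_NAME, username.encode())
             + encode_attr(USER_PASSWORD, hide_password(password.encode(), secret, req_auth)))
    return HEADER.pack(ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs


def build_response(code: int, ident: int, req_auth: bytes, secret: bytes) -> bytes:
    """Access-Accept/Reject carrying the RFC 2865 Response Authenticator:
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret). No attributes here."""
    header = HEADER.pack(code, ident, 20)
    return header + hashlib.md5(header + req_auth + b"" + secret).digest()


def verify_response(resp: bytes, req_auth: bytes, secret: bytes) -> bool:
    """NAS side: reject a response whose authenticator was not made with the shared secret."""
    expected = hashlib.md5(resp[:4] + req_auth + resp[20:] + secret).digest()
    return hmac.compare_digest(resp[4:20], expected)


class RadiusServer:
    """Stage 1 mirrors NPS checking the primary credential against the directory;
    stage 2 mirrors the NPS extension asking Azure AD MFA for a second factor.
    `users` (name -> password bytes) and `mfa_check(username) -> bool` are stand-ins."""

    def __init__(self, secret: bytes, users: dict, mfa_check):
        self.secret, self.users, self.mfa_check = secret, users, mfa_check

    def handle(self, packet: bytes) -> tuple:
        code, ident, length = HEADER.unpack(packet[:4])
        req_auth = packet[4:20]
        attrs = decode_attrs(packet[20:length])
        if code != ACCESS_REQUEST or USER_NAME not in attrs or USER_PASSWORD not in attrs:
            return ACCESS_REJECT, "malformed request", b""
        username = attrs[USER_NAME].decode()
        password = reveal_password(attrs[USER_PASSWORD], self.secret, req_auth)
        # constant-time compare; an unknown user compares against b"" and fails
        if not hmac.compare_digest(password, self.users.get(username, b"")):
            return ACCESS_REJECT, "primary authentication failed", \
                build_response(ACCESS_REJECT, ident, req_auth, self.secret)
        # The second factor is only attempted once the first factor has passed.
        if not self.mfa_check(username):
            return ACCESS_REJECT, "second factor denied", \
                build_response(ACCESS_REJECT, ident, req_auth, self.secret)
        return ACCESS_ACCEPT, "ok", build_response(ACCESS_ACCEPT, ident, req_auth, self.secret)
```

Run it with a constructed user table and an `mfa_check` that approves only enrolled users: a correct password for an unenrolled user still ends in Access-Reject, which is the behaviour the article describes as all-or-nothing.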
Downside of NPS Extension
The NPS extension is effective at adding MFA to authentication requests, but as with many Microsoft products, it can be rather rigid in how it handles them. For one, the extension only acts on RADIUS authentication requests; any non-RADIUS request that reaches it will produce an error.
Which MFA options are available depends on the authentication protocol the RADIUS client uses (PAP, CHAPv2/MSCHAPv2, or an EAP method), so the choice of protocol constrains the choice of second factor.
PAP supports phone call, one-way text message, mobile app notification, and mobile app verification code. CHAPv2/MSCHAPv2 and EAP methods such as EAP-TLS support only phone call and mobile app notification, since those challenge/response exchanges give the user nowhere to enter a code. As a result, an organization may find itself choosing its authentication protocol based on which MFA methods it makes available, which is backwards given the large differences in security between these protocols.
Additionally, if an organization chooses to implement an MFA strategy with the extension, it is an all-or-nothing decision per NPS server: either every user authenticating through that server is subject to MFA, or none of them is. (Microsoft's REQUIRE_USER_MATCH registry setting can let users who are not yet enrolled for Azure AD MFA pass without a second factor, but there is no per-user or per-group MFA policy.) If you want MFA for only some users, it requires standing up a second NPS server.
Another situation where an organization would have to add another NPS server is redundancy. For larger organizations, or those that experience large authentication events, redundancy can be a requirement to handle the load. The NPS extension does not add any failover of its own: for one server to hand off authentication requests, there must be a second NPS server, also running the extension, that the NAS is configured to fail over to. The cost of one NPS server can be substantial, and it doubles when redundancy is a requirement.
Overall, the NPS extension is really only recommended for organizations implementing a new deployment rather than upgrading an existing one. The extension includes no tools to migrate existing users and settings to the cloud; users must already be synchronized to Azure AD and registered for Azure AD MFA before the extension can authenticate them. This can cause a significant slowdown, as existing users have to be updated by hand to accommodate the new cloud-based authentication method.
Cloud RADIUS Solution for Cloud Authentication
SecureW2's Cloud RADIUS with dynamic authentication is one of the most user-friendly authentication solutions for both admins and end users. Admins can integrate Cloud RADIUS with any existing network infrastructure and migrate users to Azure AD if desired.
When it comes to authenticating cloud requests, there is no middleman with Cloud RADIUS: the request comes in and the user is either granted or denied access. SecureW2 supports a wide range of EAP methods, but our bread and butter is transitioning organizations away from credential-based authentication (PAP and MSCHAPv2, which expose passwords or password hashes to the RADIUS server) and toward certificate-based authentication with EAP-TLS. Cloud RADIUS also does not restrict the MFA options available by authentication type.
For end users, the configuration process could not be simpler. The JoinNow onboarding solution is designed to be completed by users of every skill level. After a few clicks and a couple of minutes, the user's device is configured for authentication, ready for MFA, and provisioned with a certificate (in the case of EAP-TLS).
A new addition to Cloud RADIUS is the ability to perform dynamic authentication. In the past, if a certificate user needed updated permissions and policy settings, they would have to be issued new certificates. With dynamic authentication, Cloud RADIUS communicates directly with the IDP (in this case Azure AD) at authentication time. The admin simply updates the user's permissions in Azure AD, and Cloud RADIUS authorizes the user with their updated status without reissuing the certificate.
When considering the vast number of authentication security options available, it is important to establish the needs of your organization and how you want the network to operate. If your organization is a Microsoft-based outfit deploying a new NPS server and wants to enable cloud authentication, the NPS extension may be the right solution. But if you are scrambling to enable VPN and cloud authentication for remote workers, a more flexible solution such as Cloud RADIUS may be key.
Check out our pricing page to see if Cloud RADIUS can fit the needs of your organization.