Traditionally, the process of authenticating certificates for network access is independent of the user directory. And in a normally-functioning network environment, this is perfectly acceptable. Certificate-based authentication is ironclad and protects the network from unauthorized entry.
Only in very rare, specific circumstances does the lack of communication between the RADIUS and directory become an issue. In response, SecureW2 has introduced a solution to the vulnerability by implementing User Lookup with Dynamic RADIUS.
RADIUS Authentication with User Lookup
The usual process for authenticating certificates follows these basic steps:
- The user’s device enters the effective range of the secure network and automatically sends their certificate for authentication.
- The RADIUS server and device perform the TLS handshake, confirming that both the user and server certificates are trusted (and checking the Certificate Revocation List, CRL).
- The user is then authorized for network access.
This process happens without any interaction from the user and protects against an array of over-the-air attacks. But as stated above, specific circumstances can thwart this foolproof defense.
When a user leaves an organization, they are removed from the directory and their certificates are manually added to the CRL. If a certificate is missed and not added to the CRL, the now unauthorized user can still gain access to the network.
While this is a rare combination of circumstances, it can occur due to human error, which is the weakest link in any cybersecurity system. The 2019 Verizon Data Breach Investigations Report found that 34% of data breaches involved internal actors. Ensuring that a user is removed from the network properly is far too important to be left up to people.
A Dynamic RADIUS Solution
SecureW2’s Cloud RADIUS now offers a solution to the directory communication problem: Dynamic RADIUS. During the authentication process, Dynamic RADIUS communicates directly with the directory and executes User Lookup. It uses AMQP (Advanced Message Queuing Protocol) to allow the RADIUS server to communicate with our Dynamic Policy Engine. Essentially, the network gains the benefits of LDAP authentication without having to resort to credential-based authentication.
Allowing the RADIUS to communicate with the directory directly garners a number of benefits beyond enabling Identity Lookup. First off, it eliminates the CRL vulnerability we discussed above. When a user leaves the organization and is erased from the directory, they cannot be authenticated because User Lookup will yield no results. Even with a valid certificate, the user will not be able to authenticate.
Next, Dynamic RADIUS allows a user’s permissions, policies, etc., to be updated and propagated in real time. A common situation is that a user in an organization is promoted and needs a whole new set of network permissions to reflect their new role. In the past, they would have to be issued all new certificates to reflect this. With Dynamic RADIUS, their directory entry can simply be edited, eliminating the need to issue new certificates and revoke the old ones.
Lastly, it creates a security redundancy in the authentication process. In most circumstances, adding redundancy to a process is something to be avoided, but not in cybersecurity. Requiring a user to pass the CRL check and User Lookup process adds an extra layer of security to protect your entire network.
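The authorization decision described in this post, as an added example and not SecureW2's code: a small Python model that places the CRL-only check beside the CRL-plus-User-Lookup check, so the missed-revocation gap, the denial after directory removal, and the real-time permission change can all be exercised. The directory contents, group-to-VLAN mapping, certificate subjects and serial numbers are constructed for illustration.

```python
"""Model of the EAP-TLS authorization step with and without User Lookup.
Added example, not SecureW2 code; every identity, group, VLAN and serial
number below is constructed for illustration only."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ClientCert:
    subject: str   # identity carried in the certificate (e.g. a UPN)
    serial: int    # serial number, which is what a CRL lists when revoked


@dataclass
class Decision:
    allowed: bool
    reason: str
    vlan: Optional[int] = None


# Constructed directory: identity -> current group; groups map to VLANs.
DIRECTORY = {"alice@example.test": "engineering", "bob@example.test": "finance"}
GROUP_VLAN = {"engineering": 10, "finance": 20, "executives": 30}
# Constructed CRL: bob's cert (2002) was revoked when he left; carol also
# left, but her cert (2003) was never added, the gap the post describes.
CRL = {2002}


def crl_only(cert: ClientCert, crl=CRL) -> Decision:
    """Traditional flow: chain already validated, CRL is the only gate."""
    if cert.serial in crl:
        return Decision(False, "certificate revoked")
    return Decision(True, "valid certificate")


def with_user_lookup(cert: ClientCert, crl=CRL, directory=DIRECTORY) -> Decision:
    """Dynamic RADIUS flow: the CRL check AND a live directory lookup must
    both pass, and the VLAN comes from the directory, not the certificate."""
    if cert.serial in crl:
        return Decision(False, "certificate revoked")
    group = directory.get(cert.subject)
    if group is None:
        return Decision(False, "no directory entry for certificate subject")
    return Decision(True, f"directory group {group}", vlan=GROUP_VLAN[group])


if __name__ == "__main__":
    carol = ClientCert("carol@example.test", 2003)  # departed, CRL missed
    print(crl_only(carol))          # allowed: unrevoked cert is enough
    print(with_user_lookup(carol))  # denied: the lookup returns nothing
```

Editing the directory entry for an existing user (for example moving alice to a new group) changes the VLAN returned on the next authentication without touching her certificate.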
Overall, the benefits of Dynamic RADIUS and User Lookup are massive. It simplifies the management of certificates throughout a user’s tenure with the organization. A direct communication link is created between the RADIUS server and the Identity Provider for a secure authentication process that can’t be matched. And real-time certificate and policy editing makes certificate management even more efficient.
SecureW2’s certificate solutions cannot be matched, from streamlined onboarding to efficient management tools. User Lookup with Dynamic RADIUS is another network enhancement that is updating wireless networks to operate more efficiently and securely. It’s also the only way to achieve passwordless EAP-TLS authentication with cloud IDPs like Google, Okta, and Azure.
Check out our pricing page to see if our certificate solutions are right for your organization.