The first article in our series described the authentication process, whereby the RADIUS server prevents unauthorized users from accessing the system.
In today’s article, we’ll examine the second link in the RADIUS security chain: authorization.
RADIUS security is composed of three components: authentication, authorization, and accounting. These three links in the RADIUS security chain are often referred to by their acronym, “AAA”.
Authorization goes hand-in-hand with the authentication process. Authorization is the process that determines what an authenticated user can or cannot do while on the network.
Metaphorically speaking, the authorization process is used to decide which employees get to use the executive washroom and which don’t.
Why is authorization important?
Imagine what would happen if everyone who logged onto a network were allowed to do anything they wanted. (This scenario is actually far too common among corporate networks.) Users would be able to download and install any software, including viruses, Trojans, and spyware of all kinds. Clients could change the configuration of (or completely disable) firewalls and routers, or they could view and distribute sensitive customer data files. The list goes on and on.
Having rules for who can do what on the network is necessary to prevent accidental (or deliberate) chaos.
Authorization and RADIUS security
How can RADIUS security help with authorization? In a properly configured RADIUS server, authentication and authorization go hand-in-hand. The same process that verifies that a client has the proper credentials to access the network can also provide and enforce authorization. RADIUS authorization parameters define limits for each authenticated user, such as:
- what areas of the network the user can acces
- What network resources (such as servers and file shares) the user can access and to what degree (read-only vs. read-write)
- The length of time that the user is allowed to be on the network
- What type of network access is allowed (local wired access, wireless, access, virtual private network (VPN) access, and so on)
All of these parameters can be stored on the RADIUS server itself, or they can be stored on an external database such as LDAP or Active Directory.
RADIUS security is flexible enough to adapt to every organization’s particular situation.
How is RADIUS Authorization Enforced?
RADIUS security has many options and approaches when it comes to enforcing authorization. These approaches are classified as segmentation, filtering, and entitlement.
- Segmentation divides the network up into chunks, typically by use of a networking trick called virtual local area networks (VLANs). Each VLAN usually has a distinct purpose; for example, one VLAN may be intended for network printers, another for desktop computers, and another for wireless devices. RADIUS authorization can determine which VLANs a client has access to and can prevent access to the wrong ones.
- Filtering enforces access at a higher level of detail, restricting access to specific servers or even individual services on those servers. Filtering can even restrict the type of network traffic (file storage and retrieval, Internet access, etc.) that can be transmitted on a given network segment.
- Entitlements are more detailed still, down to the application level. These RADIUS authorization approaches (and others besides them) can be used individually or in combination. It all depends on the size of the network, the user base, and the level of sophistication required for your RADIUS security.
Implementing RADIUS Authorization
The guiding principle of authorization is the concept of least privilege. Least privilege means that each client is authorized only to the level of access needed to perform its duties and no more. RADIUS security can be the centerpiece of a robust authorization scheme that enforces this concept.
However, even with in-house RADIUS security expertise, RADIUS authorization is not a do-it-yourself job. There are many moving parts in RADIUS authorization, making it perilously easy to overlook something and to weaken the security of your network. For this reason, many organizations choose to bring in the Network RADIUS experts to set up and run their RADIUS security systems or, alternatively, to outsource the whole thing to Network RADIUS. Regardless of the approach used, your RADIUS security apparatus is not complete without an authorization strategy.
In our final article, we’ll review the last link in the chain that is RADIUS security: accounting. The accounting process tracks user activity on the network and is an essential part of your network security bookkeeping. Stay tuned.
Need more help?
InkBridge Networks has been helping clients around the world design and deploy their RADIUS infrastructure for 20 years. We specialize in complex systems and have seen pretty much every variation and problem out there. If you want help from the people who wrote freeRADIUS, visit our quote page to contact us for a consultation.