RADIUS and 802.1X Authentication Protocols
Cloudessa supports a comprehensive set of RADIUS and 802.1X authentication protocols. All of these protocols include a shared secret between the RADIUS client and the RADIUS server. Typically RADIUS clients are WiFi Access Points or Controllers, VPN’s or firewall devices.
- Older, non–802.1X compliant protocols include:
Password Authentication Protocol (PAP) – The user enters a username and a password. The password is encrypted using the RADIUS shared secret and then the username and the encrypted password are sent to the RADIUS server, the server verifies them against a user store. The password may be stored in the user store in plaintext or as a hashed value. If the verification is successful, Accept message is sent back to the RADIUS client. PAP is one of the oldest and mostly widely used protocols in wired networking. It is also used in wireless networks for Captive Portal authentication using web forms, and for the EAP–TTLS/PAP protocol suite.
Challenge Handshake Authentication Protocol (CHAP) – is more secure than PAP. With CHAP, the server sends a random “challenge” string to the client, along with the hostname. The client uses the hostname to determine the appropriate secret, combines it with the challenge and returns the information to the server. The server acknowledges the client, and permits access if the correct result is received. In such a way the password is never communicated over the network, improving security over PAP.
MS–CHAP v1 and v2 – is a Microsoft version of CHAP. MS–CHAP is an option in the Microsoft implementation of Point to Point Tunneling Protocol (PPTP).
MAC Authentication Bypass – important protocol which uses the MAC address of a device as the username and the password. Although this protocol is not particularly secure it is widely used for low security environments, such as guest access. Typically this protocol is emplemented by wired Layer 2 switches and Layer 2/3 gateways.
Digest is a widely used username/password protocol for Voice–over–IP systems.
MSISDN is a RADIUS protocol variation where Mobile Subscriber Integrated Services Digital Network–Number (MSISDN) is used as the authentication credential. This protocol is used by telecom RADIUS servers.
Newer, 802.1X compliant protocols are described below. For 802.1X the user client (supplicant), typically installed on a laptop or wireless device, authenticates to the RADIUS server through the Authenticator, such as Access Point or wired Ethernet switch. The Authenticator plays the role of the relaying party helping the Supplicant and the RADIUS server exchange messages. Once the authentication is complete, the RADIUS server sends Accept message to the Authenticator, and the user is permitted to use the network.
802.1X protocols typically include a combination of a secure tunnel, and then the inner authentication protocol which is used over the secure tunnel once the secure connection is established. The secure tunnels include Microsoft PEAP, TTLS and TLS. PAP, CHAP or MS–CHAP are typically used as inner authentication protocols.
PEAPv0 / MS–CHAPv2 – this protocol is the most widely supported Wi–Fi authentication protocol, it used Microsoft PEAP as secure tunnel and MS–CHAPv2 as the inner authentication protocol. It is supported by Microsoft, Apple, Android and Blackberry devices. The limitation of this protocol is that the password needs to be stored on the server side in plaintext and cannot be hashed. Another limitation is that this protocol does not work with external web services, such as Google Apps, which typically can verify the password, but will not give out the password.
EAP–TTLS / PAP – this protocol is uses Microsoft TTLS as secure tunnel and PAP as the inner authentication protocol. The password can be stored in hashed form, one can also use this protocol to authenticate against external web services. This protocol is supported natively on Android, Linux and Windows 8. On Apple devices, it is switched off by default and needs to be enabled. On older versions of Windows third party software such as SecureW2 needs to be installed to enable the protocol. A typical price of this third party software is $20–$50 per laptop.
EAP–TTLS / MSCHAPv2 – not frequently used combination of TTLS and MSCHAPv2
Cisco LEAP – Cisco proprietary protocol. Used in older Cisco hardware.
EAP–MD5 – Older protocol, not frequently used.
One of the main reasons for the ubiquitous use of RADIUS in access networks is the flexibility of the RADIUS attributes to enable the application of a consistent set of access security policies across different types of access gateways, from different vendors.
Standard RADIUS Attributes define how an access gateway is configured for a particular users session. RADIUS attributes carry specific authentication and authorization details.
For example, to initiate a user session, the access gateway sends Access–Request packets to a RADIUS server. The initial packet contains several attributes that identify the user, such as username, password and other identifiers.
If the authentication is successful, the server responds with the Access–Accept packet that contains attributes that define the user session, such as VLAN and bandwidth limits.
RADIUS is extensible. In addition to the standard RADIUS attributes, networking vendors incorporate specific RADIUS attributes to add new capabilities for communication with the RADIUS server.
These attributes are contained in a RADIUS dictionary file. Vendor–specific dictionary files contain a definition of RADIUS attributes that are used by each vendor.
With Cloudessa RADIUS, you can select the level where access is authorized: you can define attributes at the individual user level, at the group level, or at the Virtual RADIUS server level.
Cloudessa frequently updates the vendor–specific RADIUS dictionary options to ensure that the latest files are available.
Captive Portal Authentication
Cloudessa includes a powerful set of tools to build Captive Portals. These Captive Portals are web–based and hosted by Cloudessa. Cloudessa utilizes the UAM (Unified Access Method) standard and the Meraki EXCAP protocol to integrate with a wide variety of WiFi hardware, including Cisco, Meraki, Ruckus, Motorola, Aruba and others.
Cloudessa Captive Portal can include a number of authentication options, in particular:
- Social network login using Facebook, Twitter, and LinkedIn.
- Google Apps authentication
- Login with PayPal and the corresponding billing/payment capabilities
- SAML–based authentication utilizing Secure Assertion Markup Language. Examples of supported SAML providers are Ping Identity, Okta, Microsoft ADFS, and OneLogin.