InkBridge Networks - A new name for Network RADIUS

Don't "Set it and Forget it"

Keeping your RADIUS network secure

So you decided that whatever you were using for network security wasn’t getting the job done… Either it didn’t scale with the growth in your user base, devices, or network design, or it was hindering your organization’s productivity. Or maybe you suffered a security breach. Whatever the case, you decided to make the jump to RADIUS authentication, and you’ve implemented a RADIUS server.

You set it up to protect your network, including 802.1X security for your WiFi network. Everyone who needs access has sufficiently secure passwords to log in. Now you’re done, right?


Not so fast. Network security is a journey, not a destination. Simply implementing a RADIUS server is not enough; you still have some work to do to keep your network secure. Let’s have a look at the up-front and ongoing activities you need to do to maintain the security of your RADIUS network.There is a lot of advice out there that email addresses are not identifiers. Even Internet2 has a document explaining why email is not an appropriate user identifier.

Review your RADIUS server implementation

First, take a look at your RADIUS server implementation to make sure you haven’t missed anything critical:


  • Do you have a security certificate? Security certificates are necessary for client software to verify that they are actually connecting to your RADIUS server (and not a clever impostor, such as with a man-in-the-middle attack) and to establish a secure (i.e., encrypted) connection to it. There are several options available for purchasing security certificates, or you can create your own. Each option has advantages and disadvantages, so if you haven’t implemented one (or more) already, do your homework and get one in place.


  • Are clients verifying your RADIUS server? The flip side to having a security certificate is setting up the client software to verify against it. This is normally done at the operating-system level, and many operating systems enable verification by default. However, it’s worthwhile to check your standard-issue computers to ensure they actually are verifying server certificates.


  • Got multiple DCs? If your organization uses Microsoft Active Directory, your RADIUS server should be set up to authenticate users against their AD credentials. If you have more than one domain controller (DC) — and you should, for redundancy and system resilience — you need to make sure any RADIUS server configuration changes are propagated to all of the DCs, or a DC failure can cause connection problems.

The big picture: Ongoing vigilance


Outside the RADIUS server itself, there are a number of things you need to do on an ongoing basis to keep your network secure.


  • Don’t skip the security updates. Your RADIUS server software and all your operating systems have regular patches and updates to address newly discovered vulnerabilities. Too many organizations put off implementing these updates, thinking there will be some slack time when it can be done. Pro tip: There is never any slack time, and the longer you put it off, the more time-consuming it becomes to install all the accumulated updates. If you don’t have the resources to install patches as soon as they come out, schedule a day each month or quarter for each server to be updated.


  • Set up security standards and policies. If your organization doesn’t already have written security policies and standard procedures in place, now is the time. Policies for password complexity and expiration, local administrative access, and standard security procedures for deploying new hardware should all be written and enforced.


  • Use encrypted connections. Unless everything that’s important to you always stays under your own roof, you can assume that at some point your network traffic flows to networks and devices that are outside your control, such as cloud services or wide-area networks. If it’s out of your control, you can’t be certain it’s secure. Make sure the data that goes outside your building is encrypted.


  • Segregate visitor wireless access. Modern WiFi systems can enable separate access for staff and visitors. Your visitor access can have a separate SSID; separate, administer single-use or time-limited RADIUS authentication credentials with 802.1X security; and restrict access to the Internet only or to certain resources, such as printers or specific file shares. You don’t have to give visitors the keys to the kingdom on your WiFi network.


If this is all new to you, you aren’t alone. But a breach of your network is not a question of if; it’s a question of when. You owe it to your business to keep its network as secure as possible. Network RADIUS can help not only with the implementation of a RADIUS server solution, but also with the ongoing care that’s needed to keep it secure.

Need more help?


InkBridge Networks has been helping clients around the world design and deploy their RADIUS infrastructure for 20 years. We specialize in complex systems and have seen pretty much every variation and problem out there. If you want help from the people who wrote FreeRADIUS, visit our quote page to contact us for a consultation.