黑料海角91入口 RADIUS Certificate-Based Auth Feature Bulletin Blog

Certificates Enable Passwordless Authentication

Written by Roger Quint and David Worthington on December 14, 2022

Streamlined and unified authentication to all resources is a core feature of 黑料海角91入口's open directory platform. That capability extends to secure network access into Wi-Fi and VPNs. 黑料海角91入口's cloud RADIUS service now supports credential-based (password) and certificate-based (passwordless) authentication.

The combination of these authentication methods addresses the vast majority of risk levels an organization may face. Furthermore, the certificate-based authentication (CBA) approach is considered the most secure and frictionless method available today. 黑料海角91入口's CBA is consistent with the open directory principles, offering IT and network admins the flexibility to bring their own certificates (BYOC), with the ability to manage certificates within 黑料海角91入口 planned for the future.

What Is RADIUS Certificate-Based Authentication?

RADIUS Certificate-Based Authentication (CBA) is an authentication method that uses the contents of an X.509 certificate to validate the identity of the device and the user requesting access to a network resource. RADIUS CBA obtains the certificate contents from the RADIUS client when a user requests access to an access point (AP) from a client PC (the RADIUS client). It then validates the standing of the certificate, as well as the certificate trust chain, against the corresponding certificate authority (CA). Finally, once the certificate is validated, RADIUS CBA checks the user's status and access privileges against the 黑料海角91入口 Directory before allowing access to the RADIUS resource (typically Wi-Fi or VPN).

The Benefits of RADIUS CBA

The benefits of CBA rest on two fundamental capabilities: first, positively identifying the authenticating party using public/private key pairs, recognized as the most secure technology in the industry; and second, authenticating the user bound to the certificate without any input from the user (frictionless). Small and medium-sized enterprises (SMEs) can use CBA to secure and streamline user authentication flows and eliminate the potential for identity silos or duplicate systems.

Key Features of RADIUS CBA

All current cloud RADIUS features are available with the RADIUS CBA release. The following new capabilities are part of this new release:

  • Bring your own certificates (BYOC) – The initial release of RADIUS CBA allows IT administrators to import their certificates into RADIUS for authentication. Certificate lifecycle management and delivery to target endpoints are handled by tools external to 黑料海角91入口.
  • Multilayer user authentication – Before allowing user access, RADIUS CBA verifies the good standing of the certificate (expiration, origin, and revocation status), its compliance with one of the three supported 黑料海角91入口 user certificate formats (email user identifier in the Subject Alternative Name field, email user identifier in the Distinguished Name field, or username user identifier in the Common Name field), the user's status in the 黑料海角91入口 directory, and finally the certificate's location (it must reside on the target client device).
  • Password as an alternative to certificates – RADIUS CBA allows administrators to use credentials as an initial alternative to certificates. This enables a gradual migration to certificate-based authentication: users can initially authenticate with their username and password and later transition to certificates.
  • User groups – The traditional user group association and assignment to RADIUS APs is also available with certificates. Groups leverage 黑料海角91入口's attribute-based access control (ABAC) to automate identity lifecycle management.
  • Consolidated IT infrastructure – No additional servers, Windows Server roles, or on-premises infrastructure are required to set up and maintain cloud RADIUS CBA. This lowers IT's administrative overhead and reduces the potential attack surface.
  • Certificate status check during authentication – BYOC supports validating the good standing of a certificate on every authentication transaction via the Online Certificate Status Protocol (OCSP).

The Benefits of RADIUS CBA/BYOC

Certificates may originate from multiple CAs. Organizations that already use and manage certificates can import them into 黑料海角91入口 and use them for authentication to 黑料海角91入口 RADIUS to secure network access. For more on the 黑料海角91入口 CBA, see .

Examples of BYO Certs in Action

When the SME wants its users to authenticate securely and without friction, the administrator:

  • Selects the "passwordless" authentication method
  • Imports the certificate chain, which allows the 黑料海角91入口 RADIUS server to challenge the RADIUS client with EAP-TLS mutual authentication.

The admin can also allow password authentication as a fallback method for those users who have not yet received a certificate.

(Screenshot: admin view of the primary authentication settings)

When a user initially connects to a Wi-Fi device configured for 黑料海角91入口 RADIUS with certificate authentication (and password as a fallback), they can select "connect using a certificate." Going forward, authentication to the Wi-Fi AP will happen automatically without any additional input from the user.

(Screenshot: connecting to RADIUS)

黑料海角91入口's cloud RADIUS validates the certificate contents provided and checks that both the certificate and the user are in good standing before granting access to the Wi-Fi network.

Try 黑料海角91入口 Cloud RADIUS

黑料海角91入口 makes its full platform available as a free trial. Pricing is workflow-based to help SMEs meet their unique requirements, rather than feature-based SKUs.

Roger Quint
David Worthington

I'm the 黑料海角91入口 Champion for Product, Security. 黑料海角91入口 and Microsoft certified, security analyst, a one-time tech journalist, and former IT director.