Authentication has become a principal concern for IT managers. With identity theft becoming a popular crime, and hackers constantly honing their attack mechanisms, companies are constantly looking for ways to ensure that only authorized users access important data. The Remote Authentication Dial In User Service (RADIUS) has been an authentication mechanism available to companies since the Internet started to become popular a decade ago. Even though RADIUS can be helpful, inertia and shortcomings in its authentication mechanism have limited its use.
RADIUS includes use of a certificate server, an authentication mechanism where users are issued passes that enable them to access enterprise networks. “Many companies do not turn RADIUS security on,” noted Craig Mathias, principal at market research firm Farpoint Group. Sometimes, users are not aware of the security check and in other cases, they simply do not make the effort to put it in place.
Hole in the Radius
A few companies have been leery of deploying RADIUS because they see its security limitations, which revolve around how certificates are distributed. Because certificate data is sensitive, companies need to guard it with the same intensity they apply to items such as e-commerce transactions. In many cases, firms rely on tools like Secure Sockets Layer to encrypt data as it moves from place to place.
RADIUS includes encryption functions, but they were not well designed, some experts say. With RADIUS, encryption keys are transported within the network protocol. Consequently, if a hacker intercepts a message as it travels from a user to the certificate server, the intruder can decrypt the packets and the authentication information. The intruder then has a certificate, can use it to masquerade as a legitimate user, gain access to the enterprise network, and start attacking corporate data.
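The "encryption function" the paragraph refers to is the User-Password hiding that RADIUS defines in RFC 2865 section 5.2: the password is XORed with an MD5 keystream derived from the shared secret and the 16-byte Request Authenticator, which travels in the clear in the same packet. The implementation below is an added example, not code from the article; the shared secret, password and authenticator values are constructed sample inputs.

```python
import hashlib


def _keystream_blocks(secret: bytes, authenticator: bytes, prev_chunks):
    # RFC 2865 5.2: b1 = MD5(S + RA), b_i = MD5(S + c_(i-1)).
    # The only secret input is S; RA is sent in the clear.
    prev = authenticator
    for chunk in prev_chunks:
        yield hashlib.md5(secret + prev).digest()
        prev = chunk


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Return the hidden User-Password attribute value (RFC 2865 section 5.2)."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if not 0 < len(password) <= 128:
        raise ValueError("password must be 1..128 octets")
    # Pad with nulls to a multiple of 16 octets (at least one block).
    padded = password.ljust(((len(password) + 15) // 16) * 16, b"\x00")
    out = bytearray()
    prev = authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        chunk = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += chunk
        prev = chunk  # next block is chained on the previous ciphertext block
    return bytes(out)


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Recover the password; this is what the RADIUS server does on receipt."""
    if len(hidden) % 16 or not hidden:
        raise ValueError("hidden value must be a non-empty multiple of 16 octets")
    chunks = [hidden[i:i + 16] for i in range(0, len(hidden), 16)]
    out = bytearray()
    for chunk, key in zip(chunks, _keystream_blocks(secret, authenticator, chunks)):
        out += bytes(c ^ k for c, k in zip(chunk, key))
    return bytes(out).rstrip(b"\x00")  # strip the null padding


if __name__ == "__main__":
    # Constructed sample values; a real authenticator is 16 random octets.
    ra = bytes(range(16))
    hidden = hide_password(b"hunter2", b"shared-secret", ra)
    print(hidden.hex())
    print(reveal_password(hidden, b"shared-secret", ra))
```

Because nothing beyond the shared secret protects the password, the hiding is only as strong as that secret, which is why the EAP methods discussed later move credentials inside a TLS tunnel instead.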
This limitation has been well known in the wireless world. “There have been instances where intruders have driven past a home or office in search of a wireless connection,” said Eric Ouellet, a vice president at Gartner Group.
Once they find one, hackers use RADIUS’s security limitation to break into the network and start using an individual’s account or sifting through sensitive data. Breaking into a wired network is also possible but a bit more difficult. A hacker would have to be physically near the network, literally cut into it, and then use a product like a protocol analyzer to capture the user’s data so it can be mimicked.
Vendors have been looking at ways to solve the problem. The IEEE 802.11x standard, which includes the Extensible Authentication Protocol (EAP), was designed to help close up the security holes. It outlines a way that vendors can change the way certificate information is sent to users. Vendors have taken the framework and extended it so there are a handful of different techniques to provide users with certificate data.
Five Ways to Extend RADIUS Security
EAP-TLS (Transport Layer Security) relies on a public-key infrastructure (PKI), which has been used in many organizations. EAP-TLS requires both user and server digital certificates and supports strong mutual authentication that eliminates the possibility of a dictionary attack on a password.
EAP-TTLS (Tunneled Transport Layer Security) eliminates client-side certificates. It’s intended for organizations that cannot enforce a strong password policy, but want to avoid the management complexity of client-side digital certificates. Instead, EAP-TTLS passes user credentials through an encrypted tunnel each time the user accesses the network. EAP-TTLS can be required in organizations that wish to retain a non-EAP RADIUS infrastructure, such as those running Microsoft Active Directory. Such enterprises must front-end the RADIUS server with a TTLS server, which will convert EAP requests to legacy authentication methods.
PEAP (Protected EAP) is similar to EAP-TTLS. The main difference is that PEAP supports just Windows XP and 2000 operating systems natively, while TTLS supports many more (including several Microsoft handheld platforms) operating systems natively.
EAP-MD5 is not generally used on wireless networks, because it does not support mutual authentication. This technique verifies the client to the network, but not the network access point to the client. Thus, a client could unwittingly associate with a faux access point. However, EAP-MD5 can be used as the client authentication algorithm within the tunnel in TTLS and PEAP.
LEAP, which comes from Cisco Systems, is designed for homogeneous environments where only Cisco access points are deployed. LEAP supports mutual authentication and passwords, but is somewhat prone to offline dictionary attacks.
Plenty of Choices
The wide variety of options provides users with more choices. “The 802.11x protocol was designed to be extensible, so it makes sense that vendors are finding different ways to differentiate their products,” Farpoint Group’s Mathias told TechNewsWorld. One problem is that the different authentication mechanisms do not interoperate, so users with heterogeneous network equipment may find it difficult to locate a plug-and-play method to close up RADIUS’s authentication hole.
While users may be puzzled at which option is best, a growing number are recognizing the need for the protocol. “Since vendors continue to build upon the authentication features that RADIUS uses, I expect the protocol to gain more acceptance in the market,” noted Jon Oltsik, senior analyst, Information Security at market research firm Enterprise Strategy Group.