Workplaces become more remote and mobile while individuals are increasingly equipped with (private) mobile devices. In this context it is good to know about RADIUS, because private end devices require simple access to an organization’s network. At the same time you need to avoid that these devices open the doors for malware or leakage. RADIUS is such an instrument for the construction of secure, decentralized work structures and equally a powerful tool for the authentication of mobile device accesses to networks.
In the following, we like to give you a brief understanding of what RADIUS is and how you can use it with UCS.
What does RADIUS actually stand for?
Remote Authentication Dial-In User Service (RADIUS for short) is a client server protocol used for the authentication, authorization, and accounting (Triple A system) of users who connect to and use a network. RADIUS was first described in RFC 2058 and RFC 2059 (RFC stands for Requests for Comments, a collection of descriptions and definitions for various protocols and services on the Internet).
There is now a range of different proprietary and free Radius implementations available. For use with UCS, we decided on the Open Source RADIUS server “freeRADIUS”.
How does a RADIUS server function?
The RADIUS server is the central authentication server to which different IT services turn for authentication. A RADIUS server can thus take on the authentication, in other words the checking of the user name and password of the respective user of the service for these services. In addition, it also provides parameters for the connection to the client, which the RADIUS server takes from its own configuration files, configuration databases, or directory services, in which login data such as the user name and password are stored. In the case of UCS, the LDAP functions as a directory service providing the login data.
Where can RADIUS be employed?
The RADIUS protocol is predominantly employed in large companies and networks such as schools. As an increasing number of mobile end devices from teachers and pupils are used in classes, it is critical to ensure that only authorized users have access to schools’ internal networks. In this context we like to recommend the very interesting report about the schools in Kassel, Germany. They managed to successfully set up a central identity and access management for all 72 schools with UCS and use RADIUS to safely connect all mobile devices and users.
Apart from the above scenario, RADIUS can also be used to restrict access to certain end devices. The EAP (Extensible Authentication Protocol) protocol is often used for the communication of the authentication data (user name and password). For the classic use of RADIUS WLAN authentication, the corresponding WLAN access point must be configured in such a way that it uses 802.1x (“WPA Enterprise”) for authentication. The WLAN access point must also have entered the corresponding RADIUS server for authentication. Login to the corresponding WLAN with the user login data stored in the RADIUS server is then possible.
…and where is RADIUS used in UCS?
In the Univention App Center, RADIUS is available in its own app, which provides the Open Source RADIUS server “freeRADIUS” for UCS. The configuration of the server is already integrated in the app and is performed via black and white lists. This makes it possible to enable user, group, and end device objects for this service. This is controlled via the corresponding control boxes on the objects in the UCS management system.
Authorized users can authenticate themselves with their standard domain login data. As such, the integration of RADIUS is also particularly suited to bring your own device (BYOD) concepts. These concepts allow users’ mobile end devices access to the IT network. At the same time, however, it is important to ensure that only authorized users with approved devices are allowed access. You can read more on this topic in our blog article “Brief introduction: Bring Your Own Device (BYOD)”. BYOD concepts are taking on an ever greater role as a result of the increasing mobility of employees and the rise in decentralized workstations. In addition to companies, educational institutions can also benefit enormously from the mounting of pupils’ and teaching staff’s user devices, although they also present a particularly high attach potential at the same time.
Further information on the configuration of the RADIUS app in UCS can be found in the UCS manual.