App Center Highlights: Secure Network Access Control with RADIUS

Welcome to the fifth edition of our UCS App series! This time, we’re focusing on the RADIUS app, the invisible network guardian keeping your IT infrastructure secure. RADIUS ensures that personal devices don’t become weak links and protects your network from malware.

Functionality of the RADIUS App

RADIUS (Remote Authentication Dial-In User Service) is a client-server protocol that handles authentication, authorization, and accounting for users connecting to a network. Think of RADIUS as a gatekeeper managing access to both wireless and wired networks. It verifies user accounts, groups, and devices:
  • Access Control: RADIUS checks if users are legitimate before they get network access. This is crucial for organizations aiming to ensure secure and controlled network access.
  • Authentication and Authorization: RADIUS manages the authentication and authorization of user accounts and groups, especially relevant for WLAN networks where easy access should not compromise security (Bring Your Own Device, BYOD).
  • Seamless Integration: RADIUS is easy to set up, integrates smoothly into the UCS management system, and supports block and allow lists for user, group, and device objects.

How Does RADIUS Work?

RADIUS is implemented as a client-server architecture. The RADIUS server verifies whether a device or user is authorized to join the network. It handles authentication (checking whether the login credentials are correct) and authorization (determining which rights the user has). Clients, such as WiFi access points and network switches, communicate with the RADIUS server on behalf of end devices such as laptops, tablets, or smartphones.

RADIUS ensures that only the right people have access. The software handles user authentication and determines who can access which data or services. Additionally, the service logs who did what and when. The great thing is that your users’ credentials (such as domain passwords) never have to be copied anywhere: they stay securely managed in one central location, the directory service, and are still available to RADIUS.

With RADIUS, you significantly enhance your network security and can easily implement concepts like Bring Your Own Device (BYOD) for businesses or educational institutions. This allows students and employees to securely connect their own devices to the network.

There are various proprietary and open source RADIUS implementations. Univention Corporate Server uses FreeRADIUS.

Installing and Configuring RADIUS

You can install the RADIUS app via the Univention App Center. After clicking Install, you can select a machine from the UCS domain through a drop-down menu and proceed. Once all components are installed, the FreeRADIUS service starts. This guardian connects to the LDAP directory service and receives information about the permissions of objects (accounts, groups, devices).

To allow WiFi devices like laptops, smartphones, or tablets to access the network via RADIUS, the access point (AP) must first be configured appropriately. It needs to support the IEEE 802.1X standard (port-based network authentication). In the AP configuration, you then enter the RADIUS server details.

Configuring Access Points with RADIUS

For RADIUS to do its job perfectly as a security expert, all access points (AP) need to be registered. There are two ways to configure the access points: either through a configuration file or via a computer object in the Univention Management Console (UMC).

On all RADIUS servers, you will find the file /etc/freeradius/3.0/clients.conf. You can edit this file with a text editor of your choice (with root privileges). For each AP, create a client entry that includes the AP’s IP address and a shared secret. Give each entry a name; a tool such as makepasswd can generate the shared secret. After making these settings, restart the RADIUS service:

systemctl restart freeradius.service
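The following shell helper is an added example (not Univention’s code) that builds the client entry described above. The path to clients.conf is a parameter so the stanza can be checked against a scratch file first; the secret generator and the IP validation are this example’s own, and makepasswd is not required.

```shell
#!/bin/sh
# Added example: register a WiFi access point as a FreeRADIUS client.
# Not Univention's code; the conf path is a parameter so it can be tried on
# a scratch file before touching /etc/freeradius/3.0/clients.conf.

# Generate a random 32-character alphanumeric shared secret (no makepasswd needed).
gen_secret() {
    LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 32
    echo
}

# Reject anything that is not a dotted-quad IPv4 address, so a typo cannot
# silently register a client entry that never matches the real AP.
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for octet in $(echo "$1" | tr '.' ' '); do
        [ "$octet" -le 255 ] || return 1
    done
}

# Print one clients.conf stanza for an AP: name, IP address, shared secret.
# nas_type is the "NAS type" property mentioned for the UMC variant.
radius_client_stanza() {
    name=$1; ip=$2; secret=$3
    valid_ipv4 "$ip" || { echo "invalid IPv4 address: $ip" >&2; return 1; }
    printf 'client %s {\n\tipaddr = %s\n\tsecret = %s\n\tnas_type = other\n}\n' \
        "$name" "$ip" "$secret"
}

# Append the stanza to the given clients.conf, refusing duplicate client names.
# The secret is generated when none is passed as the fourth argument.
add_radius_client() {
    conf=$1; name=$2; ip=$3; secret=${4:-$(gen_secret)}
    if [ -f "$conf" ] && grep -Eq "^client[[:space:]]+$name[[:space:]]*\{" "$conf"; then
        echo "client $name already registered in $conf" >&2
        return 1
    fi
    radius_client_stanza "$name" "$ip" "$secret" >>"$conf"
}
```

After `add_radius_client /etc/freeradius/3.0/clients.conf ap01 192.0.2.10` succeeds, the same secret has to be entered in the AP, and `systemctl restart freeradius.service` makes the entry active.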

If you want a configuration that applies to the entire domain, it’s best to use the UMC. Open the Devices / Computers module and create a new computer object for each AP. The IP client type is suitable for access points. Edit the new object and activate the RADIUS authenticator checkbox on the Options tab. Then switch to the RADIUS tab and activate the Allow network access checkbox. Enter a shared secret. You usually don’t need to change the NAS type and Virtual server properties.

After clicking Save, the Univention Directory Listener writes the configuration to /etc/freeradius/3.0/clients.univention.conf and restarts the RADIUS server. New access points will have access to the RADIUS server only after this restart.

Screenshot of the UCS portal. It shows the RADIUS app in the Computer IP Client AP01, as explained on this page.

Setting Up Access for Accounts and Groups

By default, no one has network access—you have to explicitly grant it. Think of it like an exclusive club: the bouncer (RADIUS) only lets in people on the guest list. To grant individual accounts access, open the UMC Users module, switch to the RADIUS tab on the left sidebar, activate the Allow network access checkbox on the right, and click Save.

To grant access to groups, the process is quite similar: open the group object in the UMC Groups module, navigate to the RADIUS tab, and activate the Allow network access checkbox on the right. Save your changes. Once this is done, every member of that group will automatically be granted access to the network.

Screenshot of the UCS portal. It shows the RADIUS app in the Domain Users group, as explained on this page.

Additional Security with Custom RADIUS Passwords

By default, users authenticate with their domain password. However, administrators can add an extra layer of security by setting up custom passwords for RADIUS—like adding an extra lock on the door. To enable this extra protection, you need to set the UCR variable radius/use-service-specific-password to true. You can access the Univention Configuration Registry via the UMC, in the System section. This additional security measure ensures that even if a domain password is compromised, unauthorized access to the network is still prevented by the extra RADIUS-specific password.

To allow users to set their RADIUS password through the Self Service app, set the UCR variable umc/self-service/service-specific-passwords/backend/enabled to true. Once this is enabled, the Self Service portal will feature a new tile called Password Wireless LAN which helps users generate a random password.

Tip: You can define how users’ self-generated passwords should look. There are several UCR variables that start with password/radius/quality. For example, you can set the minimum length, the number of letters and digits, and more. This ensures that the passwords are strong enough to protect your network from unauthorized access—like a strong, secure vault.

Screenshot of the UCS portal for creating a wireless LAN password, as explained on this page.

Filtering by MAC Addresses with RADIUS

By default, RADIUS grants network access to all devices, provided the user presents valid credentials. However, you can tighten the access control by restricting it to specific devices using MAC filters. This ensures that only authorized devices can connect.

To implement this, set the UCR variable radius/mac/whitelisting to true. Upon the next network access attempt, the device’s LDAP attribute macAddress is checked to see if it is authorized. This way, you ensure that only approved devices are allowed onto the network.
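The check that radius/mac/whitelisting enables compares the address reported by the access point with the macAddress attribute of the device’s LDAP object, so both sides have to use the same notation. The shell helper below is an added example (not UCS code): it canonicalises the address before comparing, and the allow list is a constructed stand-in for the directory’s macAddress values, assumed here to be stored lowercase and colon-separated.

```shell
#!/bin/sh
# Added example, not Univention's code: canonicalise a MAC address before
# comparing it with the LDAP macAddress attribute, and check it against an
# allow list. ALLOWED_MACS is a constructed stand-in for the macAddress
# values of the computer objects in the directory (assumed lowercase, colon form).

ALLOWED_MACS='
00:11:22:aa:bb:cc
00:11:22:dd:ee:ff
'

# Canonical form: lowercase, colon-separated, six two-digit hex octets.
# Accepts aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF and aabb.ccdd.eeff notation;
# returns 1 for anything that is not a MAC, so malformed input never matches.
normalize_mac() {
    hex=$(echo "$1" | tr 'A-F' 'a-f' | tr -d ':.-')
    echo "$hex" | grep -Eq '^[0-9a-f]{12}$' || return 1
    echo "$hex" | sed -E 's/(..)(..)(..)(..)(..)(..)/\1:\2:\3:\4:\5:\6/'
}

# Exit 0 only if the device is on the list, whatever notation the AP used.
mac_allowed() {
    mac=$(normalize_mac "$1") || return 1
    echo "$ALLOWED_MACS" | grep -qx "$mac"
}
```

When a legitimate device is rejected after enabling the filter, comparing the canonical form of what the AP logs with the stored macAddress is the first thing to check.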

But what about printers, network projectors, interactive whiteboards, and similar devices that don’t support 802.1X authentication but still need network access? This is where MAC Authentication Bypass (MAB) comes into play. In this mode, the hardware address serves as the username, allowing these devices to log in, like a separate entrance reserved for known devices. Because a MAC address identifies a device far more weakly than user credentials do, such devices are best kept in a restricted network segment. The manual provides detailed instructions on how to activate and set up MAB in the chapter MAC Authentication Bypass with computer objects. This keeps your network secure while ensuring all necessary devices remain connected.

Dynamically Assigning Virtual Networks with RADIUS

With the RADIUS app, you can dynamically assign devices to virtual networks. Virtual Local Area Networks (VLANs) split existing physical networks into multiple logical networks. This setup is ideal for large environments where separate networks for users and guests are required. Isolated subnets not only enhance security but also improve performance.

If you have set up virtual networks for your UCS domain, you can use the RADIUS service to assign accounts and groups to specific VLANs. RADIUS handles user authentication and returns a VLAN ID in its response. To do this, assign a VLAN ID to a group via the group’s RADIUS tab. Additionally, set a default VLAN ID using the UCR variable freeradius/vlan-id, which is used for accounts that are not members of any group with a VLAN ID assigned.
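As an added example (not Univention’s code), the shell script below walks through the decision just described: group-to-VLAN assignments plus the freeradius/vlan-id default, then the standard RADIUS reply attributes (RFC 3580) that carry the VLAN back to the switch or access point. The group table and the default are constructed stand-ins for the LDAP and UCR values, and the rule for a user in several VLAN-tagged groups is this example’s own conservative choice, not documented UCS behaviour.

```shell
#!/bin/sh
# Added example, not Univention's code: resolve the VLAN a user lands in from
# group VLAN assignments plus the freeradius/vlan-id default, and print the
# RFC 3580 reply attributes that return the VLAN to the 802.1X authenticator.

# Constructed stand-in for the "VLAN ID" set on each group's RADIUS tab.
GROUP_VLANS='
Teachers 10
Students 20
Guests 30
'
# Constructed stand-in for the UCR variable freeradius/vlan-id.
DEFAULT_VLAN=99

# Print a group's VLAN ID, or nothing if the group has none assigned.
group_vlan() {
    echo "$GROUP_VLANS" | awk -v g="$1" '$1 == g { print $2 }'
}

# Decide the VLAN for a user from a space-separated list of group names.
# Policy of this example (an assumption, not documented UCS behaviour):
# conflicting VLAN IDs from several groups are rejected instead of silently
# picking one, so a misconfiguration shows up in the logs rather than in
# a user landing on the wrong segment.
resolve_vlan() {
    groups=$1
    vlan=""
    for g in $groups; do
        v=$(group_vlan "$g")
        [ -n "$v" ] || continue
        if [ -n "$vlan" ] && [ "$vlan" != "$v" ]; then
            echo "conflicting VLAN assignments for groups: $groups" >&2
            return 1
        fi
        vlan=$v
    done
    echo "${vlan:-$DEFAULT_VLAN}"
}

# Print the Access-Accept attributes that carry the VLAN (RFC 3580).
vlan_reply_attributes() {
    vlan=$(resolve_vlan "$1") || return 1
    printf 'Tunnel-Type = VLAN\nTunnel-Medium-Type = IEEE-802\nTunnel-Private-Group-Id = "%s"\n' "$vlan"
}
```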

For more information on this topic, refer to our blog article VLANs and RADIUS: How to Configure Virtual Networks for Univention Corporate Server (UCS). Detailed configuration instructions and RADIUS log files can also be found in the manual (chapter RADIUS).

With the RADIUS app, you can transform your network into a secure fortress. RADIUS acts as a strict gatekeeper, allowing access only to authorized users and devices. By configuring access points, using MAC filters, and setting custom RADIUS passwords, you significantly enhance your network’s security.

Additionally, RADIUS offers the flexibility to dynamically assign devices to virtual networks (VLANs), which is particularly beneficial in large environments, providing extra security and improved performance. With comprehensive configuration options and seamless integration into the UCS environment, you have all the tools you need to optimally protect your network.


Got any questions or comments? Leave a comment and share your experiences and ideas—here on the blog or in the Forum Univention Help!

Image source: Icon created by Freepic from flaticon.com
