Many organizations and educational institutions allow users to work on their personal laptops, tablets and smartphones. Bring Your Own Device (BYOD) is popular because it reduces the financial burden on businesses and gives users greater freedom of choice as well as their familiar working environment. Before users connect to the school or corporate Wi-Fi with their personal devices, administrators should think about security so that the devices do not become a gateway for malware.
Three times A: Authentication – Authorization – Accounting
RADIUS (Remote Authentication Dial-In User Service) is a protocol for authenticating device access to networks and takes care of the three As (Triple A):
RADIUS first determines whether users are who they claim to be (authentication), for example by checking user names and passwords. After a successful login, a user receives certain rights (authorization), for instance access to data or services. RADIUS can also take care of billing (accounting) and log the transferred data volume or access frequency.
Client and RADIUS server
RADIUS is implemented as a client-server architecture. The RADIUS server is the central authentication server to which other authentication services can turn. It checks user names and passwords and provides parameters for the connection to the client. The RADIUS server takes these from its own configuration files, from databases or directory services in which the access data is stored.
RADIUS can thus ensure that only authorized users can access a network. It is possible to restrict access to certain terminal devices. The Extensible Authentication Protocol is often used to transmit authentication data (user names and passwords).
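The client-server exchange described above can be traced in a few lines of Python. This is an added example, not code from FreeRADIUS or the UCS app: it follows the basic RFC 2865 exchange with a plain User-Password attribute instead of EAP, and the shared secret, user name and password are constructed sample values.

```python
import hashlib, hmac, os, struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3  # RFC 2865 packet codes
USER_NAME, USER_PASSWORD = 1, 2                         # RFC 2865 attribute types

def hide_password(password, secret, authenticator, decrypt=False):
    """User-Password hiding (RFC 2865 5.2): XOR with an MD5 chain keyed by the secret."""
    data = password if decrypt else password.ljust(max(16, -(-len(password) // 16) * 16), b"\0")
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        ks = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], ks))
        prev = data[i:i + 16] if decrypt else block   # the chain always runs over ciphertext
        out += block
    return out.rstrip(b"\0") if decrypt else out

def access_request(ident, user, password, secret):
    """Client (e.g. access point) side: build an Access-Request."""
    ra = os.urandom(16)                               # Request Authenticator
    attrs = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in
                     [(USER_NAME, user), (USER_PASSWORD, hide_password(password, secret, ra))])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + ra + attrs

def parse_attrs(packet):
    attrs, pos, end = {}, 20, struct.unpack("!H", packet[2:4])[0]
    while pos + 2 <= end <= len(packet):
        length = packet[pos + 1]
        if length < 2 or pos + length > end:
            raise ValueError("malformed attribute")
        attrs[packet[pos]] = packet[pos + 2:pos + length]
        pos += length
    return attrs

def server_reply(request, secret, users):
    """Server side: check the credentials, then sign the reply (Response Authenticator)."""
    attrs, ra = parse_attrs(request), request[4:20]
    stored = users.get(attrs.get(USER_NAME))
    given = hide_password(attrs.get(USER_PASSWORD, b""), secret, ra, decrypt=True)
    ok = stored is not None and hmac.compare_digest(stored, given)
    head = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, request[1], 20)
    return head + hashlib.md5(head + ra + secret).digest()

def verify_reply(reply, request, secret):
    """Client side: trust the reply only if it was signed with the shared secret."""
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    return reply[1] == request[1] and hmac.compare_digest(reply[4:20], expected)

# Constructed sample data: secret, user and password are made up for this example.
SECRET, USERS = b"constructed-shared-secret", {b"alice": b"correct horse"}
```

Both the password hiding and the reply signature depend only on MD5 and the shared secret, so the secret configured between access point and RADIUS server should be long and random.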
FreeRADIUS in the Univention App Center
There are several free and proprietary RADIUS solutions. In the Univention App Center, we provide the open source solution FreeRADIUS for use in Univention Corporate Server (UCS). The RADIUS service is configured to connect to the LDAP directory service, which provides the access data.
We have equipped our FreeRADIUS app with lock and unlock lists that you can use to specifically unlock user, group and device objects for this service, just a mouse click away in the UCS management system.
If RADIUS is to take care of Wi-Fi authentication, the corresponding access point must use 802.1X (“WPA Enterprise”) for authentication. The RADIUS server must also be registered on the Wi-Fi access point as its authentication server. Users can then log on to the Wi-Fi using the access data stored on the RADIUS server.