When Should You Use a Windows RADIUS Server?
Network Policy Server (NPS) is Microsoft’s implementation of a Remote Authentication Dial-In User Service (RADIUS) server. NPS provides centralized authentication, authorization, and accounting (AAA) capabilities to your network. Under this setup, your network access server (NAS) acts as a RADIUS client and sends all connection requests from users to a RADIUS server running NPS on Windows, which then provides authentication and authorization information back to the NAS. While users are connected to your network, NPS logs their activities as part of its RADIUS accounting role.
What Is the RADIUS Protocol?
RADIUS is a client-server networking protocol with AAA management features that uses the connectionless User Datagram Protocol (UDP) for its transport layer and uses port 1812 for authentication and port 1813 for authorization.
Since UDP does not require a reliable connection across a network, using RADIUS means minimal network overhead. However, this can also lead to request timeouts in case of poor network quality. When this happens, the RADIUS client sends another request to the server. To ensure that RADIUS runs on a secure network connection, there have been past initiatives to make it work with Transmission Control Protocol (TCP), but these have not gone beyond the experimental stage.
Authentication Process
As a client-server networking protocol, RADIUS has client and server components. In a typical network that uses RADIUS, the authentication and authorization process goes like this:
- A NAS serves as a RADIUS client and passes authentication requests to a RADIUS server that runs as a background process on Windows or any other server operating system.
- The RADIUS server authenticates the user credentials and checks the user’s access privileges against its central database, which can be in a flat-file format or stored on an external storage source such as SQL Server or Active Directory Server.
- When the RADIUS server finds the user and the associated privileges in its database, it passes an authentication and authorization message back to the NAS, which then allows the user access to the network and its array of applications and services.
- The NAS, still acting as a RADIUS client, passes accounting requests back to the RADIUS server while users are connected to the network. These requests log all user activities onto the RADIUS server.
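The authentication exchange described above, as an added example that is not part of the original article: a minimal Access-Request and Access-Accept/Access-Reject exchange built directly from RFC 2865. The shared secret, user store and NAS address are constructed; note that only the User-Password attribute is obscured, while User-Name and NAS-IP-Address cross the wire in clear text.

```python
import hashlib, hmac, secrets, struct

# Packet codes and attribute types from RFC 2865.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4

def attr(t, value):
    # One attribute: Type, Length (counting these two bytes), Value.
    return struct.pack("!BB", t, len(value) + 2) + value

def parse_attrs(packet):
    # Walk the attribute list that follows the 20-byte header.
    attrs, i = {}, 20
    while i < len(packet):
        attrs[packet[i]] = packet[i + 2:i + packet[i + 1]]
        i += packet[i + 1]
    return attrs

def xor_chain(data, secret, authenticator, decrypt):
    # User-Password hiding (RFC 2865 section 5.2): XOR each 16-byte block with
    # MD5(secret + previous block), the chain starting at the Request Authenticator.
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        result = bytes(a ^ b for a, b in zip(block, hashlib.md5(secret + prev).digest()))
        out, prev = out + result, (block if decrypt else result)
    return out

def build_access_request(ident, secret, username, password, nas_ip):
    # NAS -> server. Only User-Password is obscured; User-Name and NAS-IP-Address go in clear text.
    authenticator = secrets.token_bytes(16)
    padded = password.encode() + b"\x00" * (-len(password) % 16)
    attrs = (attr(USER_NAME, username.encode())
             + attr(USER_PASSWORD, xor_chain(padded, secret, authenticator, False))
             + attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def server_respond(request, secret, users):
    # Server side: recover the password, check it against a constructed credential store, and
    # reply. Response Authenticator = MD5(Code + ID + Length + RequestAuthenticator + Attributes + Secret).
    a = parse_attrs(request)
    password = xor_chain(a[USER_PASSWORD], secret, request[4:20], True).rstrip(b"\x00")
    ok = hmac.compare_digest(users.get(a[USER_NAME].decode(), b""), password)
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, request[1], 20)
    return header + hashlib.md5(header + request[4:20] + secret).digest()

def nas_verify(response, request, secret):
    # NAS side: a reply whose Identifier or Response Authenticator does not match is not trusted.
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return response[1] == request[1] and hmac.compare_digest(expected, response[4:20])
```

A reply computed with a different shared secret fails `nas_verify`, which is why the secret must match on both NAS and server and why a weak or shared-everywhere secret undermines the whole exchange.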
RADIUS supports various authentication mechanisms, including:
- Challenge-Handshake Authentication Protocol (CHAP)
- Password Authentication Protocol (PAP)
- Extensible Authentication Protocol (EAP)
The combined authentication and authorization operation in RADIUS minimizes traffic flow and makes for a more efficient network. RADIUS also supports multi-factor authentication (MFA) using one-time passwords or some other mechanism, which often requires clients and servers to exchange more messages than normal.
In larger networks, a RADIUS server can also act as a proxy client to other RADIUS servers.
RADIUS or LDAP: Which to Use for Centralized Authentication?
LDAP
Like RADIUS, Lightweight Directory Access Protocol (LDAP) is used for user authentication and authorization. LDAP performs this role by accessing and managing directory services, such as Microsoft’s proprietary Active Directory service. Which one is better depends on your specific requirements.
Since LDAP uses TLS, the connections and messages between client and server are always encrypted. Moreover, since LDAP uses TCP, chances of dropped requests are nil, although this often means more network overhead. LDAP is also simpler to set up than RADIUS.
On the other hand, LDAP does not support user accounting, though this can be accommodated using other tools such as Syslog. It also does not support multi-factor authentication out of the box, though you can use other solutions if you need this feature.
RADIUS
By default, RADIUS does not encrypt any of the attributes passed between client and server, except for passwords. It does support other authentication mechanisms such as EAP, which can be used to work around this weakness. You can also pair RADIUS with other security mechanisms, such as placing servers and clients behind virtual private networks (VPNs).
Although more complex, RADIUS supports user accounting and MFA, making it ideal for use in large enterprises. However, it is also useful for smaller organizations looking to secure their networks.
Network Policy Server as a RADIUS Server
NPS was known as Internet Authentication Service (IAS) in earlier Windows versions. Starting with Windows 2008, IAS became NPS, with Microsoft adding new features to the component, including Network Access Protection and IPv6 support. NPS works with many types of networks.
To authenticate user credentials on your Windows network, NPS relies on an Active Directory Domain Services (AD DS) domain or the local Security Accounts Manager (SAM) user accounts database. You can use NPS as part of a single sign-on solution when the server running it belongs to an AD DS domain. In this case, NPS authenticates users via the directory service’s user-account database, logging authenticated users into the AD DS domain.
With RADIUS, NPS acts as the central location for user data related to authentication, authorization, and accounting instead of the NAS. If you combine NPS with Remote Access Services, you can use RADIUS to authenticate and authorize users in your remote access networks.
A RADIUS server running NPS provides the easiest authentication mechanism for Windows Servers running on AWS.
Network Policy Server as a RADIUS Proxy
Aside from having NPS as a RADIUS server on Windows, you can also use NPS as a RADIUS proxy client that forwards authentication or accounting messages to other RADIUS servers.
This is useful in scenarios where you:
- Provide outsourced network-access services and need to forward connection requests to RADIUS servers that your customers maintain.
- Have user accounts that don’t belong to the same domain as the Windows RADIUS server or that belong to another domain with a two-way trust relationship with the NPS RADIUS server’s domain.
- Use a non-Windows account database.
- Have a large number of users requesting connections.
- Provide RADIUS authentication and authorization to your vendors.
How Does Accounting for RADIUS Server Work?
RADIUS Servers are also used for accounting purposes. RADIUS accounting collects data for network monitoring, billing, or statistical purposes. The accounting process typically starts when the user is granted access to the RADIUS Server. However, RADIUS accounting can also be used independently of RADIUS authentication and authorization.
A basic RADIUS accounting process includes the following steps:
- The process starts when the user is granted access to the RADIUS Server.
- The RADIUS Client sends a RADIUS Accounting-Request packet known as Accounting Start to the RADIUS Server. The request packet comprises the user ID, network address, session identifier, and point of access.
- During the session, the Client may send additional Accounting-Request packets known as Interim Update to the RADIUS Server. These packets include details like the current session duration and data usage, and they keep the RADIUS Server’s record of the user’s session up to date.
- Once the user’s access to the RADIUS Server ends, the RADIUS Client sends another Accounting-Request packet, known as Accounting Stop, to the RADIUS Server. The packet includes total time, data, packets transferred, reason for disconnection, and other information relevant to the user’s session.
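The Accounting Start, Interim Update and Accounting Stop records described above, as an added example that is not part of the original article: one session’s Accounting-Request packets built on the client side per RFC 2866 and ingested on the server side, which discards any request whose authenticator does not verify against the shared secret. The shared secret, user, session identifier, NAS address and byte counts are constructed.

```python
import hashlib, hmac, struct

# Packet code, attribute types and Acct-Status-Type values from RFC 2865/2866.
ACCOUNTING_REQUEST = 4
USER_NAME, NAS_IP_ADDRESS, ACCT_STATUS_TYPE = 1, 4, 40
ACCT_INPUT_OCTETS, ACCT_OUTPUT_OCTETS, ACCT_SESSION_ID = 42, 43, 44
ACCT_SESSION_TIME, ACCT_TERMINATE_CAUSE = 46, 49
START, STOP, INTERIM_UPDATE = 1, 2, 3
USER_REQUEST = 1  # Acct-Terminate-Cause value: the user ended the session

def attr(t, value):
    return struct.pack("!BB", t, len(value) + 2) + value
def int_attr(t, n):
    return attr(t, struct.pack("!I", n))

def build_accounting_request(ident, secret, attrs):
    # Client side. Request Authenticator = MD5(Code + ID + Length + 16 zero octets + Attributes + Secret).
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(attrs))
    return header + hashlib.md5(header + bytes(16) + attrs + secret).digest() + attrs

def session_packets(secret, user, session_id, nas_ip, samples, cause=USER_REQUEST):
    # Start, one Interim-Update per cumulative (seconds, in octets, out octets) sample, then Stop.
    common = (attr(USER_NAME, user.encode()) + attr(ACCT_SESSION_ID, session_id.encode())
              + attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    pkts = [build_accounting_request(1, secret, int_attr(ACCT_STATUS_TYPE, START) + common)]
    for ident, (secs, octets_in, octets_out) in enumerate(samples, start=2):
        status = STOP if ident == len(samples) + 1 else INTERIM_UPDATE
        attrs = (int_attr(ACCT_STATUS_TYPE, status) + common + int_attr(ACCT_SESSION_TIME, secs)
                 + int_attr(ACCT_INPUT_OCTETS, octets_in) + int_attr(ACCT_OUTPUT_OCTETS, octets_out))
        if status == STOP:
            attrs += int_attr(ACCT_TERMINATE_CAUSE, cause)
        pkts.append(build_accounting_request(ident, secret, attrs))
    return pkts

def ingest(packets, secret):
    # Server side. RFC 2866: a request whose authenticator fails is silently discarded; the rest
    # build a per-session record of the status sequence and the latest totals.
    sessions, discarded = {}, 0
    for p in packets:
        expected = hashlib.md5(p[:4] + bytes(16) + p[20:] + secret).digest()
        if p[0] != ACCOUNTING_REQUEST or not hmac.compare_digest(expected, p[4:20]):
            discarded += 1; continue
        a, i = {}, 20
        while i < len(p):
            a[p[i]], i = p[i + 2:i + p[i + 1]], i + p[i + 1]
        u32 = lambda t: struct.unpack("!I", a[t])[0]
        rec = sessions.setdefault(a[ACCT_SESSION_ID].decode(), {"user": a[USER_NAME].decode(), "status": []})
        rec["status"].append(u32(ACCT_STATUS_TYPE))
        if ACCT_SESSION_TIME in a:
            rec["seconds"], rec["octets"] = u32(ACCT_SESSION_TIME), u32(ACCT_INPUT_OCTETS) + u32(ACCT_OUTPUT_OCTETS)
        if ACCT_TERMINATE_CAUSE in a:
            rec["cause"] = u32(ACCT_TERMINATE_CAUSE)
    return sessions, discarded
```

Because the Accounting-Request authenticator covers the attributes, a record altered in transit or sent with the wrong shared secret is dropped rather than billed or logged.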
Secure Your Application Access with Parallels RAS
Parallels® Remote Application Server (RAS) has a wide range of features that can help secure access to your applications and data, including support for MFA using any RADIUS server.
Parallels RAS provides high-availability configuration support for two RADIUS servers. High-availability modes for RADIUS servers may be set as Active-Active, to make use of both servers simultaneously or as Active-Passive, for failover purposes.
Moreover, with Parallels RAS, you can create filtering rules for users based on user, IP address, MAC address, and gateway. You can group users and push different Parallels Client settings to your user devices using client policies.
Parallels RAS supports:
- Smart card authentication
- Kiosk mode
- Security Assertion Markup Language single sign-on (SAML SSO) authentication
Parallels RAS also supports Secure Sockets Layer (SSL) or Federal Information Processing Standard (FIPS) 140-2 protocol encryption in accordance with the General Data Protection Regulation (GDPR), the Health Insurance Portability and Accountability Act (HIPAA), and the Payment Card Industry Data Security Standard (PCI DSS).
Parallels RAS comes with a standard Reporting Engine that allows your raw data to be transformed into visual and intuitive reports.
Check out how Parallels RAS can help secure your networks!