How RADIUS Authentication, Authorization, and Change of Authorization (CoA) Secures Remote Access
Remote Work / Work From Home has emerged as one of the hottest topics, driven primarily by the Covid-19 pandemic. According to Google, searches for these terms reached 100% of their popularity last year. A Gartner HR survey also found that 88% of business organizations worldwide mandated or encouraged all of their employees to work from home as the virus began to spread at exponential rates. Furthermore, about 97% of organizations immediately canceled all work-related travel.
ZTNA & SASE considered the gold standard for remote access
The most practical solution: NAC with RADIUS and VPN
RADIUS Authentication and Authorization
RADIUS Authentication and Authorization are covered under multiple RFCs, perhaps the most commonly referenced being RFC-2865. The RFC describes RADIUS as:
“A protocol for carrying authentication, authorization, and configuration information between a Network Access Server which desires to authenticate its links and a shared Authentication Server.”
In other words, RADIUS-enabled network devices (the Network Access Servers) authenticate users against a RADIUS server. Behind the RADIUS server there is typically Active Directory / LDAP, or sometimes just a local database.
RADIUS Change of Authorization (CoA)
RADIUS Change of Authorization (CoA) is also covered under multiple RFCs, most notably RFC-3576 and RFC-5176. It is described as:
“A currently deployed extension to the Remote Authentication Dial In User Service (RADIUS) protocol, allowing dynamic changes to a user session, as implemented by network access server products. This includes support for disconnecting users and changing authorizations applicable to a user session.”
In short, RADIUS CoA allows the permissions of an existing session to be changed dynamically, without the user having to re-authenticate. This lets admins ensure that when a device experiences a change in status, its permissions are adjusted to match that status.
Remote Access Use Cases
To satisfy the Authentication use case, RADIUS can be used to verify a user's (or computer's) identity against an authentication server such as Active Directory/LDAP. If the user/computer is successfully authenticated, access to the corporate/internal network is granted. If not, access is denied.
For the Authorization use case, RADIUS can optionally be configured to assign specific privileges to a user/computer during authentication, based on the response from the authentication server. Not always, but most commonly, this is based on which group the user or computer is a member of in the directory. This is not to be confused with Change of Authorization, which occurs after authentication.
Change of Authorization (CoA)
In this use case, RADIUS can optionally be configured to perform a Change of Authorization, commonly referred to as CoA, when instructed to do so by an external server such as a Network Access Control (NAC) policy server. Most commonly, this is used to change the level of access/permissions because something has changed on the device, such as a security setting. The status of these settings, compared against the policies defined in the policy server, is often referred to as the device's "posture". If the posture of the device changes, a CoA is typically performed.
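To make the CoA step concrete, here is an added example (not Genian NAC code) of the RFC-5176 exchange the paragraph describes: a policy server that has detected a posture change sends a CoA-Request identifying the session and carrying a new authorization, and the NAS verifies the Request Authenticator with the shared secret before applying it and answering with a CoA-ACK. The shared secret, session id, user name and the use of Filter-Id as the authorization attribute are constructed assumptions for the example.

```python
import hashlib
import struct
COA_REQUEST, COA_ACK = 43, 44                      # RFC 5176 packet codes
USER_NAME, FILTER_ID, ACCT_SESSION_ID = 1, 11, 44  # RFC 2865 attribute types
SECRET = b"constructed-shared-secret"              # constructed value, not a real secret
HDR = struct.Struct("!BBH")                        # Code, Identifier, Length

def encode_attrs(attrs):
    """Attributes are TLVs: 1-byte Type, 1-byte Length (counting these 2 bytes), Value."""
    return b"".join(struct.pack("BB", t, len(v) + 2) + v for t, v in attrs)

def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        t, length = data[i], data[i + 1]
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs

def build_packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return HDR.pack(code, ident, 20 + len(body)) + authenticator + body

def coa_request(ident, attrs, secret):
    """RFC 5176 s2.3: Request Authenticator = MD5(Code+ID+Length+16 zero octets+Attrs+Secret)."""
    auth = hashlib.md5(build_packet(COA_REQUEST, ident, b"\0" * 16, attrs) + secret).digest()
    return build_packet(COA_REQUEST, ident, auth, attrs)

def nas_handle_coa(pkt, secret):
    """NAS side: recompute the authenticator; on mismatch drop silently (RFC 5176 s2.3)."""
    code, ident, length = HDR.unpack(pkt[:4])
    if code != COA_REQUEST or length != len(pkt):
        return None
    req_auth = pkt[4:20]
    if hashlib.md5(pkt[:4] + b"\0" * 16 + pkt[20:] + secret).digest() != req_auth:
        return None
    applied = dict(decode_attrs(pkt[20:]))  # the new authorization to apply to the session
    # CoA-ACK Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    resp_auth = hashlib.md5(build_packet(COA_ACK, ident, req_auth, []) + secret).digest()
    return build_packet(COA_ACK, ident, resp_auth, []), applied

def verify_ack(ack, req_auth, secret):
    """Policy server side: check the CoA-ACK before treating the change as applied."""
    return ack[4:20] == hashlib.md5(ack[:4] + req_auth + ack[20:] + secret).digest()

def quarantine_session(session_id, user, acl_name, ident=0x2A):
    """Policy server: posture check failed, so move the user's session to a restricted ACL."""
    attrs = [(USER_NAME, user), (ACCT_SESSION_ID, session_id), (FILTER_ID, acl_name)]
    return coa_request(ident, attrs, secret=SECRET)
```

A request signed with the wrong secret, or altered in transit, fails the authenticator check and is dropped without any reply, which is why the shared secret between the policy server and each NAS must be protected.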
RADIUS Server Network Integration
Remote Access Enforcement by Genian NAC
Authentication: Genians VPN Enforcement Against Unauthorized User
Authorization: Genians VPN Enforcement for Privileged access
Change of Authorization by Genians VPN Enforcement
The Right Solution for remote access
Genian NAC Built-in RADIUS and VPN
RADIUS is a standards-based solution that is widely deployed across organizations of all sizes. Network Access Control combined with RADIUS and VPN infrastructure is a widely adopted approach to controlling network access for remote workforces: it ensures that only authorized users can reach the internal network while also validating the security posture of end-user devices. The same privileges and security policies assigned inside the physical boundaries of an organization should also apply when users are working remotely. A solution that lets these policies be configured and monitored within a single system is a critical component of any cybersecurity plan.
The Genian NAC Built-In RADIUS Server is capable of performing Authentication, Authorization and Change of Authorization (CoA) functions. For more information, refer to this short 5-minute video covering RADIUS Authorization policies or, for more detailed configuration instructions, see the documentation pages associated with this feature.
Brett is a Cisco CCNP and has over 25 years of experience in networking. During the last 15 years he has specialized as an SME in Designing and Deploying Network Access Control solutions. Prior to focusing on NAC, Brett served as a Cryptologic Technician in the U.S. Navy as well as providing network consulting services such as Enterprise-scale WAN projects for financial institutions and data center BGP connectivity to Service Providers.