If all the users in your network fit into one single group, RADIUS authentication would be simple. Alas, things aren't that easy: administrators often find themselves needing to specifically distinguish between devices and users, especially in an organization with both BYOD/unmanaged devices and managed devices. That's why most organizations rely on certificate-based RADIUS authentication. The certificate (and its private key) is bound to the hardware of a device, confirming Device Trust and tying that device to an identity. The RADIUS server can then verify the identity by performing a lookup in the directory during authentication.

Cloud RADIUS is a RADIUS service that can perform both device-based and user-based lookups at the moment of authentication. The end result is that it can apply policy changes the moment you update a user's or device's information in your directory.

But how, exactly, does RADIUS lookup differentiate between users and devices, and why does it matter?

What is RADIUS Lookup?

In a nutshell, RADIUS lookup simply means that the RADIUS server is actively looking up the user or device in your Identity Provider (IDP)/directory. Lookup can occur either during or after authentication, depending on the type of credentials you're using.

RADIUS Lookup with Certificates vs Passwords

When you're using password-based credentials, the lookup step is already baked into the authentication. In order to authenticate in the first place, the account status must be checked every time the username and password are entered. Should the account no longer exist or the password be invalid, the password authentication itself will fail.

Cloud RADIUS, however, was designed specifically for use with digital certificates, which are more secure than passwords. With digital certificates, lookup technically occurs after authentication is completed. In other words, once Cloud RADIUS has validated the certificate and verified that it isn't on the Certificate Revocation List (CRL), it goes the extra mile by checking the user or device in your IDP. It's essentially an extra step added to heighten the security of your certificates: without it, a certificate that is still valid keeps granting network access after the account behind it has been disabled, until the certificate expires or is revoked.

This latter definition, that RADIUS lookup occurs post-authentication, is what we'll be working with for the purposes of this article.

There are two different types of lookup the RADIUS server can perform: user or device. Which type is performed mostly depends on the directory/IDP and MDM your organization uses. Some IDPs are designed to store information tailored to users or devices:

- Okta specifically stores user objects.
- Azure Active Directory can store both user and device objects.
- Google generally stores only user objects, but can store device objects in Chromebook environments.
- Active Directory stores both user and device objects together.

So, whether user or device lookup will occur depends on a handful of factors:

- What information is stored, and where it's stored, in your directory.
- Whether the RADIUS service in question supports that type of lookup.

With that being said, let's take a closer look at user-based RADIUS lookup and device-based RADIUS lookup individually.

Cloud RADIUS was designed from the ground up for use with certificates, which can be issued to both users and devices. It can look up both user and device certificates in your IDP, regardless of whether your IDP is more user-centric or device-centric. The type of lookup is primarily determined by the identifiers the RADIUS server uses to verify the user or device.
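The post-authentication flow described above, as an added example in plain Python; this is not Cloud RADIUS or SecureW2 code. It models a certificate as an already-parsed set of identifiers (a real server reads them from the X.509 subject and subjectAltName), treats chain validation as already done and checks only a constructed CRL, and then performs the user or device lookup against constructed in-memory directories: one user-centric (Okta-like, no device objects) and one mixed (AD-like). The choice of identifier that marks a user (UPN) or a device (device id), the directory attribute names (enabled, vlan) and all sample data are assumptions for illustration.

```python
"""Post-authentication RADIUS lookup, modelled in plain Python.

Added example; this is not Cloud RADIUS / SecureW2 code. Certificates are
modelled as already-parsed identifier dicts (a real server reads them from the
X.509 subject and subjectAltName), and the CRL and directories are constructed
in-memory data. Which identifier marks a user (UPN) or a device (device id),
and the attribute names (enabled, vlan), are assumptions for illustration.
"""
import copy
from dataclasses import dataclass, field

# Constructed "parsed certificate" records (serial, subject CN, SAN entries).
USER_CERT = {"serial": "1001", "cn": "Alice", "san_upn": "alice@example.com"}
DEVICE_CERT = {"serial": "1002", "cn": "LAPTOP-7F3A", "device_id": "dev-7f3a"}
REVOKED_CERT = {"serial": "1003", "cn": "Bob", "san_upn": "bob@example.com"}
ANON_CERT = {"serial": "1004", "cn": "no-identifiers"}

# Constructed CRL: serial numbers the issuing CA has revoked.
CRL = {"1003"}


@dataclass
class Directory:
    """Minimal IDP model: a user-centric IDP has an empty devices table."""
    name: str
    users: dict = field(default_factory=dict)
    devices: dict = field(default_factory=dict)


def staff_users():
    """Fresh copies so directories never share mutable account records."""
    return copy.deepcopy({
        "alice@example.com": {"enabled": True, "vlan": 10},
        "bob@example.com": {"enabled": True, "vlan": 10},
    })


# An Okta-like store (users only) and an AD-like store (users and devices).
USER_CENTRIC = Directory("user-centric-idp", users=staff_users())
MIXED = Directory("mixed-idp", users=staff_users(),
                  devices={"dev-7f3a": {"enabled": True, "vlan": 20}})


def lookup_type(cert):
    """Pick user vs device lookup from the identifiers the certificate carries.
    Returns (kind, identifier) or (None, None) if nothing usable is present."""
    if cert.get("san_upn"):
        return "user", cert["san_upn"]
    if cert.get("device_id"):
        return "device", cert["device_id"]
    return None, None


def authenticate(cert, crl):
    """Certificate authentication step. Chain and signature validation are
    assumed to have passed; only the revocation check is modelled here."""
    return cert["serial"] not in crl


def authorize(cert, crl, directory):
    """Authenticate, then do the post-auth lookup and derive session policy.
    Returns (decision, reason, attributes); attributes would become RADIUS
    reply attributes such as a VLAN assignment on an Access-Accept."""
    if not authenticate(cert, crl):
        return "reject", "certificate revoked", {}
    kind, ident = lookup_type(cert)
    if kind is None:
        return "reject", "no usable identifier in certificate", {}
    store = directory.users if kind == "user" else directory.devices
    obj = store.get(ident)
    if obj is None:
        return "reject", f"{kind} {ident} not found in {directory.name}", {}
    if not obj.get("enabled", False):
        return "reject", f"{kind} {ident} is disabled", {}
    return "accept", f"{kind} lookup ok", {"vlan": obj["vlan"]}


def disable_account(directory, kind, ident):
    """Simulate an admin flipping an account off in the IDP; no certificate
    is reissued or revoked, the next lookup simply rejects it."""
    store = directory.users if kind == "user" else directory.devices
    store[ident]["enabled"] = False


if __name__ == "__main__":
    for label, cert, d in [("user/user-centric", USER_CERT, USER_CENTRIC),
                           ("device/user-centric", DEVICE_CERT, USER_CENTRIC),
                           ("device/mixed", DEVICE_CERT, MIXED),
                           ("revoked", REVOKED_CERT, MIXED),
                           ("no identifiers", ANON_CERT, MIXED)]:
        print(label, authorize(cert, CRL, d))
    disable_account(MIXED, "user", "alice@example.com")
    print("user after disable", authorize(USER_CERT, CRL, MIXED))
```

Two things to notice when running it: a device certificate presented against the user-centric directory is rejected at the lookup stage even though the certificate itself is perfectly valid, which is the "what is stored, and where" factor from the list above; and disabling Alice in the mixed directory causes her next authentication to be rejected without anyone touching the CRL, which is the policy change taking effect the moment the directory is updated.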