Radiator as Steel-Belted RADIUS Replacement

Recently we have received many inquiries on whether Radiator AAA would be a good solution for replacing Juniper’s Steel-Belted RADIUS. As the aforementioned SBR has reached End of Engineering date in February, its support ending in September and with seemingly no alternative from the OEM, many operators are looking to replace their existing SBR setups with alternative established robust AAA solution. If you are among these companies, Radiator AAA is the solution for you.

Why choose Radiator AAA?

Known for its reliability and flexibility, Radiator AAA has been in the market for decades. Radiator is an actively developed and support AAA server with RADIUS and TACACS+ functionalities. With modules, Radiator AAA can also be complemented with Diameter relay, SIM-based authentication and other mobile network functionalities.

Like SBR, Radiator AAA Server offers support for both Linux, Windows and Solaris installations with various different operating systems (See our Supported Platforms for more information. Radiator has extensive support for different databases and authentication backends (SQL-based, LDAP, AD etc.) as well as support for MFA solutions with TOTP capable authenticators and tokens (Google and MS authenticator, Yubikey, DIGIPASS etc.)

The Radiator technical team consists of experts with vast experience in migration from other AAA solutions. We offer migration support and configuration assistance so you do not need to worry about meeting project schedule before SBR EoSL. Radiator can integrate with existing database and in nearly all cases no changes to schema are needed.

Like Steel-Belted RADIUS, Radiator AAA has multi-vendor support and can be installed flexibly on different platforms on physical or virtual machines. With Radiator, you can compile your AAA use cases under one product: RADIUS, Diameter, TACACS+, SIGTRAN, you name it, we have it!

Want to know more?

For any questions or other inquiries about Radiator as SBR replacement, please contact sales@radiatorsoftware.com

What’s next after IETF 116 for Radiator?

Recently, Radiator Software has been heavily involved in Internet Engineering Task Force (IETF) working groups. We see IETF as an important forum to discuss important developments that benefit our customers as well. Last month, IETF meeting 116 was organised in Japan, and Radiator Software participated in the meeting.

Now the IETF 116 has concluded and the newly rechartered RADIUS EXTensions (radext) working group is now organising its work items. The first drafts called for radext WG adoption are:

• RFC 6614 RadSec update: Transport Layer Security (TLS) Encryption for RADIUS
• RADIUS encryption and FIPS compliance enhancements, efficiency updates: RADIUS Version 1.1
• Guidance for using pre-shared keys as an alternative for certificates with (D)TLS: RADIUS and TLS-PSK

The RadSec update moves RadSec from experimental to standards track and updates TLS and encryption recommendations to cover TLSv1.3 and the current best practices.

FIPS compliance is achieved by removing the use of MD5 with RADIUS hop-by-hop attribute value obfuscation and message integrity signing. This frees the authenticator field in the RADIUS messages header and allows its re-use as a long identifier field. The current short identifier field is a major cause of problems with RADIUS, especially when used with connection oriented protocols, such as RadSec that runs over TCP. When identifiers run out, a new connection and TLS session is needed. This causes significant overhead on busy RADIUS systems.

Where RADIUS traffic is secured with TLS, many organisations can benefit from the possibility of using pre-shared keys (PSKs) instead of having to set up certificates. The use of PSKs with (D)TLS is mentioned in the current RFCs, but specific guidance of their use is now getting updated and expanded.

What does the above mean for Radiator users?

We will start implementing the new drafts and do testing, including interoperability testing, with other vendors. We will also participate in the radext working group activities to help advancing the drafts to RFCs. When the drafts stabilise, we’ll make our implementation available as part of Radiator. If you are interested in early testing, please let us know.

The work is just starting and the final number of drafts, their names and content, and resulting RFCs, are subject to change.

EAP Method Update (emu) working group has a number of drafts that are getting near to being published as RFCs.

One of the EMU drafts defines updates for using TLSv1.3 with PEAP, EAP-TTLS and some other TLS-based EAP methods. TLSv1.3 for PEAP and EAP-TTLS is already implemented in Radiator 4.27.

Another EMU working group draft defines updates and clarifications for TEAP, for which our customers have also shown a lot of interest. Radiator implementation for TEAP aims directly for the revised version and it is under development and interoperability testing.

Would you like to know more?

If you are interested more about these and other developments with Radiator, you can always contact us at info(a)radiatorsoftware.com. We are always delighted to hear about different use cases of our customers, and to provide assistance when needed.

Enterprise network authentication with Radiator

Is your Wi-Fi password written on the conference room wall? Can your guests just plug a cable in and be connected to your enterprise network? These are situations where Radiator could help your network security. Once a company grows out of the founder’s garage, gains some employees and takes up an office space, this office in most cases needs a networking solution for both the company internal network and access to the internet for employees. At the beginning these might be resolved with one router with open Wi-Fi and a shared folder over the internet. However, companies should implement some form of security for their enterprise network. The goal for these implementations is that the right people have access to the right networks and other people do not. And once these basic needs are met, then flexibility and user experience should also be taken into account.

Radiator as enterprise network AAA Server

Enterprise network authentication is a bread-and-butter use case for Radiator. The key differentiator in the market for Radiator is flexibility. Radiator offers a variety of options for when it comes to what the users are authenticated against (SQL database, LDAP or Active Directory, REST etc.), as well as what hardware your enterprise uses for their network. Radiator also offers multi-vendor support for network devices.

This is a basic setup which can be altered depending on your organisation’s needs. Multi-factor authentication with TOTP or HOTP can also be added to the solution for enterprises who want to add another layer of security to their network. Radiator supports a great variety of options for TOTP and HOTP implementations. On the other hand, Radiator can also be used for network device administration as a TACACS+ server (more information about this use case in our previous blog post). Another key differentiator for Radiator is access to active and competent support. Both Radiator email and telephone support grant you straight access to experienced Radiator developers so you can be sure your issues are resolved swiftly. While many company flagship RADIUS server products like Cisco’s ACS and Junipers Steel Belted RADIUS have been announced End-of-Life, Radiator is actively developed and supported.

Managed solution for Wi-Fi Authentication

Radiator also offers enterprise Wi-Fi authentication as a service: Radiator Auth.Fi. Radiator Auth.fi is a RADIUS based Wi-Fi authentication cloud service for authenticating network users and guests. It provides user authentication as a service for Wi-Fi, wired network and VPN. Subscription based cloud service works globally, one service covering all customer locations. Radiator Auth.fi also provides an easy way to connect to eduroam and govroam. The starting requirements for this service is RADIUS capable Wi-Fi controller. The starting solution enables simple username-password authentication for both employees and guests. This solution can be customised to include certificate authentication in collaboration with certificate provisioning solutions and PKIs such as for example SCEPman, Microsoft NDES, Intune. For more information about the managed solution for Wi-Fi authentication Radiator Auth.Fi, please see the previous blog post and our Radiator Auth.Fi product presentation.

Want to know more?

If you would like to know more about how Radiator can help your organisations enterprise network AAA needs, please contact our sales team via e-mail sales@radiatorsoftware.com or via our contact form.