Why to choose RADIUS over LDAP

The benefits of using RADIUS over LDAP

Image credits : 

Flickr user: theaucitron (CC BY-SA 2.0)

Imagine you have a great idea for a new open source project that would meet some of your company's needs. You know it will be needed at other organizations, as everyone needs some help managing critical infrastructure. You map out an architecture, do some quick test code, and now it's time to add in some authentication code. If it's a web-based tool, support http authentication and you're done. Apache can handle it. If it's Linux-based, support PAM. Done. But what if it's neither?

You might think "We'll make it pluggable and we'll do an LDAP plugin so we can work with Active Directtory or LDAP. Now, on to logging..." Wait. Step back. I want to propose a better authentication protocol than LDAP as the default go-to protocol: RADIUS.

RADIUS is an interesting protocol. It is ubiquitous in the enterprise, but not often used until needed. It is incredibly simple to configure, but misunderstood. It supports more functionality than LDAP, but is infrequently considered by developers that are creating enterprise-oriented software. It is supported by Cisco, Checkpoint, Netgear, Apache, PAM, every two-factor authentication vendor, every VPN provider, etc.

The best reason why RADIUS should be favored over LDAP: an LDAP server considers itself to be the final authority for authorization and authentication; a RADIUS server will split authentication and authorization. Authentication is who you are. Authorization is what you are allowed to do. Splitting them is important because increasingly you need two-factor authentication. You don't have to split them, though. Supporting RADIUS also gets you LDAP.

Splitting authz and authn is a good thing from a security standpoint. It allows you to do user management in your directory rather than in your your authentication server. An HR person could disable a user in the directory and that user would be locked out. It's much better than needing to disable them in two places.

Additionally, there are free and open source server options on both Linux and Windows. Linux has the venerable and robust Freeradius and other options. Windows has NPS, the free Microsoft RADIUS plugin. In addition, there are robust offerings from Cisco and other networking vendors.

Both RADIUS and LDAP are protocols as well as servers in that you can have a RADIUS server and you can have two systems that speak RADIUS but do not perform the functions of a RADIUS server. So, a VPN can validate credentials to a two-factor authentication system using RADIUS. It's not the best setup, but it's possible and dead simple.

RADIUS is quite simple. All you need is the IP address of each system and a shared secret. No BindDN or LDAP URL or anything like that. (I'll say it: I hate configuring LDAP. LDAP is lightweight only in relation to X509.) For developers, adding RADIUS is as easy as adding LDAP. There are open source libraries available such as jRadius.

What about Single sign-on protocols? I wish I could make a recommendation. It appears that OpenID-Connect could be a winner but it's still a long way off. These procotols need a lot of vetting and review to prove their security. I'm sure most of you have removed your "Login with OpenID" option on your websites. Until there are clear winners in the SSO protocols, I hope developers will consider RADIUS. It gives you LDAP and provides more security options.

4 Comments

Igmar Palsenberg

Radius and LDAP serve different purposes. LDAP is a directory, Radius is about authenticating. The fact that you can authenticate using LDAP is a plus, but not it's primary goal. Authentication is the primary goal of Radius.
LDAP's primary goal is to lookup information, the primary goal of RADIUS is authentication. They really can't be compared, even if they serve a common goal.

Picking LDAP is a choice that should be very carefully made : Try putting your mail routing rules in RADIUS. You really can't. You can with LDAP. It's very flexible, but that flexibility comes at at the price of a learning curve.

Vote up!
1
Vote down!
0
nowen

I agree that they serve different purposes as servers. The main goal here is to boost the use of RADIUS as the default authentication protocol for new projects (after some other tool like PAM or http-auth). Or awareness of RADIUS in general. We get a lot of questions like "does your authentication system work with Cisco?". The answer is always, yes, because RADIUS.

Vote up!
1
Vote down!
0
Jon Forrest

"there are robust offering from Cisco" ->
"there are robust offerings from Cisco"

Vote up!
1
Vote down!
0
nowen

Thanks - fixed.

Vote up!
1
Vote down!
0