RADIUS: still software after all these years, thanks to Windows user authentication

by Matthew Gast

Most wireless network security is now based on 802.1X, EAP, and RADIUS. Wireless networks often drive the adoption of RADIUS. Even though it's been around for what seems like forever, I've frequently had to assist in setting up a new RADIUS system before installing a wireless network.

Many wireless networks need to authenticate users against a Windows user database. In the Windows world, a RADIUS server can look up accounts in one of two ways. An operating system call can fetch user credentials from the security subsystem, or the request can get passed over the network to look up accounts. The local system call option is straightforward. If the RADIUS server is installed on a domain controller, the server process issues a system call, gets the user credentials, and does the authentication.

Installing software on a domain controller can be hard, though. Domain controllers are very important, so once they are running, most people are reluctant to touch them in any way. The larger the organization, the more likely it is that change control procedures will get in the way, too. So, the net is that there's a built-in preference for network-based user credential lookup.

In Windows NT domains, the network protocols have been thoroughly reverse engineered by the Samba team, and the understanding they've given the world has allowed any RADIUS server vendor to look up NT domain accounts over the network, even from a Unix process. For example, the Radiator data sheet lists "Native Windows NT user database and domains (even from Unix!)" as a supported authentication method.

In an Active Directory network, the protocols are still closed. Microsoft's Internet Authentication Server (IAS) can fetch credentials across the network using Active Directory communications, but no other RADIUS server can build that function. Instead, they need to run on a domain controller and pass the request down to the authentication subsystem on that domain controller, which then sends the lookup request through Active Directory. As an illustration, the previously-linked Radiator data sheet notes that Active Directory lookup is only possible on Windows 2000.

(As an aside, the Active Directory indirection creates a cost advantage for the Microsoft RADIUS server in most installations. Both third-party RADIUS servers and IAS need to run on Windows Server, but IAS has no additional cost over the Windows Server license.)

So, network administrators have a choice: use IAS, use a third-party RADIUS server on a domain controller, or run Active Directory in compatibility mode. The last option is generally not viable for many reasons. The bottom line is that if you want to use Active Directory for user accounts, be prepared to dedicate a domain controller for it, or run Microsoft's IAS.

Practically speaking, if you need to talk to a Windows user database, the need to run third-party RADIUS servers on a domain controller effectively prevents them from running on anything other than Windows. (It also helps make IAS more attractive, but that's another post entirely.) At least one RADIUS server vendor has an "appliance" that is based on Windows 2000--I wonder if the need to talk to Active Directory figured into choosing the operating system platform?