AuthenticationWorld.com

The business of authentication

Authentication - Wireless



RADIUS



Most modern wireless networks do user authentication using Remote Authentication Dial-In User Service (RADIUS) protocol.  RADIUS handles the overall authentication process of the user's session on the wireless device as well as also handling the authorization and auditing. 

Typically, when you logon to your ISP using a wireless device, you are required to provide authentication information.  Often, this uses Extensible Authentication Protocol (EAP).  The type of authentication you use is determined by the EAP authentication method.  There are many different EAP methods.  This can range from the use of an id and password (very insecure), to digital certificates, security tokens and even biometrics.

The RADIUS system takes the EAP Authentication Method, challenges the user with the appropriate authentication method, receives the authentication response and then verifies it, often against an enterprise LDAP directory. If the authentication is successful, the RADIUS server will then authorize IP addresses, the tunnelling protocol used to create virtual private networks, etc.  Further, the RADIUS server keeps tracks of when a user session begins and ends. 

Voice Over Internet Protocol (VOIP)



Many VOIP providers also use RADIUS at least for the authentication purposes.  The RADIUS server is used to pass logon credentials of when a session begins and ends (Session Initiation Protocol or "SIP") to a SIP Registrar.  This normally involves using digest authentication.  The VOIP is then passed to the RADIUS server. 

Wireless Authentication Challenges



Many wireless deployments continue to use the least secure authentication methods - id and password.  The use of this results in very insecure communications between the enterprise and the wireless device.  If you are forced to use this, then my advice is to lock down what the user can access and severely restrict the information the user can obtain.  Use a network security appliance like Caymas to check the wireless device platform and ensure it is up to date re software updates and then restrict access to network and applications.

For senior executives, who do require fairly open access to the applications and information systems via their wireless device, issue them with something like a secureID from RSA one time password generator and have the executives be required to enter this in order to authenticate their wireless device to the network.  This reduces the risk that the user on the end of the wireless device is not the identity you issued the id and password to.  

CAVEAT EMPTOR re the type of wireless authentication device you use.
 
Document Authentication

Password Authentication Single Sign On Authentication Access Control Authentication Authentication-Enterprise Security Authentication Strength Authentication Transaction
Authentication Management User Authentication Authentication Federation Biometric Authentication PKI Authentication Token Authentication Wireless Authentication Document Authentication Authentication - Outsourcing