跳至主要內容
繁體中文

The Security Benefits of RADIUS as a Service for Hybrid Workforces

本技術參考指南說明 RADIUS 即服務如何為分散式場域的混合工作團隊確保網路存取安全。內容涵蓋架構、安全性優勢以及部署步驟,指引如何將地端 RADIUS 基礎設施替換為雲端託管的驗證服務。本指南為飯店、連鎖零售、體育場館和公共部門機構的 IT 經理與網路架構師提供評估並於本季度執行雲端 RADIUS 遷移所需的實證。

📖 9 分鐘閱讀📝 2,171 字數🔧 2 範例3 練習題📚 9 關鍵定義

收聽此指南

查看播客逐字稿
Welcome to this technical briefing from Purple. I am your host, and today we are examining a critical shift in enterprise network architecture: moving from on-premise RADIUS servers to RADIUS as a Service. If you manage IT for a hotel group, a retail chain, a stadium, or any large public venue, you know that securing network access for a hybrid workforce is no longer a peripheral concern. It is central to your operational security, your compliance posture, and frankly, your ability to sleep at night. Today we will cover five areas. First, the context: why traditional on-premise RADIUS infrastructure is struggling to keep pace with hybrid work. Second, the technical architecture of RADIUS as a Service and how it actually works. Third, the specific security benefits you gain. Fourth, practical implementation guidance and the pitfalls to avoid. And fifth, a rapid-fire question and answer section covering the questions we hear most often from IT managers and network architects. Let us start with the context. For two decades, 802.1X authentication relied on physical servers running FreeRADIUS on Linux, Microsoft Network Policy Server on Windows, or Cisco Identity Services Engine on dedicated hardware. These systems worked. They still work. But they require constant attention. You had to patch operating systems, manage certificate chains, configure high availability manually, and build redundancy across multiple servers. In a world where workers move constantly between the office, remote locations, hotel rooms, and client sites, that static, on-premise infrastructure becomes a genuine liability. The problem is compounded by the shift to cloud identity providers. Microsoft NPS, for example, is tightly coupled to Active Directory. It has no native support for Microsoft Entra ID, Google Workspace, or Okta. If your organisation has migrated to any of these cloud directories, you face a painful choice: maintain a parallel Active Directory just to support your RADIUS server, or invest significant engineering effort in custom integrations. Neither option is attractive. RADIUS as a Service changes the equation entirely. It moves the authentication engine to the cloud. You no longer manage the infrastructure; you manage the policies. The provider handles the servers, the patching, the high availability, and the integrations. You define who gets access to what, and the service enforces it. Now let us get into the technical architecture. RADIUS, which stands for Remote Authentication Dial-In User Service, is the protocol defined in RFC 2865. It provides centralised Authentication, Authorisation, and Accounting, what we call AAA, for network access. When a device connects to your WiFi network, the access point acts as a RADIUS client. It forwards the authentication request to the RADIUS server. The server validates the credentials against your identity store and returns either an Access-Accept or an Access-Reject. In a cloud RADIUS deployment, the server is hosted by the provider across multiple geographically distributed data centres. Your access points, whether they are Cisco Meraki, HPE Aruba, Ruckus, Juniper Mist, or Ubiquiti UniFi, point to the cloud RADIUS endpoints via secure, encrypted tunnels. The authentication flow is identical to on-premise RADIUS from the access point's perspective. The difference is that the server itself is managed, patched, and scaled by the provider. The most important security enhancement in modern cloud RADIUS deployments is the move to EAP-TLS, which stands for Extensible Authentication Protocol with Transport Layer Security. EAP-TLS is defined in RFC 5216 and provides mutual authentication using digital certificates. Both the client device and the RADIUS server present certificates to each other. This eliminates passwords entirely from the authentication process. A certificate is cryptographically tied to the device and cannot be phished, guessed, or stolen in the way a password can. The second major security capability is dynamic VLAN assignment. When the RADIUS server authenticates a user, it does not just grant or deny access. It also tells the access point which Virtual LAN to place the device in, based on the user's identity and role. A hotel receptionist authenticates and is placed in the front-of-house VLAN with access to the property management system. A housekeeping staff member is placed in a restricted VLAN with internet access only. A guest device is placed in the guest VLAN, completely isolated from all corporate resources. An IoT device, like a security camera, is placed in a dedicated IoT VLAN. This identity-based network segmentation is fundamental to a Zero Trust security model. You are no longer trusting a device because it connected to a particular SSID. You are granting access based on verified identity, and you are limiting that access to only what that identity requires. This is the principle of least privilege applied to network access. Let us also address the compliance angle. PCI DSS version 4.0 requires strong access controls for any network that touches cardholder data. Requirement 8 mandates unique authentication for all users. Requirement 1 requires network segmentation. Cloud RADIUS, with EAP-TLS and dynamic VLAN assignment, satisfies both requirements directly. For GDPR, the centralised audit logging provided by cloud RADIUS gives you a complete record of who accessed the network, when, and from which device. That audit trail is essential for demonstrating compliance and for investigating any potential data breach. Now let me walk you through two concrete implementation scenarios that illustrate how this works in practice. The first scenario is a hotel group. Consider a two-hundred room hotel property. They currently use a shared pre-shared key for their staff WiFi. Every member of staff, from the general manager to the seasonal housekeeping team, uses the same password. When a seasonal employee leaves at the end of summer, the password is rarely changed because changing it means updating every device on the property. This is a textbook security vulnerability. The solution is to deploy RADIUS as a Service integrated with Microsoft Entra ID. The hotel configures its Cisco Meraki access points to use WPA3-Enterprise with 802.1X. Each staff member authenticates using their Entra ID credentials. The RADIUS server reads their role from the directory and assigns them to the appropriate VLAN dynamically. Housekeeping staff are placed in VLAN 10 with access to the housekeeping task management system only. Reception staff are placed in VLAN 20 with access to the property management system. Management are placed in VLAN 30 with broader access. When a seasonal employee's contract ends, their Entra ID account is disabled, and their WiFi access is revoked instantly, across every access point on the property. No password changes required. The second scenario is a national retail chain. Consider a chain with four hundred stores. They currently manage four hundred separate FreeRADIUS instances on local store servers. Each server requires individual patching, monitoring, and maintenance. When a critical vulnerability is disclosed, the security team must patch four hundred servers, often over a period of weeks, leaving the estate exposed during that window. The solution is to migrate to a single RADIUS as a Service instance. All four hundred stores point their HPE Aruba access points to the same cloud RADIUS endpoints. Point-of-sale terminals are authenticated using EAP-TLS with machine certificates pushed via the MDM platform. The RADIUS server places them in a PCI-compliant VLAN, isolated from all other network traffic. Store staff use a separate SSID authenticated via Okta, placing them in a general staff VLAN. The security team now manages one set of policies from a single dashboard. When a vulnerability is disclosed, the provider patches the infrastructure. The retail chain's security team focuses on policy, not plumbing. Now let us cover implementation recommendations and the pitfalls to avoid. Step one is to connect the cloud RADIUS service to your identity provider. For Microsoft Entra ID or Google Workspace, this typically involves authorising an enterprise application. Map your directory groups to specific network policies. Think carefully about your role taxonomy before you start. Getting this right at the beginning saves significant rework later. Step two is to set up certificate deployment for corporate devices. Configure your MDM platform to push client certificates to managed devices. This enables EAP-TLS authentication and removes passwords from the equation entirely. For devices you do not manage, you can use PEAP with a user credential as a fallback, but EAP-TLS should be the target for all corporate-owned devices. Step three is to configure your network hardware. Add the cloud RADIUS IP addresses and shared secrets to your wireless controllers or access points. Always configure both the primary and secondary endpoints to use the provider's built-in redundancy. Step four is to define your VLAN policies. When the RADIUS server authenticates a user, it returns the correct VLAN ID to the access point. Map this out before you deploy. Know which VLAN each user role should land in, and test it thoroughly before rolling out to production. Now, the pitfalls. The most common mistake is a misconfigured firewall blocking UDP ports 1812 and 1813, which are the RADIUS authentication and accounting ports. Always verify connectivity between your access points and the cloud RADIUS endpoints before go-live. The second pitfall is a broken certificate trust chain. If your client devices do not trust the Root Certificate Authority that issued the RADIUS server's certificate, they will silently reject the connection. This can look like a network outage when it is actually a PKI configuration issue. Let us move to the rapid-fire questions. Question one: What happens if our internet connection goes down? If the site loses internet, it cannot reach the cloud RADIUS. However, if the site has no internet, users cannot access cloud applications anyway. For mission-critical local resources, some access points offer local survivability modes. But the primary dependency is your WAN link, and that is true of almost every cloud service your organisation uses. Question two: Is cloud RADIUS compliant with GDPR and PCI DSS? Yes. Centralised authentication with encrypted transport supports strong compliance postures. The audit logs satisfy PCI DSS requirements, and the strict access controls support GDPR principles of data minimisation and access limitation. Question three: Does this work with our existing hardware? Yes. RADIUS is a standard protocol defined in RFC 2865. If your hardware supports 802.1X, and all enterprise gear from Juniper Mist, Ubiquiti UniFi, Cambium, Extreme, and Fortinet does, it will work with any standards-compliant RADIUS as a Service. To summarise the key takeaways. First, RADIUS as a Service replaces on-premise servers with a managed cloud platform, reducing capital expenditure and maintenance overhead. Second, cloud RADIUS integrates natively with Microsoft Entra ID, Okta, and Google Workspace, eliminating the need for complex middleware. Third, it enables dynamic VLAN assignment, ensuring users and devices land in the correct network segment based on their verified identity. Fourth, transitioning to EAP-TLS eliminates the risk of password theft and phishing attacks on your network. Fifth, centralised cloud management ensures consistent security policies across hundreds of distributed venue locations. Sixth, providers handle security patching and high availability. And seventh, cloud RADIUS supports compliance with PCI DSS and GDPR by enforcing strict, identity-based access controls with full audit logging. Your next step is to evaluate your current RADIUS infrastructure. Calculate the true cost of ownership, including licensing, hardware refresh cycles, and the engineering time spent on maintenance. Then, run a proof of concept with a cloud RADIUS provider. You will likely find that the deployment takes hours, not weeks. Thank you for listening. Secure your networks, segment your traffic, and stop managing servers you do not need to own.

header_image.png

執行摘要

向混合工作團隊的轉變暴露了傳統網路安全的一個根本性弱點:地端 RADIUS 伺服器是為員工坐在同一棟大樓並連接到同一個網路的時代而設計的。那個時代已不復存在。如今,您的員工從飯店客房、零售賣場、遠端辦公室和活動場地進行驗證。您的身分識別提供者位於雲端。您的存取點跨越數百個地點。然而,許多組織仍依賴實體 RADIUS 伺服器,這些伺服器需要手動修補、無法與 Microsoft Entra ID 或 Google Workspace 原生整合,且在硬體出錯時會無聲無息地失效。

RADIUS 即服務以雲端原生驗證引擎取代了該基礎設施。您只需將存取點指向雲端端點。服務供應商負責管理伺服器、修補程式和高可用性。您只需管理原則。對於 旅宿 集團、 零售 連鎖店和公共場館的 IT 團隊而言,這一轉變消除了硬體開銷,強制執行基於身分的網路分割,並提供 PCI DSS 和 GDPR 所需的稽核軌跡。

技術深度解析

為什麼地端 RADIUS 面臨困境

定義於 RFC 2865 的 RADIUS 為網路存取提供集中式的驗證、授權和計費(AAA)。每個運行 WPA2-EnterpriseWPA3-Enterprise WiFi 的企業都依賴它。協定本身是完善的。問題在於圍繞其發展的基礎設施模式。

Linux 上的 FreeRADIUS 需要大量的專業知識來部署、強化和維護。Microsoft 網路原則伺服器 (NPS) 與 Active Directory 緊密結合,且不原生支援 Microsoft Entra ID、Okta 或 Google Workspace。Cisco Identity Services Engine (ISE) 提供企業級的原則功能,但需要專用硬體、授權複雜,且需要專業團隊來營運。這三者都需要您手動建立和維護高可用性,通常是透過運行兩台具有資料庫同步功能的伺服器,並在其前端部署負載平衡器。

對於擁有穩定 Active Directory 的單一站點組織,這種模式是可管理的。但對於擁有 50 家物業的飯店集團、擁有 400 家門市的零售連鎖店或擁有分散式校園的大學來說,這將變得難以實行。您要不就是集中化 RADIUS 伺服器並接受來自遠端站點的驗證延遲,要不就是要在每個位置部署伺服器並單獨管理它們。這兩種選擇都無法有效擴充。

RADIUS 即服務的架構

RADIUS 即服務是 RADIUS 協定的雲端型交付模式。協定本身保持不變,遵循 RFC 2865 及其擴充功能。改變的是由誰來維護基礎設施。

當裝置連接到您的 WiFi 網路時,存取點(即 RADIUS 用戶端)會透過安全的加密通道將驗證請求轉發到雲端 RADIUS 端點。雲端服務會根據您的身分識別提供者驗證憑證,並傳回 Access-Accept 或 Access-Reject 訊息,以及動態 VLAN 分配等原則屬性。從存取點的角度來看,驗證流程與地端 RADIUS 完全相同。

architecture_overview.png

雲端服務供應商在多個地理分佈的資料中心營運 RADIUS 伺服器。容錯移轉是自動執行的。如果某個端點變得不可用,流量會自動路由到下一個狀況良好的端點,無需您的團隊進行任何干預。對於在多個地區設有據點的組織,驗證會在最近的雲端端點進行,無論地理位置如何,都能保持低延遲。

IEEE 802.1X 與 EAP 方法

IEEE 802.1X 是基於連接埠的網路存取控制 (NAC) 標準。它會強制裝置在獲取 IP 位址並允許傳輸流量之前進行驗證。RADIUS 是 802.1X 部署中的驗證伺服器。

可延伸驗證協定 (EAP) 定義了憑證的交換方式。雲端 RADIUS 支援全系列的 EAP 方法:

EAP 方法 驗證類型 安全層級 建議用途
EAP-TLS 雙向憑證型 最高 使用 MDM 管理憑證的企業裝置
PEAP-MSCHAPv2 使用者名稱與密碼 中等 舊型裝置或無 MDM 的 BYOD
EAP-TTLS 通道憑證 中等 混合環境
MAC 驗證旁路 (MAB) 裝置 MAC 位址 無法支援 802.1X 的 IoT 裝置

定義於 RFC 5216 的 EAP-TLS 是黃金標準。用戶端裝置和 RADIUS 伺服器會互相出示數位憑證。這種雙向驗證將密碼完全從網路存取流程中消除。憑證在密碼學上與裝置綁定,無法像密碼那樣被網路釣魚、猜測或竊取。對於遭受過憑證型外洩的組織而言,這是目前最直接的技術緩解措施。

動態 VLAN 分配

除了驗證之外,RADIUS 伺服器還會執行授權。當它接受連線時,會向存取點傳回原則屬性,包括要分配給裝置的 VLAN ID。這種動態 VLAN 分配是實現「基於身分的網路」的機制。

飯店接待人員通過驗證後,會被分配到前台 VLAN,並可存取物業管理系統。房務人員會被分配到僅能存取網際網路的受限 VLAN。賓客裝置會被分配到 Guest WiFi VLAN,與所有企業資源完全隔離。IoT 裝置(例如安全監控攝影機)則會被分配到專用的 IoT VLAN。這一切都是根據 RADIUS 伺服器驗證的身份自動進行的,無需針對每台裝置進行任何手動 VLAN 設定。

這是應用於網路存取的最小權限原則。您不會因為某台裝置連線到特定的 SSID 就信任它。您是根據已驗證的身份授予存取權限,並將該存取權限限制在該身份所需的範圍內。若要深入瞭解這如何融入更廣泛的網路存取控制策略,請參閱我們的 網路存取控制系統 指南。

原生雲端身份整合

雲端 RADIUS 在營運上最顯著的優勢在於它與現代身份識別提供商的原生整合。雲端 RADIUS 透過 OIDC、SAML 和 LDAP 等標準協定,直接連線到 Microsoft Entra ID、Okta 和 Google Workspace。當您在身份識別提供商中配置新員工時,他們可以立即驗證並連線到 WiFi 網路。當您辦理員工離職時,您只需在目錄中停用其帳戶,其 WiFi 存取權限就會立即在每個地點的每個存取點被撤銷。

這種即時同步消除了企業 WiFi 中最頑固的安全漏洞之一:已離職的員工仍持有共享的 PSK,或者在其離職時未手動刪除其 RADIUS 帳戶。透過雲端 RADIUS 和雲端身份識別提供商,離職處理只需單一操作,即可立即在整個網路生效。

實作指南

步驟 1:連線您的身份識別提供商

將雲端 RADIUS 服務連線到您的身份識別提供商。對於 Microsoft Entra ID 或 Google Workspace,這通常涉及透過 OAuth 授權企業應用程式,或設定 LDAP 連接器。將您的目錄群組對應到特定的網路原則。在開始之前定義您的角色分類:哪些群組對應到哪些 VLAN,以及每個 VLAN 承載哪些存取權限。在開始時做好這一點可以避免日後大量的重工。

步驟 2:為公司裝置部署憑證

對於公司擁有的裝置,請設定您的行動裝置管理 (MDM) 平台(例如 Microsoft Intune 或 Jamf),以將用戶端憑證推送到裝置。這可以啟用 EAP-TLS 驗證。確保發行 RADIUS 伺服器憑證的根憑證授權單位 (CA) 受到所有用戶端裝置的信任。信任鏈中斷是導致無聲驗證失敗最常見的原因。

步驟 3:設定您的網路硬體

將雲端 RADIUS IP 位址和共用金鑰新增至您的無線控制器或存取點。務必同時設定主要和次要端點,以使用提供商的內建備援機制。確保從您的存取點到雲端 RADIUS 端點的輸出 UDP 連接埠 1812(驗證)和 1813(計費)已開啟。在正式上線前驗證此設定。防火牆規則設定錯誤是部署失敗的第二大常見原因。

雲端 RADIUS 適用於 Cisco Meraki、HPE Aruba、Ruckus、Juniper Mist、Ubiquiti UniFi、Cambium、Extreme 和 Fortinet。設定步驟因廠商而異,但 RADIUS 協定是標準化的,因此核心參數(伺服器 IP、共用金鑰、驗證連接埠)是一致的。

步驟 4:定義 VLAN 原則

在您的 RADIUS 原則引擎中設定動態 VLAN 分配。將每個使用者角色或裝置類型對應到特定的 VLAN ID。在部署到生產環境之前測試每個原則。一個簡單的測試矩陣(每個角色一台裝置、每個角色一個 VLAN,並驗證配置)可以在影響使用者之前捕獲大多數設定錯誤。

最佳實踐

對所有公司裝置強制執行 EAP-TLS。 在您的 MDM 部署允許的情況下,儘快停用 PEAP-MSCHAPv2。PEAP 依賴密碼,而密碼可能會被破解。EAP-TLS 依賴憑證,而憑證則不會。

進行全面區隔。 絕不要將員工、訪客和 IoT 裝置放在同一個子網路中。使用 RADIUS 強制執行嚴格的 VLAN 邊界。這對於在 PCI DSS 規範下處理付款卡資料的 零售 環境,以及保護病患資料的 醫療保健 環境至關重要。

與 WPA3-Enterprise 保持一致。 WPA3-Enterprise 是目前的 WiFi 安全標準,需要 802.1X 驗證。確保您的存取點支援 WPA3-Enterprise,並將其設定為員工網路的最低安全標準。

定期稽核您的 RADIUS 記錄。 雲端 RADIUS 提供集中式稽核記錄。每週審查驗證失敗事件。來自特定裝置或地點的失敗次數激增,是設定錯誤或潛在攻擊的早期指標。

測試容錯移轉。 至少每季一次,模擬主要 RADIUS 端點故障,並驗證是否能透過次要端點繼續進行驗證。記錄測試結果。這是一個簡單直接的測試,但大多數團隊在真正需要之前從未執行過。

對於在包括海洋或偏遠地區等複雜環境中部署 WiFi 的場所,請參閱我們的 在 Starlink 上設定 Captive Portal 指南,以瞭解有關 WAN 依賴性的考量因素。

疑難排解與風險緩釋

驗證逾時

如果裝置無法通過驗證,請先檢查您的存取點與雲端 RADIUS 端點之間的連線。驗證輸出 UDP 連接埠 1812 和 1813 是否已開啟。現代防火牆上的深層封包檢測可能會延遲或捨棄 RADIUS 封包。如果您遇到逾時,請檢查您的防火牆原則,確認是否有規則可能正在檢測或限制流向 RADIUS 端點的 UDP 流量。

憑證信任鏈失敗

如果使用 EAP-TLS,請確保用戶端裝置信任發行 RADIUS 伺服器憑證的根 CA。如果信任鏈中斷,裝置將會無聲地拒絕連線,以防止中間人攻擊。這會表現為連線失敗,且沒有明顯的錯誤訊息。請檢查 RADIUS 伺服器記錄中的 EAP-TLS 握手失敗。請透過 MDM 將 Root CA 憑證部署到所有受管理的裝置。

WAN 依賴性

Cloud RADIUS 需要穩定的網際網路連線。如果 WAN 連結中斷,驗證請求將無法到達伺服器。對於關鍵任務的本地資源,請評估支援本地存活能力或驗證快取的存取點。對於大多數部署而言,WAN 依賴性是可以接受的,因為沒有網路的站點本來就無法存取雲端應用程式。

共用金鑰不相符

每個存取點或無線控制器都必須設定為具有正確共用金鑰的 RADIUS 用戶端。若金鑰不相符,來自該裝置的所有驗證請求都會被直接丟棄。如果特定存取點失敗而其他存取點成功,請驗證該裝置上的共用金鑰設定。

投資報酬率 (ROI) 與業務影響

比較圖表.png

RADIUS 即服務的商業效益建立在三大支柱上:降低資本支出、減少營運開銷以及提升安全態勢。

在資本支出方面,您無需再支付購買、授權和更新實體伺服器的費用。一個最低可行性的本地部署 RADIUS 方案需要兩台伺服器以實現高可用性、作業系統授權,且每三到五年就需要進行一次硬體更新。對於一個擁有 50 家物業的飯店集團來說,這代表了整個集團龐大的硬體投資。

在營運開銷方面,您的工程團隊不再需要花時間修補 Windows Server、排除 FreeRADIUS 設定故障,或在實體基礎架構上管理憑證更新。這些時間可以重新投入到能直接改善安全態勢的安全原則工作中。

在安全態勢方面,轉向 EAP-TLS 和動態 VLAN 分配可實質上減少攻擊面。憑證竊取是導致網路入侵的首要原因。從網路驗證流程中消除密碼可直接解決此風險。集中式稽核記錄支援符合 PCI DSS v4.0 和 GDPR 規範,從而降低合規稽核的成本和複雜性。

對於管理 交通運輸 樞紐或高人流量場所的組織而言,能夠從單一儀表板在所有位置實施一致的安全原則,是一項顯著的營運改善。Purple 在全球 80,000 多個實際營運場所中運作,並在 2024 年處理了 4.4 億次登入(Purple 內部數據,2024 年)。支援如此規模的基礎架構在設計上即為雲端原生。

若要更廣泛地瞭解 WiFi 分析和網路智慧如何與業務成果相結合,請參閱我們的 WiFi 分析平台

參考資料

[1] IEEE 區域與都會網路標準 - 基於連接埠的網路存取控制。IEEE Std 802.1X-2020。 [2] IETF。遠端使用者撥入驗證服務 (RADIUS)。RFC 2865。1997。 [3] IETF。EAP-TLS 驗證協定。RFC 5216。2008。 [4] IronWiFi。雲端 RADIUS 伺服器的優勢:為什麼企業正在將驗證移至線上。2026 年 2 月。 [5] SecureW2。雲端與本地部署 RADIUS:哪一個更好?2026 年 5 月。 [6] Portnox。RADIUS 即服務。2026。 [7] PCI 安全標準委員會。PCI DSS v4.0。2022 年 3 月。 [8] Purple。內部平台數據:4.4 億次登入,80,000+ 個場所。2024。

關鍵定義

RADIUS

Remote Authentication Dial-In User Service. A networking protocol defined in RFC 2865 that provides centralised Authentication, Authorisation, and Accounting (AAA) management for users connecting to a network service.

IT teams use RADIUS as the central decision engine to verify whether a device or user is allowed onto the corporate WiFi network. It sits between the access point and the identity provider.

802.1X

An IEEE Standard for port-based Network Access Control. It provides an authentication mechanism to devices wishing to attach to a LAN or WLAN, forcing them to authenticate before receiving an IP address.

This is the standard that underpins enterprise WiFi security. Without 802.1X, any device that connects to the SSID gets network access. With 802.1X, every device must prove its identity first.

EAP-TLS

Extensible Authentication Protocol - Transport Layer Security. An authentication method defined in RFC 5216 that requires both the client device and the RADIUS server to present digital certificates, providing mutual authentication without passwords.

Considered the gold standard for enterprise WiFi security. Certificates are deployed to corporate devices via MDM. EAP-TLS eliminates the risk of password theft and phishing attacks on the network.

PEAP

Protected Extensible Authentication Protocol. An EAP method that tunnels a username and password exchange inside a TLS session. Less secure than EAP-TLS because it relies on passwords.

PEAP-MSCHAPv2 is widely deployed in legacy environments. IT teams should plan a migration to EAP-TLS for corporate devices, using PEAP only as a fallback for unmanaged or BYOD devices.

Dynamic VLAN assignment

A process where the RADIUS server instructs the access point which Virtual LAN to place a device in, based on the user's verified identity and role, rather than the SSID they connected to.

Essential for network segmentation in multi-role environments. A single 'Staff' SSID can securely separate housekeeping, reception, and management traffic into different VLANs with different access rights.

AAA

Authentication, Authorisation, and Accounting. The three functions performed by a RADIUS server: verifying identity (authentication), determining what access is permitted (authorisation), and recording session data for audit purposes (accounting).

IT teams and auditors use AAA as a framework for evaluating network access control. Cloud RADIUS delivers all three functions from a managed service.

WPA3-Enterprise

The current WiFi security standard for enterprise networks, requiring 802.1X authentication via a RADIUS server. It offers improved cryptographic strength over WPA2-Enterprise, including 192-bit security mode for high-security environments.

IT managers should configure WPA3-Enterprise as the minimum security standard for staff networks. Guest networks can use WPA2 or open authentication with a captive portal.

Network Access Control (NAC)

A security approach that enforces policy on devices seeking to access network resources, combining endpoint security assessment, identity authentication, and network enforcement.

RADIUS is a foundational component of NAC. Cloud RADIUS extends NAC to distributed, multi-site environments without requiring on-premise infrastructure at each location.

Captive portal

A web page that a user of a public-access network must interact with before being granted internet access. Typically used for Guest WiFi to collect consent or display terms of use.

Captive portals handle unauthenticated guest access, while 802.1X handles authenticated staff access. The two mechanisms operate on separate SSIDs and VLANs.

範例

A 200-room hotel needs to secure its staff network across housekeeping, reception, and management, while keeping Guest WiFi entirely separate. They currently use a shared PSK for the staff network, which has not been changed in two years.

Deploy RADIUS as a Service integrated with Microsoft Entra ID. Configure the Cisco Meraki access points to use WPA3-Enterprise with 802.1X. Housekeeping staff authenticate using their Entra ID credentials; the RADIUS server reads their directory group and dynamically assigns them to VLAN 10 (housekeeping task system access only). Reception staff are assigned to VLAN 20 (property management system access). Management are assigned to VLAN 30 (broader access). Guest WiFi remains on a separate SSID with a captive portal, isolated on VLAN 40. When a seasonal staff member leaves, their Entra ID account is disabled, instantly revoking WiFi access across all access points on the property.

考官評語: This approach eliminates the shared PSK vulnerability and the risk of former employees retaining access. Dynamic VLAN assignment ensures a compromised housekeeping device cannot reach the property management system. Using cloud RADIUS removes the need for a physical server in the hotel's limited IT closet. The integration with Entra ID means offboarding is a single action with immediate network-wide effect.

A national retail chain with 400 stores needs to ensure PCI DSS compliance for its point-of-sale terminals. They currently manage 400 separate FreeRADIUS instances on local store servers, each requiring individual patching.

Migrate to a single RADIUS as a Service instance. Configure HPE Aruba access points at all 400 stores to authenticate POS devices using EAP-TLS with machine certificates pushed via Microsoft Intune. The cloud RADIUS server authenticates the certificates and places POS devices into a PCI-compliant VLAN (VLAN 30), isolated from all other network traffic. Store staff use a separate SSID authenticated via Okta, placing them in a general staff VLAN (VLAN 20). Shoppers on the guest network are isolated on VLAN 40. The security team manages all policies from a single dashboard.

考官評語: Centralising the RADIUS infrastructure eliminates the maintenance burden of patching 400 local servers. Using EAP-TLS for POS devices removes passwords entirely, preventing credential theft. This architecture satisfies PCI DSS v4.0 Requirement 8 (unique authentication) and Requirement 1 (network segmentation). When a vulnerability is disclosed, the provider patches the cloud infrastructure rather than the retail chain's security team patching 400 servers over several weeks.

練習題

Q1. Your university campus currently uses Microsoft NPS on Windows Server to authenticate students via PEAP-MSCHAPv2. The institution is migrating to Google Workspace and wants to decommission all on-premise servers within 12 months. What is the most secure and operationally efficient architectural change for the WiFi authentication infrastructure?

提示:Microsoft NPS does not natively support Google Workspace. Consider what replaces both the server and the authentication method.

查看標準答案

Migrate to RADIUS as a Service with native Google Workspace integration. The cloud RADIUS service connects directly to Google Workspace via LDAP or OIDC, eliminating the need for Active Directory or NPS. Simultaneously, transition managed student and staff devices from PEAP-MSCHAPv2 to EAP-TLS by deploying client certificates via the institution's MDM platform. This removes passwords from the authentication process and ensures that only managed, trusted devices can access the staff and student networks. The migration can be phased: deploy cloud RADIUS alongside NPS, migrate one SSID at a time, then decommission NPS once all devices are using the new service.

Q2. A stadium with 80,000 capacity requires secure WiFi for corporate staff, ticketing terminals, media press members, and event-day contractors. How should the network be configured using cloud RADIUS to enforce appropriate access for each group?

提示:Consider how RADIUS handles authorisation, not just authentication. Each group needs different access rights.

查看標準答案

Deploy a single 802.1X SSID for all authenticated groups. Configure the cloud RADIUS service to use dynamic VLAN assignment based on the user's role in the identity provider. Corporate staff are assigned to VLAN 10 with access to internal systems. Ticketing terminals, authenticated via machine certificates (EAP-TLS), are placed in a restricted VLAN 20 with access only to the ticketing platform. Media press members are assigned to VLAN 30 with high-bandwidth internet access but no access to internal systems. Event-day contractors are assigned to VLAN 40 with limited internet access only. A separate open SSID with a captive portal handles fan and attendee guest access on VLAN 50, isolated from all other traffic.

Q3. During a security audit, it is discovered that your organisation's FreeRADIUS server has not received a security patch for eight months. The team has been reluctant to patch it because the last update caused a two-hour authentication outage. How does migrating to RADIUS as a Service resolve both the security risk and the operational risk?

提示:Consider the division of responsibility in a managed service model and how providers handle patching without downtime.

查看標準答案

RADIUS as a Service shifts the responsibility for OS patching and vulnerability management to the provider. The provider operates highly available, multi-region clusters, allowing them to patch individual endpoints and roll updates progressively without causing authentication downtime. Your team no longer needs to schedule maintenance windows or accept the risk of a patch-induced outage. The security risk is eliminated because the provider patches the infrastructure as vulnerabilities are disclosed, often before the CVE is widely publicised. The operational risk is eliminated because the provider's SLA guarantees uptime regardless of patching activity. Your team's role changes from infrastructure maintenance to policy management.

繼續閱讀本系列

將 RADIUS as a Service 與雲端目錄(Azure AD 和 Google Workspace)整合

本技術參考指南詳細介紹了如何將 RADIUS as a Service 與雲端目錄(Microsoft Entra ID 和 Google Workspace)整合,以進行企業級 WiFi 驗證。內容涵蓋從地端 NPS 到雲端原生 RADIUS 的架構轉變、基於憑證的 EAP-TLS 驗證部署,以及在旅宿業、零售業和公共部門環境中保障無線存取安全的營運最佳實踐。對於已投入雲端身分識別的 IT 經理和網路架構師,本指南彌合了目錄管理與實體網路安全之間的鴻溝。

閱讀指南 →

如何使用 Cloud RADIUS 實作 802.1X 驗證

本技術參考指南提供了一個全面的架構,用於在分散式企業環境中部署結合 Cloud RADIUS 的 802.1X 驗證。本指南詳細介紹了架構、EAP 方法選擇、部署順序以及降低風險的策略,旨在確保網路存取安全,同時消除地端基礎設施的維運開銷。

閱讀指南 →

從地端 RADIUS (NPS) 遷移至 RADIUS 即服務 (RADIUS as a Service)

本權威指南詳細介紹了從地端 Microsoft 網路原則伺服器 (NPS) 遷移至雲端原生 RADIUS 即服務 (RADIUS as a Service) 模型的技術架構、實作方法論和業務影響。它為 IT 主管和網路架構師提供了實用框架,以降低營運開銷、消除單一故障點,並確保分散式場域中企業驗證的安全。

閱讀指南 →