SafeNet Trusted Access (STA) provides different options for integrating with RADIUS-based applications. These options also eliminate the requirement for having IPsec VPN tunnels to connect to the RADIUS server. This article highlights these different options and outlines considerations for choosing the one that best matches your needs.

Securing RADIUS traffic over the public internet

It is important to consider the security of the RADIUS traffic while it is carried through the public network. An attacker could intercept the RADIUS traffic between your data center and the STA server that is hosting the RADIUS server, which could lead to a leak of RADIUS request and response information.

This type of attack can occur because the RADIUS traffic is protected by the RADIUS shared secret and a hiding mechanism that is based on a combination of stream cipher and md5 hash, rather than a standard encryption scheme. In particular, in PAP mode, the password data is protected by the RADIUS shared secret, and in MSCHAPv2 mode, the password data is further protected by the MS-CHAP authentication protocol.

STA offers RADIUS integration options that are designed to protect your traffic from this risk. One integration option is based on the RADIUS PEAP (EAP-MSCHAPv2) protocol, which secures the information that is transported through the use of a TLS connection. Other integration options use the SafSafeNeteNet agents that are built for RADIUS integrations and are deployed on your premises. These agents interconnect with your RADIUS client and transport the traffic to STA using a proprietary security protocol.

Deployment options for RADIUS integration

The following RADIUS integration options are available:

• Connect your RADIUS client directly to STA and use the RADIUS PEAP protocol: Use the RADIUS PEAP (EAP-MSCHAPv2) protocol. This option tunnels a MSCHAPv2 request in a secure TLS connection. Your RADIUS client needs to support PEAP.

• Connect your RADIUS client to one of the SafeNet RADIUS agents: To use the agents, terminate the RADIUS traffic in your data center by configuring an on-premises RADIUS server with a SafeNet RADIUS agent. Thales offers two agents for RADIUS integrations. Both agents support the same protocols. The difference between the agents is the deployment environment:

  • SafeNet Agent for FreeRADIUS is delivered in a bucket (Docker) container.

  • SafeNet Agent for NPS is for a Windows environment.

    If using the FreeRADIUS agent, see also block RADIUS authentication.

How to choose your integration option

1. If your RADIUS client supports PEAP, Thales recommends that you connect your RADIUS client directly to STA and use the RADIUS PEAP protocol.

2. If your RADIUS client does not support PEAP:

   • First check whether your application supports SAML or OIDC. If yes, Thales recommends that you integrate your application with SAML or OIDC instead of RADIUS. Use the SAML and OIDC application templates or the generic template for SAML and OIDC.

   • If your application does not support SAML or OIDC, choose one of the agent-based deployment options:

     • For agent deployment in a Windows Server environment: Use SafeNet Agent for NPS.

     • For agent deployment in a Docker container environment: Use SafeNet Agent for FreeRADIUS.