LDAP databases are most typically used by enterprises to store employee credentials, telephone numbers, etc. Some ISPs also use LDAP, but it's not as widespread as the ISP use of SQL. The common implementations are Active Directory and OpenLDAP. We have extensive experience with both.
LDAP is not just used to authenticate and authorize users; it can also be used to de-authorize them! All modern LDAP servers provide a database replication interface, and that interface is used by InkBridge RADIUS to detect changes to user profiles.
In most enterprises, an employee still has network access after they've been laid off. Why? Because they never had to prove that they were an employee in order to gain network access. So anyone can get onto your network, at any time! (This is why you need a RADIUS server.)
In an ISP, a bad network design can require you to wait hours before any change of service is applied. Or, you have to manually reboot your modem. In the worst case, you lose access to the ISP support just when you're online with them!
When the RADIUS server uses LDAP, it can dynamically read changes from LDAP, and immediately apply those changes to the network. You now have 1Gbps service, instead of 200Mbps? No problem! The RADIUS server sends the network a "change of authorization" notice, and the new service is "live" immediately. Or, the employee John Smith is no longer with the company? Hmm... he still has a device on the network. Let's send the Access Point a disconnection message, and kick that device offline.
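The two notices described above are the CoA-Request and Disconnect-Request packets defined in RFC 5176. The following is an added example, not InkBridge RADIUS code: it maps a directory change to one of those packets and shows the shared-secret check a receiver applies before acting on it. The change-record fields, the function names, the sample values and the use of Filter-Id to carry the new service profile are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

DISCONNECT_REQUEST, COA_REQUEST = 40, 43          # RFC 5176 packet codes
USER_NAME, FILTER_ID, ACCT_SESSION_ID = 1, 11, 44  # RFC 2865/2866 attribute types

def attr(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as type, length, value."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 octets")
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_request(code: int, ident: int, attrs: bytes, secret: bytes) -> bytes:
    """Authenticator = MD5(code, id, length, 16 zero octets, attributes, secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    auth = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + auth + attrs

def verify_request(packet: bytes, secret: bytes) -> bool:
    """Receiver-side check: drop requests not authenticated with the shared secret."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])

def request_for_change(change: dict, ident: int, secret: bytes) -> bytes:
    """Map one directory change to a Disconnect-Request or CoA-Request."""
    attrs = attr(USER_NAME, change["uid"].encode())
    attrs += attr(ACCT_SESSION_ID, change["session_id"].encode())
    if change["disabled"]:                      # user removed or locked in LDAP
        return build_request(DISCONNECT_REQUEST, ident, attrs, secret)
    # Assumption: the new service profile is conveyed in Filter-Id.
    attrs += attr(FILTER_ID, change["profile"].encode())
    return build_request(COA_REQUEST, ident, attrs, secret)

# Constructed sample data, not taken from any real directory or NAS.
SECRET = b"example-shared-secret"
CHANGES = [
    {"uid": "jsmith", "session_id": "0000A1B2", "disabled": True, "profile": ""},
    {"uid": "subscriber42", "session_id": "0000C3D4", "disabled": False, "profile": "1gbps"},
]

if __name__ == "__main__":
    for ident, change in enumerate(CHANGES, start=1):
        pkt = request_for_change(change, ident, SECRET)
        print(change["uid"], "code", pkt[0], "len", len(pkt), "valid", verify_request(pkt, SECRET))
```

Because the authenticator depends on the shared secret, a network device should accept these requests only from its configured RADIUS server and reject any packet that fails the check.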
Adding a RADIUS server to your network won't require new business processes or policies. It will use your existing user information store. This re-use can help you upgrade your network from “open” and insecure, to authenticating all users and devices.
Network policies can be set for different groups of users (e.g. admin, sales, engineering). Network policies can also be set for different access methods (VPN, WiFi, wired Ethernet, etc). Our product gives you the flexibility to create the solution you want without extensive changes to your existing systems. It can even do TACACS+ for administrator authentication to network devices.
So if you have LDAP (and most people do), RADIUS is an easy next step to securing your network.
Need more help?
InkBridge Networks has been at the forefront of network security for over two decades, tackling complex challenges across various protocols and infrastructures. Our team of seasoned experts has encountered and solved nearly every conceivable network security issue. If you're looking for insights from the architects behind some of the internet's most foundational authentication systems, you can request a quote for network security solutions here.