Category: RADIUS

Using SSO Single Sign-On for Enhanced Security and Convenience

Employee using SSO single sign-on on BYOD device for secure access to business apps, reducing password risks and enhancing convenience
SSO for BYOD provides secure, convenient single sign-on access across apps on personal devices for small business teams.

Individuals and organizations rely heavily on various online platforms and services, the need for a secure and convenient way to access these resources is paramount. This is where SSO Single Sign-On comes into play. SSO Single Sign-On is a powerful authentication method that allows users to securely sign in to multiple applications and platforms using just one set of credentials. In this article, we will explore the benefits of SSO Single Sign-On, its implementation, and how it enhances security while streamlining the user experience.


Understanding SSO Single Sign-On

What is SSO Single Sign-On?  SSO Single Sign-On is an authentication process that enables users to access multiple applications and platforms using a single set of login credentials. With SSO Single Sign-On, users only need to remember one username and password, eliminating the hassle of managing multiple credentials for different services. This not only saves time but also enhances convenience for users.

How does SSO Single Sign-On work? SSO Single Sign-On works by establishing a trust relationship between an identity provider (IdP) and the various service providers (SPs). When a user attempts to access a service, the IdP verifies the user’s identity and provides a token to the SP, which grants the user access without requiring additional authentication. This seamless process simplifies the login experience and eliminates the need for users to repeatedly enter their credentials.

Benefits of SSO Single Sign-On

Enhanced Security: One of the key advantages of SSO Single Sign-On is its ability to enhance security. By consolidating login credentials into a single set, users are less likely to resort to weak passwords or reuse passwords across multiple platforms. This reduces the risk of password-related security breaches. Additionally, SSO Single Sign-On allows for stronger authentication methods, such as two-factor authentication, further bolstering security without requiring multiple accounts.

Streamlined User Experience: With SSO Single Sign-On, users no longer have to remember and enter multiple sets of login credentials. This significantly reduces the login friction and streamlines the user experience. Users can seamlessly navigate between different applications and platforms without the need for repetitive logins. This convenience not only saves time but also improves productivity.

Centralized Access Management: SSO Single Sign-On provides organizations with centralized access management capabilities. Administrators can easily control user access to various applications and platforms from a centralized dashboard. This simplifies user provisioning and deprovisioning, ensuring that employees have timely access to the resources they need while maintaining security and compliance.

Cost and Time Savings: Implementing SSO Single Sign-On can lead to cost and time savings for organizations. By reducing the number of password-related support requests, IT teams can focus on more strategic initiatives. Additionally, the streamlined login experience reduces the time spent by employees on authentication, leading to increased productivity and efficiency.

Implementing SSO Single Sign-On

To implement SSO Single Sign-On, organizations need to follow a few key steps:

  1. Evaluate SSO Solutions: Begin by evaluating various SSO solutions available in the market. Consider factors such as compatibility with existing systems, scalability, security features, and ease of integration.
  2. Choose an Identity Provider: Select an identity provider that aligns with your organization’s requirements. The identity provider will be responsible for authenticating users and issuing tokens for accessing service providers. Office 365 and Google Workspace are usually the best, most prolific IdP sources to use. 
  3. Configure Service Providers: Configure the service providers that you want to integrate with SSO Single Sign-On. This involves establishing trust relationships between the identity provider and the service providers.
  4. User Provisioning and Deprovisioning: Implement a user provisioning and deprovisioning process to ensure that users have the necessary access to the applications and platforms they require. This process should be integrated with the SSO Single Sign-On solution to maintain centralized access management.
  5. Test and Monitor: Thoroughly test the SSO Single Sign-On implementation to ensure its functionality and security. Regularly monitor the system to identify and address any potential issues or vulnerabilities.

Best Practices for SSO Single Sign-On Implementation

When implementing SSO Single Sign-On, it is essential to follow best practices to maximize security and usability:

  • Strong Authentication: Implement strong authentication methods such as two-factor authentication or biometric authentication to enhance security.
  • Regular Auditing: Conduct regular audits of user access rights and permissions to ensure compliance and detect any unauthorized access.
  • User Education: Educate users about the benefits of SSO Single Sign-On and best practices for password management to promote secure behavior.
  • Continuous Monitoring: Implement a robust monitoring system to detect and respond to any suspicious activities or potential security threats.
  • Regular Updates: Keep the SSO Single Sign-On solution and all integrated applications up to date with the latest security patches and updates.

Remember, security should never be compromised, and SSO Single Sign-On provides a robust solution to protect user identities and streamline access to applications and platforms. Embrace the power of SSO Single Sign-On and enjoy the benefits of enhanced security and convenience.

Setup of Synology RADIUS server for EAP Authentication

Synology DSM interface showing RADIUS server configuration for EAP-PEAP authentication with certificate paths
Configure Synology RADIUS for secure EAP enterprise WiFi authentication

This is the eighth and final of a series that documents the Tier 3 / Co-Managed IT work we did to setup a wireless test bed for a Linux based scientific device. The testing environment included two different wireless network hardware types (Ubiquiti and Cisco). There was also a Synology device used for various purposes including hosting the Ubiquiti controller inside a Kubernetes container, providing certificate services, providing LDAP authentication, and providing RADIUS authentication. Each article has detailed a separate piece of the project. This article shows the setup of Synology RADIUS server for EAP authentication via EAP-PEAP, EAP-TLS, and EAP-TTLS.

Setup Synology Radius for EAP-PEAP

  1. Login to Synology IP via SSH
  2. Use admin login credentials
  3. Go to the Radius certificate directory
    cd /var/packages/RadiusServer/target/etc/raddb/certs/
  4. Radius must be configured on our certificates:
    sudo vi ../mods-enabled/eap
  5. Type i to start insert then paste the following:
    eap {
        default_eap_type = peap
        timer_expire     = 60
        ignore_unknown_eap_types = no
        cisco_accounting_username_bug = no
        max_sessions = ${max_requests}

        #md5 {
        #}

        #leap {
        #}

        #gtc {
        #   auth_type = PAP
        #}

        tls-config tls-common {
            #private_key_password = whatever
            private_key_file = ${certdir}/server.key
            certificate_file = ${certdir}/server.crt
            #$INCLUDE /usr/local/synoradius/rad_ca_cert
            dh_file = ${certdir}/dh
            random_file = ${certdir}/random
            ca_file = ${certdir}/ca.crt
            ca_path = ${certdir}
            #INCLUDE /var/packages/RadiusServer/target/etc/cipher_list
            verify {
            }
        }

        #tls {
        #   tls = tls-common
        #}

        #ttls {
        #   tls = tls-common
        #   default_eap_type = mschapv2
        #   copy_request_to_tunnel = no
        #   use_tunneled_reply = no
        #   virtual_server = "inner-tunnel"
        #}

        peap {
           tls = tls-common
           default_eap_type = mschapv2
           copy_request_to_tunnel = yes
           use_tunneled_reply = yes
           virtual_server = "inner-tunnel"
        }

        #mschapv2 {
        #}
    }
  1. Hit ESC to end insert then type :wq to exit
  2. The radius service must be restarted in the Synology Package Center (Stop / Run)

Setup Synology Radius for EAP-TLS

  1. Login to Synology IP via SSH
  2. Use admin login credentials
  3. Go to the Radius certificate directory
    cd /var/packages/RadiusServer/target/etc/raddb/certs/
  4. Radius must be configured on our certificates:
    sudo vi ../mods-enabled/eap
  5. Type i to start insert then paste the following:
       eap {
        default_eap_type = tls
        timer_expire     = 60
        ignore_unknown_eap_types = no
        cisco_accounting_username_bug = no
        max_sessions = ${max_requests}

        #md5 {
        #}

        #leap {
        #}

        #gtc {
        #   auth_type = PAP
        #}

        tls-config tls-common {
            #private_key_password = whatever
            private_key_file = ${certdir}/server.key.pem
            certificate_file = ${certdir}/server.crt.pem
            #$INCLUDE /usr/local/synoradius/rad_ca_cert
            dh_file = ${certdir}/dh
            random_file = ${certdir}/random
            ca_file = ${certdir}/ca.crt.pem
            ca_path = ${certdir}
            #INCLUDE /var/packages/RadiusServer/target/etc/cipher_list
            verify {
            }
        }

        tls {
            tls = tls-common
        }

        #ttls {
        #   tls = tls-common
        #   default_eap_type = mschapv2
        #   copy_request_to_tunnel = no
        #   use_tunneled_reply = no
        #   virtual_server = "inner-tunnel"
        #}

        #peap {
        #   tls = tls-common
        #   default_eap_type = mschapv2
        #   copy_request_to_tunnel = no
        #   use_tunneled_reply = no
        #   virtual_server = "inner-tunnel"
        #}

        #mschapv2 {
        #}
    }
  1. Hit ESC to end insert then type :wq to exit
  2. The radius service must be restarted in the Synology Package Center (Stop / Run)

Setup Synology Radius for EAP-TTLS

  1. Login to Synology IP via SSH
  2. Use admin login credentials
  3. Go to the Radius certificate directory
    cd /var/packages/RadiusServer/target/etc/raddb/certs/
  4. Radius must be configured on our certificates:
    sudo vi ../mods-enabled/eap
  5. Type i to start insert then paste the following:
     eap {
        default_eap_type = ttls
        timer_expire     = 60
        ignore_unknown_eap_types = no
        cisco_accounting_username_bug = no
        max_sessions = ${max_requests}

        #md5 {
        #}

        #leap {
        #}

        #gtc {
        #   auth_type = PAP
        #}

        tls-config tls-common {
            #private_key_password = whatever
            private_key_file = ${certdir}/server.key
            certificate_file = ${certdir}/server.crt
            #$INCLUDE /usr/local/synoradius/rad_ca_cert
            dh_file = ${certdir}/dh
            random_file = ${certdir}/random
            ca_file = ${certdir}/ca.crt
            ca_path = ${certdir}
            #INCLUDE /var/packages/RadiusServer/target/etc/cipher_list
            verify {
            }
        }

        #tls {
        #    tls = tls-common
        #}

        ttls {
           tls = tls-common
           default_eap_type = mschapv2
           copy_request_to_tunnel = no
           use_tunneled_reply = no
           virtual_server = "inner-tunnel"
        }

        #peap {
        #   tls = tls-common
        #   default_eap_type = mschapv2
        #   copy_request_to_tunnel = yes
        #   use_tunneled_reply = yes
        #   virtual_server = "inner-tunnel"
        #}

        #mschapv2 {
        #}
    }
  1. Hit ESC to end insert then type :wq to exit
  2. The radius service must be restarted in the Synology Package Center (Stop / Run)

If your company has highly customized setup requirements that you need consulting for, then contact us for assistance.

Setup Ubiquiti Wireless Network with PSK & RADIUS

This is the seventh in a series that document the Tier 3 / Co-Managed IT work we did to setup a wireless test bed for a Linux based scientific device. The testing environment included two different wireless network hardware types (Ubiquiti and Cisco). There was also a Synology device used for various purposes including hosting the Ubiquiti controller inside a Kubernetes container, providing certificate services, providing LDAP authentication, and providing RADIUS authentication. Each article will detail a separate piece of the project. This article shows the basic setup of Ubiquiti Controller for PSK and RADIUS authentication from wireless devices.

Setup Ubiquiti Wireless Network with PSK

  1. Login to Ubiquiti controller previously created – Here
  2. Click on Setting gear icon at bottom left
  3. Make sure you are on Wifi tab and click Create New link
    • Set network BSSID
    • Create Password
    • Click Add Wifi Network button
UniFi Network controller WiFi settings screen configuring WPA Enterprise RADIUS profile PPSK security VLAN assignment for hybrid authentication
UniFi SSID advanced security settings with RADIUS profile and PPSK configuration.

Setup Ubiquiti Wireless Network with RADIUS

  1. Login to Ubiquiti controller previously created – Here
  2. Click on Setting gear icon at bottom left
    • Click on Profiles
    • Click on Radius Tab
    • Click on Create New link
    • Give the Profile a name
    • Enter RADIUS server IP address as Authentication Server
    • Enter RADIUS shared secret
    • Click Add
    • Click Apply Changes
  3. Click on Wifi Tab
  4. Click on Create New link
  5. Set network BSSID
  6. Change Advanced to Manual
  7. Set Security Protocol – WPA2 Enterprise
  8. Select new RADIUS Profile
  9. Click Add Wifi Network

If your company has highly customized setup requirements that you need consulting for, then contact us for assistance.

Setup Cisco Wireless Network with PSK & RADIUS

Cisco Wireless Controller WLAN advanced settings screen configuring WPA2 PSK with RADIUS authentication MAC filtering and AAA servers
Cisco WLC WLAN configuration enabling PSK with RADIUS backend authentication.

This is the sixth in a series that document the Tier 3 / Co-Managed IT work we did to setup a wireless test bed for a Linux based scientific device. The testing environment included two different wireless network hardware types (Ubiquiti and Cisco). There was also a Synology device used for various purposes including hosting the Ubiquiti controller inside a Kubernetes container, providing certificate services, providing LDAP authentication, and providing RADIUS authentication. Each article will detail a separate piece of the project. This article shows the basic setup of Cisco Wireless Controller for PSK and RADIUS authentication from wireless devices.

Setup Cisco Wireless Network with PSK

  1. Login to Cisco Wireless Controller
  2. Click on WLANs tab at top
  3. Click on GO next to Create New drop down
  4. Create Profile Name & SSID
  5. Click Apply
  6. Click Enabled next to Status
  7. Click Apply
  8. Click on Security tab
  9. Uncheck 802.1x
  10. Check PSK
  11. Enter Pre-Shared Key next to PSK format
  12. Click Apply
  13. Click Save Configuration at the top

Setup Cisco Wireless Network with RADIUS

  1. Log into Cisco Wireless Controller
  2. Click on Security tab at top
  3. Click on Authentication under RADIUS on left hand side
  4. Change both Acct Call Station ID Type to IP Address
  5. Click Apply
  6. Click on New
  7. Add RADIUS server IP address
  8. Add Shared Secret
  9. Uncheck management
  10. Click Apply
  11. Click on WLANs tab at top
  12. Edit WLAN 1
  13. Click on Security tab
  14. Click on AAA Servers tab
  15. Change Server 1 to the one entered on RADIUS Authentication page
  16. Click Apply
  17. Click on Layer 2 tab
  18. Change Authentication type to 802.11x
  19. Click Apply
  20. Click Save Configuration at the top

If your company has highly customized setup requirements that you need consulting for, then contact us for assistance.

Setup Synology RADIUS Server & Certificates

This is the fifth in a series that documents the Tier 3 / Co-Managed IT work we did to setup a wireless test bed for a Linux based scientific device. The testing environment included two different wireless network hardware types (Ubiquiti and Cisco). There was also a Synology device used for various purposes including hosting the Ubiquiti controller inside a Kubernetes container, providing certificate services, providing LDAP authentication, and providing RADIUS authentication. Each article will detail a separate piece of the project. This article shows the setup Synology RADIUS server & certificates.

Setup RADIUS Server

  1. Login to Synology
  2. Open Package Center
  3. Install RADIUS Server app
  4. Open RADIUS Server package
    • Uncheck local users
    • Check LDAP users
    • Click Apply
    • Click on Clients on left hand side
    • Click on Add
      • Create Name
      • Create Shared Secret
      • Enter IP address of Cisco WLAN controller
    • Click on Add
      • Create Name
      • Create Shared Secret
      • Enter IP address of Ubiquiti Controller

Configure RADIUS Certificates

  1. Open Control Panel
  2. Click on External Access
  3. Click on DDNS tab
  4. Click Add
    • Choose Synology as service provider
    • Add hostname
    • Click Test Connection
    • Synology DSM Control Panel Security tab assigning SSL certificate to RADIUS Server enabling secure EAP authentication with LDAPS
    • Click OK
  5. Click on Security on left hand side
  6. Click on the Certificate tab
  7. Click on Add
    • Add new certificate
    • Synology Add Certificate
    • Click Next
    • Create description
    • Get a certificate from Let’s Encrypt
    • Synology Add Certificate Lets Encrypt
    • Click Next
    • Add needed certificate information
    • Synology Add Certificate Lets Encrypt Info
    • Click Done
  8. Click Settings button and choose appropriate RADIUS server certificate

If your company has highly customized setup requirements that you need consulting for, then contact us for assistance.

Archives

Categories

Plant a Seed @ 541-761-9549
233 Rogue River Hwy #873 Grants Pass, OR 97527
Mon-Fri: 9:00am-5:00pm
support@farmhousenetworking.com
© 2016-2026 - Farmhouse Networking. All rights reserved
Terms and Conditions Privacy Policy

Evaluation Signup

Error: Contact form not found.

And God will generously provide all you need. Then you will always have everything you need and plenty left over to share with others. As the Scriptures say,
“They share freely and give generously to the poor. Their good deeds will be remembered forever.”
For God is the one who provides seed for the farmer and then bread to eat. In the same way, he will provide and increase your resources and then produce a great harvest of generosity in you. - 2 Corinthians 9:8-10