
Simplify Wi-Fi / BYOD Access Security and Cut Costs

Cloudessa RADIUS is a cloud service that runs on Amazon Web Services and lets you securely authenticate and control network access for all your users and devices, without the cost and complexity of an on-premises RADIUS deployment. (Rather run RADIUS on a virtual machine? Check out the Cloudessa RADIUS Virtual Appliance.)

Cloudessa RADIUS provides the following functionality:

Control and Manage all Network Access in the Cloud

- Centrally manage all WiFi, BYOD, and remote VPN access to your network, simplifying management and security, while maintaining full control of your critical data
- Save time and money by leveraging Cloudessa RADIUS's shared multi-tenant infrastructure - focus on your business without the cost and complexity of owning and maintaining a RADIUS infrastructure
- No hardware or software to install
- Based on FreeRADIUS, a market-tested RADIUS server deployed on thousands of networks around the globe

Securely Authenticate All WiFi Users Against Your Existing Credential Stores

Cloudessa RADIUS:

- Works with native, enterprise, and cloud-based user stores, for seamless integration into your existing network infrastructure. With Cloudessa RADIUS, you can authenticate WiFi, BYOD, and remote VPN users against a native user data store, existing enterprise user stores such as Active Directory, LDAP, or SQL databases such as Oracle and MySQL, and against new cloud user stores such as Google Apps.
- Supports industry-standard 802.1X authentication protocols, for the strongest credential security. Use EAP protocols such as TTLS, PEAP, LEAP, and MS-CHAPv2 for user logins, or use non-EAP protocols such as PAP for device authentication.
- Ensures data security via WPA2-Enterprise and US-government-compliant cryptography. Cloudessa RADIUS ensures data security over the WLAN through the use of the WPA2-Enterprise encryption protocol. And, Cloudessa RADIUS performs all cryptographic operations using a FIPS-validated cryptographic module, utilizing FIPS 140-2 Approved cryptographic algorithms and key management.
Enable Two-Factor Authentication For Even More Protection

Cloudessa RADIUS supports the use of the Google Authenticator app for iPhone, Blackberry, Android, and Windows for Two-Factor and Time Based One Time Password (TOTP) authentication, allowing these devices to connect securely to the network. Cloudessa RADIUS two-factor authentication works instantly with all password-based authentication protocols and requires no change to existing Network Access Servers or RADIUS clients.

Centrally Manage All Access Security, Even On Multi-Vendor Networks

With Cloudessa RADIUS, you can effortlessly integrate RADIUS-enabled products from multiple vendors. Cloudessa RADIUS works with any RADIUS-compatible network access gateway, including Wi-Fi Access Points (APs), VPNs, Firewalls, or Remote Access Servers from Cisco, Meraki, Aruba, Ruckus, Juniper, and other leading vendors. And, Cloudessa RADIUS supports each vendor's custom RADIUS attributes, to ensure access to the full range of features your gateways offer.

License Only the Services and Capabilities You Require; Scale Easily As Your Needs Change

Powered by the Amazon EC2 computing platform, Cloudessa provides highly available and redundant authentication power on demand. Cloudessa RADIUS easily scales from servicing the needs of a small business or branch office, up to the high-performance needs of the most demanding enterprise, hotspot or service provider network.

Cloudessa RADIUS virtualizes the notion of a RADIUS server. Authentication requests are load-balanced across a cluster of RADIUS servers, and you'll be able to create a virtual RADIUS server in a single click to quickly respond to the needs of your organization. Use virtual RADIUS server instances to improve logical separation of services and security in your enterprise.

Our transparent SaaS licensing model allows you to subscribe or license only the services and capabilities you actually require. (Click here for pricing/licensing information.)

Easily Configure and Administer Via Web Interface

- Use the simple, modern HTML5 browser interface to configure and monitor Cloudessa RADIUS. Our wizards will guide you through the configuration of users, groups, NAS clients, and virtual RADIUS servers to quickly make your service operational.
- Configure the levels of service appropriate for your network. Configure secure 802.1X-based employee access; and, easily manage network access rights for your visitors, contractors and customers.
- Track and understand network activity with system logging and reporting. Cloudessa RADIUS provides administrative-level reports documenting all network activity, and makes it easy to export usage data as CSV log files that are compatible with external reporting and billing applications. Logs of all administrative access and action are also created.
- Standards-based, for ensured security and compatibility. Cloudessa RADIUS is compliant with IETF RADIUS RFCs.
- Conserve resources with IP address management capabilities. Cloudessa RADIUS supports static IP address assignment and the ability to create and dynamically assign IP addresses from a pool.

Support

To ensure the successful deployment of Cloudessa RADIUS, we make available on-line, email, and phone support resources and options. Our Technical Staff and our Partners are available to assist you as you configure and deploy Cloudessa RADIUS.

Centralized WiFi and BYOD Access Security at a Low Cost


Driven by mobile and BYOD, the scale, complexity, and importance of enterprise WiFi networks are increasing dramatically. A well-architected, multifaceted access security infrastructure is an essential element of every enterprise WiFi deployment. This infrastructure typically must support the following functions:

- Authentication, to ensure that only authorized users gain access to the network
- User and device authorization, to configure the appropriate level of access and security for network clients
- Security, to prevent attacks on user credentials and data

In addition, these new WiFi requirements should ideally integrate into the network's existing access management systems and architecture, to ensure administrative simplicity.

Authentication Requirements
Enterprise scale WiFi deployments demand an authentication infrastructure capable of handling requests from a large number of users, accessing the network from geographically distributed locations, with different credentials, access rights, and security requirements, and via access gateways from a variety of vendors.

User and Device Authorization Requirements


In addition to a robust authentication infrastructure, enterprise WiFi networks typically must support different access levels, according to who (or what) is connecting. Employees, guests, and even IP-enabled devices must be able to gain access to the network, but each necessarily has different security requirements and access rights.

Security Requirements
Best practices for WiFi access to enterprise LAN applications mandate the use of WPA2 Enterprise and 802.1X-based security; in addition, WPA2 and 802.1X are considered essential for securing WiFi access in healthcare (HIPAA), financial services (SOX), and other regulated environments. Captive Portal with Sign-on Splash is often used to enable guest and customer access to networks.

Cloudessa RADIUS
With its ability to centrally manage user authentication, authorization, and accounting, a RADIUS server is an integral component of an enterprise WiFi network. Cloudessa RADIUS is uniquely capable of handling the security and manageability requirements on these networks, for the following reasons:

- It supports industry-standard WiFi security, as well as lower-security guest access - Cloudessa RADIUS provides full support for the 802.1X security protocols that ensure authentication and session security, as well as captive portal solutions that permit customers or guests to access a restricted area of the network with less stringent security requirements.
- It's simple to administer - Cloudessa RADIUS is a multi-vendor RADIUS solution that supports your existing network access gateways. In addition, it authenticates WiFi users against the user data stores already in place on your network, including Active Directory, LDAP, SQL or Google user stores - with no manual re-entry of data required.
- It's available as a public cloud service, or for installation on a virtual machine - Use or deploy Cloudessa RADIUS in the way that makes sense on your network:
  - Use the hosted Cloudessa RADIUS service in the public cloud, where you can take advantage of a shared multi-tenant infrastructure. You enjoy the cost savings and management simplicity of RADIUS-as-a-Service, while critical user data stays under your control.
  - Deploy Cloudessa RADIUS as a Virtual Appliance running on a distributed basis in a Private Cloud, Enterprise Data Center, or individual or regional locations. For enterprises who wish to keep RADIUS completely on-site and control service availability, this provides a cost-effective, WiFi-appropriate alternative to legacy RADIUS servers.
- It's built on the market-proven FreeRADIUS code base - Cloudessa RADIUS is a time-tested RADIUS solution, based on code that is already deployed on thousands of servers around the world.
- It's not just for WiFi - Cloudessa RADIUS is capable of authenticating access requests not only from WiFi access points and gateways, but also VPNs, firewalls, and other access gateways. Use it to manage and secure all access to your network.

The following diagrams illustrate how Cloudessa RADIUS integrates into a typical WiFi network infrastructure.

REFERENCE ARCHITECTURE: Enterprise WiFi with WPA2 / 802.1X Security

This diagram illustrates how a multi-location enterprise can leverage the Cloudessa RADIUS service in the public cloud to authenticate and authorize WiFi users and devices via WPA2-Enterprise and 802.1X.

1. WiFi users connect to their local WiFi network via an 802.1X client; credential security during the exchange is protected by the use of EAP-TTLS or EAP-PEAP.
2. The WiFi access point (or other network gateway) communicates with Cloudessa RADIUS in the public cloud to determine whether the user is authorized to connect and, if so, how to configure the connection.
3. Cloudessa RADIUS authenticates the WiFi user against the enterprise's existing user name and password database - for example, Active Directory, LDAP, or SQL - located in the enterprise data center; authentication against the Google Apps cloud-based user store, [and a native database] is also supported.
4. If Cloudessa RADIUS determines the user is authorized to connect, it configures the appropriate level of access for the user.
5. Once authenticated onto the network with appropriate access level, WiFi users' data security is protected by WPA2-Enterprise.

REFERENCE ARCHITECTURE: Multi-homed Enterprise WiFi, secured via Cloudessa RADIUS Service

This diagram illustrates how an Enterprise can use Cloudessa RADIUS to enforce the configured security protocol according to which SSID a user or device associates with. Each WiFi access point is configured with multiple SSIDs, with each SSID having its own set of authorized users and devices, and mandated level of access security. This allows enterprises to segregate employee, operational, and customer / guest access.

1. Users (typically employees) who connect using the strong security of 802.1X plus EAP-TTLS or EAP-PEAP are authenticated against the enterprise user data store, and are able to access the full range of network services and applications. (See above diagram for specifics.)
2. Customers or guests would typically connect via a captive portal solution.
   a. The captive portal solution communicates with Cloudessa RADIUS to determine if the user is authorized to connect.
   b. Once authenticated, the captive portal web server grants access to a limited number of services and applications available to guest network users.
3. IP-enabled devices would typically connect via PAP, and be authenticated against an LDAP or SQL database.
