A network access server (NAS) allows and manages network access to remote resources. Also known as a media access gateway or remote access server, a NAS centrally manages connected users, and gives them access to a broader external network of resources, like the internet.
Network access servers perform a number of functions, from connecting users directly to the internet to providing internet-supported services for direct communication.
One of the major functions of a NAS is to serve as the gateway to protected remote resources. As such, most are servers that enable ISPs to give their customers access to the internet.
ISPs that supply internet access via modem-like devices such as cable or DSL use NAS devices that accept Point-to-Point Protocol, Point-to-Point Tunneling Protocol, or Point-to-Point Protocol over Ethernet connections for authentication purposes, while leveraging Remote Authentication Dial-In User Service (RADIUS)—the most widely used authentication, authorization, and accounting server—in the back end.
To connect users to the internet, a NAS interfaces with both local telecommunication service providers and the internet backbone and helps authenticate users. It receives dial-up calls from users’ host devices, goes through the necessary protocols, and authenticates and authorizes users—usually by verifying their username, password, or other required login factor. Once a user’s credentials have been validated, it allows the flow of requests from the host device to other addresses on the internet.
On top of its role as a remote access gateway, a NAS can be configured to provide a host of other services like VoIP and web conferencing. In the case of VoIP, the NAS will use credentials such as IP addresses or phone numbers to authenticate users rather than individual usernames and passwords. If the phone number belongs to a valid, active customer—and has specific properties such as minutes left or long distance access—the NAS will allow the call to be completed.
A NAS can also support network management and optimization processes such as load balancing, network resource management, and user session management.
In enterprise environments, a wireless access point or network switch can act as a NAS device to ensure that the corporate network is only accessed by authorized users. On the other hand, carriers may use digital subscriber line access multiplexers (DSLAM) or asymmetric digital subscriber line (ADSL) terminators as NAS devices for authenticating users and generating usage information for billing purposes.
Virtual private network (VPN) connections give remote users access to a private network. In enterprise settings, VPNs allow employees to securely connect to the business’ network and access the resources they need, regardless of their location. This is particularly useful for companies that have flexible workplace policies or a mobile workforce.
A VPN typically consists of two components: a NAS, combined with client software. Within that structure, the NAS authenticates employees as they connect to the VPN via the internet.
How Okta RADIUS Server Agent can help
The rapidly evolving security landscape has rendered servers and networks particularly vulnerable to hackers. Due to their sensitive nature and their high level of privileges, server credentials are frequent targets of exploits. This is where RADIUS can help by providing authentication and authorization functionality.
To ensure network security, enterprises can leverage the Okta RADIUS Server Agent to support authentication for VPN devices, virtual desktops, and reverse proxies that don’t support Security Assertion Markup Language (SAML). The Okta RADIUS Server Agent installs as a Windows service and uses Multi-Factor Authentication (MFA) to delegate authentication to Okta. It defaults to port 1812 and currently supports UDP and the Password Authentication Protocol (PAP). In this way, organizations can rest assured that their VPN connections are secure and their data remains protected.
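The Access-Request that a NAS sends to a RADIUS server when using PAP over UDP port 1812, as described above, shown as an added example (it is not Okta's code and not part of the original page). The password hiding follows RFC 2865 section 5.2; the shared secret, user name, password and NAS address are constructed sample values.

```python
import hashlib, os, socket, struct
# Constructed sample values (assumptions, not from the page or any real deployment).
SECRET, USER, PASSWORD = b"example-shared-secret", b"alice", b"correct horse battery"
NAS_IP = socket.inet_aton("192.0.2.10")  # documentation address range

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """NAS side (RFC 2865 5.2): null-pad to 16-byte blocks, XOR with an MD5 chain."""
    if not 1 <= len(password) <= 128:
        raise ValueError("PAP password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += prev
    return out

def recover_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RADIUS server side: undo the chain with the same shared secret."""
    if not hidden or len(hidden) % 16 or len(hidden) > 128:
        raise ValueError("malformed User-Password attribute")
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += _xor(hidden[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def build_access_request(ident: int, authenticator: bytes) -> bytes:
    """Access-Request (code 1) as a NAS would send it over UDP to port 1812."""
    def attr(t: int, v: bytes) -> bytes:
        return struct.pack("!BB", t, len(v) + 2) + v
    attrs = (attr(1, USER)                                              # User-Name
             + attr(2, hide_password(PASSWORD, SECRET, authenticator))  # User-Password
             + attr(4, NAS_IP))                                         # NAS-IP-Address
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + authenticator + attrs

def parse_attributes(packet: bytes) -> dict:
    """Walk the type-length-value attributes that follow the 20-byte header."""
    length = struct.unpack("!H", packet[2:4])[0]
    if length != len(packet):
        raise ValueError("length field does not match datagram size")
    pos, found = 20, {}
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("bad attribute length")
        found[packet[pos]] = packet[pos + 2:pos + packet[pos + 1]]
        pos += packet[pos + 1]
    return found
```

Over plain UDP, the password is protected solely by the MD5 chain keyed with the shared secret, so that secret should be long, random and unique per NAS. The Request Authenticator passed to `build_access_request` must be a fresh random 16-byte value for every request, for example `os.urandom(16)`.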