IP Security For Broadcasters: Part 8 - RADIUS Network Access

Maintaining controlled access is critical for any secure network, especially when working with high-value media in broadcast environments.


All 12 articles in this series are available in our free 82 page eBook ‘IP Security For Broadcasters’ – download it HERE.

Articles in this series:


In small networks, consisting of just a few servers or desktops, management authentication systems are often a bit of an overkill. However, as the number of devices increases, a centralized approach to authentication is a necessity.

Broadcast facilities have two principal security challenges: they must protect high-value media assets and they often attract unwelcome attention from political dissidents looking for an outlet to disseminate their propaganda. The potential for either of these occurring increases massively when the broadcaster provides remote access for their users.

Accelerating Remote Operations

Lockdown has not only demonstrated the need for user remote access but has also accelerated its use. This has the potential to compromise the broadcast network if adequate security measures are not installed.

Remote Authentication Dial-In User Service (RADIUS) was first developed in the 1990s and is widely used in the IT industry. It has stood the test of time and provides potent additional security for networks and VPNs through the triple-A approach, that is Authentication, Authorization, and Accounting.

Before a user can access a broadcaster’s network, they first need to state who they are. RADIUS is a server-side software application that provides a centralized repository of usernames and passwords with which the user can be validated. Furthermore, RADIUS facilitates extra measures such as secret keys and two-factor-authentication to improve security.

Centralized User Validation

Keeping a centralized database of user credentials makes management of the whole network and its associated servers, desktop computers, printers, and other IT devices much easier to administer. It is possible to write scripts to automatically update devices with all the user credentials and broadcast them into the network for download by each device, but this methodology is fraught with potential security breaches, especially if a server is switched off at the time of the update. And that’s before we start thinking about protecting passwords through encryption. By providing a central resource for user validation, users can be added or removed from the system quickly, efficiently, and securely.

Associated with each user credential entry, RADIUS keeps a copy of user rights, that is a list of who has access to which resource. It might be that one group of operators only needs read access to a transcoding server to monitor its progress, but higher privileged users may need write access to change certain parameters within the transcoder configuration.

Security isn’t just about stopping theft of data but also maintaining its integrity. In a typical broadcast operation, the transcoder configuration will only need to be changed occasionally by users who are experienced in advanced video processing, so keeping a restricted access to the server will help improve data integrity and hence security.

Activity Logging

One of the most powerful aspects of RADIUS is its accounting facility as it’s able to log user access and activity. This is particularly useful when a broadcaster frequently stores high-value media that it intends to broadcast but doesn’t own. There are often rights holder contract clauses that specify forensic audit trails to be maintained by the broadcaster. They must know where the media is stored, who has (had) access to it and when. RADIUS has the potential to provide this level of forensic audit.

In modern scalable broadcast infrastructures, knowing who is using a resource and how often provides the ability to optimize system use. A myriad of monitoring and usage data is available with RADIUS so that deep network and resource analysis can be achieved, and greater optimization and efficiencies of the whole broadcast system gained.

Although RADIUS provides the authentication, authorization, and accounting, at some point, users must have physical access the network, and two methods are generally available: ethernet cable and WiFi.

Network Ringfence

To maintain the highest levels of security, users must be validated before gaining access to the network. To achieve this with ethernet connectivity, users will physically connect to a Network Access Control (NAC) point that ring fences the broadcaster’s network. This is analogous to somebody knocking on your front door and you looking through the viewing hole before you unlock the door and let them in.

The NAC liaises with the RADIUS server to authenticate the user’s credentials and if RADIUS can validate the user, then the NAC will allow access to the network. An airgap within the NAC separates the user’s device from the network, often using two physical network interface cards (NICs), one connected to the user network and the other to the broadcast network.

When RADIUS was first developed in the 1990s dial-up connections were the dominant method of remote connectivity, but as technology has developed, the ethernet access point has moved from a NAC server to specialized ethernet switches to provide the authentication negotiation and the physical airgap. This switch will also be connected to the internet access point so that when a user logs into the broadcaster’s network through the internet, the authentication switch communicates with the RADIUS server to provide the necessary authentication. 

Fig 1 – When the laptop moves from Access Point AP1 to AP2 the session authenticated in the ethernet switch with the RADIUS server is maintained so the user doesn’t have to log into the network again. Also, through the RADIUS configuration, the system administrator can allow the user to access just the internet if they are a guest, or have access to the broadcast network if they are an employee.

Fig 1 – When the laptop moves from Access Point AP1 to AP2 the session authenticated in the ethernet switch with the RADIUS server is maintained so the user doesn’t have to log into the network again. Also, through the RADIUS configuration, the system administrator can allow the user to access just the internet if they are a guest, or have access to the broadcast network if they are an employee.

Securing WiFi

A similar system exists for WiFi using the IEEE 802.1x protocol. This is a secure method of authentication using wireless access points (AP) connected to the authenticating switch. The APs are WiFi nodes that a user can access from their mobile device. When a user tries to log on to the network, the AP sends secure messages to the authentication switch using the Extensible Authentication Protocol (EAP), which in turn liaises with the RADIUS server to determine whether the user should be granted access.

EAP is particularly powerful as it provides a method of sending secure messages encapsulating the username and password credentials over a wired or wireless network. Using EAP to connect to the RADIUS server via the authentication switch provides a convenient method for roaming. If all the APs are connected to the same authentication switch, then a session can be created for the user once they’ve authenticated against the RADIUS server. As the user moves between APs, they are still authenticated so there is no need to keep logging in.

Using RADIUS in this manner allows system administrators to decide who has access to the network and how. For example, a guest visiting the broadcast facility may only need internet access. Using the authentication system, the administrator can configure a special guest user account to only have access to the internet. This saves the need to keep reissuing user credentials for every guest that enters the building. And using the accounting facility, system administrators can monitor access. So if somebody is maliciously using the internet from an adjacent building, then the excessive usage will be detected, and the device can be blocked by disabling the access of its unique MAC address.

RADIUS has the potential to provide multiple types of user access to a broadcaster’s network including WiFi and ethernet. And combined with APs using IEEE 802.1x the user experience can be greatly improved through roaming while maintaining flexible security and system monitoring.

Part of a series supported by

You might also like...

HDR & WCG For Broadcast: Part 3 - Achieving Simultaneous HDR-SDR Workflows

Welcome to Part 3 of ‘HDR & WCG For Broadcast’ - a major 10 article exploration of the science and practical applications of all aspects of High Dynamic Range and Wide Color Gamut for broadcast production. Part 3 discusses the creative challenges of HDR…

IP Security For Broadcasters: Part 4 - MACsec Explained

IPsec and VPN provide much improved security over untrusted networks such as the internet. However, security may need to improve within a local area network, and to achieve this we have MACsec in our arsenal of security solutions.

Standards: Part 23 - Media Types Vs MIME Types

Media Types describe the container and content format when delivering media over a network. Historically they were described as MIME Types.

Building Software Defined Infrastructure: Part 1 - System Topologies

Welcome to Part 1 of Building Software Defined Infrastructure - a new multi-part content collection from Tony Orme. This series is for broadcast engineering & IT teams seeking to deepen their technical understanding of the microservices based IT technologies that are…

IP Security For Broadcasters: Part 3 - IPsec Explained

One of the great advantages of the internet is that it relies on open standards that promote routing of IP packets between multiple networks. But this provides many challenges when considering security. The good news is that we have solutions…