In part one of this two-part tip on wireless authentication, we discussed some of the risks associated with pre-shared keys and alternatives to that authentication method such as 802.1X port access
Enterprise-grade RADIUS servers can be prohibitively expensive for the midmarket. But smaller organizations looking for commercial software can still purchase RADIUS for less than $1,000 -- for example, the wizard-driven Elektron RADIUS server for Windows XP and Mac OS ($750).
Alternatively, consider turning a Microsoft Windows Server into a RADIUS server for your WLAN. For example, a PC running Windows Server 2003 can be configured to run Microsoft's Internet Authentication Server (IAS). Instructions for setting up IAS and using it to support 802.1X can be found on Microsoft's TechNet site here. For Windows Server 2008, Microsoft replaced IAS with its new Network Policy Server (NPS). These Microsoft solutions can be attractive to Windows administrators who are already comfortable and experienced with running Microsoft servers.
Administrators who prefer working with UNIX have several open source alternatives. The most well-known is FreeRADIUS, a popular server for use on many 32- and 64-bit platforms, including Cygwin, FreeBSD, RedHat, SUSE, Ubuntu, and Mac OS X. Instructions on how to build FreeRADIUS from open source are available online here; binaries are also available for some platforms. Once your FreeRADIUS server has been installed, tips on using it for wireless authentication can be found in this FreeRADIUS WPA Wiki.
But installing a RADIUS server is just the first step. You will need to configure that server with a certificate, a list of RADIUS clients (APs), and user access policies. You may store user accounts on the RADIUS server, but most businesses prefer to interface their servers with existing user databases like Active Directory. Doing so lets you reuse Windows domain account logins and passwords for wireless access, reducing total cost of operation. However, initial user database integration can be tricky and time-consuming.
Finally, it's crucial to consider server availability. Deploying 802.1X with one central RADIUS server creates a single point of failure. Businesses that find that unacceptable must deploy at least two servers and decide how to implement failover. For example, if APs are configured to send wireless access requests to a single server IP, the backup server will need the ability to assume the primary server's address. Remote office WLANs may also require their own RADIUS server to survive WAN link outages.
Let Someone Else Do RADIUS for You
If establishing production-grade RADIUS infrastructure sounds like too much work, another option is to outsource wireless authentication.
There are many "Managed Authentication" services aimed at large businesses with relatively sophisticated needs. For example, Managed Remote Access VPN services can often be paired with services that help businesses issue user certificates, smart cards, or hardware tokens. However, such services are not typically designed to enable WLAN authentication -- they are more about providing support for identity lifecycle management.
Midmarket companies that simply want 802.1X PEAP / MS-CHAPv2 authentication can turn to a commercial service like BoxedWireless authentication and Witopia SecureMyWiFi, or even the free WiFiRadis service. Such "Managed 802.1X" services provide a Web interface to enroll RADIUS clients (APs) and create user accounts (IDs and passwords). APs are then configured to relay WLAN access requests across the Internet to the provider's RADIUS server(s). The provider assumes responsibility for RADIUS installation, maintenance, and availability. In return, you pay a recurring fee -- SecureMyWiFi starts at $99 per year, depending on the number of APs, while BoxedWireless starts at $186 per year, depending on the number of users.
You will be limited in the type of user credentials and how they are issued, and you will of course need to trust the service provider. Robust, secure Internet connectivity for all APs will clearly be essential, to ensure they can always reach the provider's RADIUS server. As your WLAN size and experience with 802.1X grows, you may end up bringing RADIUS back in-house. But outsourcing RADIUS authentication can be a quick and easy way to get started with 802.1X on a modest scale.
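Whether the RADIUS server is in-house (with the AP list and shared secrets described above) or a provider's server reached across the Internet, the only thing that lets an AP distinguish a genuine Access-Accept from a forged one is the Response Authenticator keyed with that AP's shared secret. This added example, not code from the article or from any product it names, implements the RFC 2865 computation and an AP-side verifier in Python; the packets, usernames and secrets are constructed for illustration.

```python
import hashlib
import hmac
import os
import struct

# RADIUS packet codes and the one attribute type used here (RFC 2865)
ACCESS_REQUEST = 1
ACCESS_ACCEPT = 2
ATTR_USER_NAME = 1


def encode_attribute(attr_type, value):
    """Encode one RADIUS attribute as Type, Length (including 2-byte header), Value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def build_packet(code, identifier, authenticator, attributes):
    """Assemble a RADIUS packet: 4-byte header, 16-byte authenticator, then attributes."""
    return struct.pack("!BBH", code, identifier, 20 + len(attributes)) + authenticator + attributes


def response_authenticator(code, identifier, request_auth, attributes, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
    The shared secret never crosses the wire; a server that does not hold it
    cannot produce a reply the AP will accept."""
    length = 20 + len(attributes)
    data = struct.pack("!BBH", code, identifier, length) + request_auth + attributes + secret
    return hashlib.md5(data).digest()


def verify_response(response, request_auth, secret):
    """AP-side check of a server reply against the Request Authenticator the AP sent."""
    if len(response) < 20:
        return False
    code, identifier, length = struct.unpack("!BBH", response[:4])
    if length != len(response):  # truncated or padded packet: reject before hashing
        return False
    expected = response_authenticator(code, identifier, request_auth, response[20:], secret)
    return hmac.compare_digest(expected, response[4:20])


def exchange(ap_secret, server_secret, username=b"alice"):
    """Simulate one Access-Request / Access-Accept round trip (constructed, in-memory)
    and return whether the AP accepts the server's reply."""
    request_auth = os.urandom(16)  # fresh random Request Authenticator for every request
    request = build_packet(ACCESS_REQUEST, 7, request_auth, encode_attribute(ATTR_USER_NAME, username))
    identifier = request[1]  # server echoes the identifier it received
    attrs = encode_attribute(ATTR_USER_NAME, username)
    auth = response_authenticator(ACCESS_ACCEPT, identifier, request_auth, attrs, server_secret)
    accept = build_packet(ACCESS_ACCEPT, identifier, auth, attrs)
    return verify_response(accept, request_auth, ap_secret)
```

A reply built with a different secret, or with any attribute byte changed after the authenticator was computed, fails verification, which is why the per-AP secret entered on the server (or in the provider's Web interface) should be long and random.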
One final option to consider is using AP or controller-based RADIUS authentication servers. For example, the Motorola Symbol AP-5131 and Aerohive 300 series HiveAP have on-board RADIUS servers that can be used to configure user accounts directly into the AP itself. This makes it possible to use 802.1X port access control without requiring the AP to consult a central RADIUS server.
This approach has clear limitations. For example, if you fail to configure the same user accounts and passwords into every AP, users may successfully log on in one location but fail in another, and password updates become challenging. However, this may be a worthwhile trade-off between 802.1X benefits and complexity in small office and remote WLANs -- especially those covered by a single AP or controller.
Lisa Phifer is vice president of Core Competence Inc. She has been involved in the design, implementation and evaluation of networking, security and management products for more than 25 years, and has advised companies large and small regarding security needs, product assessment, and the use of emerging technologies and best practices.
This was first published in March 2009