The No-Hardware RADIUS Server

By Eric Griffith

October 08, 2003

Small and medium-sized businesses seeking advanced 802.1X authentication for their WLANs may not need to set up their own server, as a new hosted solution offers subscribers secured access.

Right now, standard WLAN security beyond Wi-Fi Protected Access (WPA) to keep out the riff-raff means going with 802.1X authentication. However, not every business wants to install, or is capable of installing, the Remote Authentication Dial-In User Service (RADIUS) server needed to keep track of users and their log-ins. It can start out costly and get more complicated from there.

Wireless Security Corporation (WSC) to the rescue. The company -- what we used to call an "application service provider," but which today is just providing a "hosted service" that you don't have to run on your own computers -- has launched a RADIUS/802.1X service for small to medium businesses (SMBs) called WSC Guard.

Using a subscriber-based business model -- averaging around $8 per user per month, though volume discounts can bring it down to $59 per user per year -- SMBs can sign up with WSC and create a master list of end-users allowed on their wireless network. The list is created entirely in a Web-based interface. After that, each end-user has to download a piece of client software (either directly from WSC or from the network administrator who created the list) that configures the user's computer and Wi-Fi access card to work specifically with WPA-based 802.1X authentication (using PEAP). The next time users want on the WLAN, they are first checked via their Internet connection against the list of users on the WSC Guard hosted RADIUS server.

"We have a RADIUS infrastructure that's fully fault tolerant; we have a patent for doing RADIUS over the Internet -- that's part of our secret sauce," says Stu Elefant, vice president of marketing at WSC.

The WSC Guard software also sets up the access point hardware in the SMB location to be ready to work with WPA/802.1X.

Of course, the major limitation to this service is hardware compatibility. WPA is hardly universal in Wi-Fi products; 802.1X support is arguably even less so, at least in consumer-grade products likely to be found in some SMB networks. However, WSC counters by saying that even non-WPA clients can use the service with a lower level of security; for example, they could still visit a Wi-Fi hotspot.

Setting up guest access with time limits and selective access to network resources is supposed to be quite easy (and the log-on for guests is free). Elefant says the Web-based management interface is simple enough that anyone from the network admin down to the receptionist could enter a new username and password for limited use. The information is stored at the WSC Authentication Center, which in turn tracks failed logins, potential attacks and rogues, and provides regular status reports.

Failure of the Internet connection on the network would mean no access to the hosted RADIUS server, and that should mean no access for anyone to the WLAN, but networks running a fallback PC -- one that uses special software from WSC to monitor the Internet connection -- can continue to get access. The connections simply drop down to standard Wired Equivalent Privacy (WEP) encryption in this case. The same log-in name can be used at other sites that utilize WSC Guard.

Right now, the company is offering a free trial of WSC Guard, and it offers a list of supported WPA and 802.1X products on its Web site. The software is limited to Windows 2000 and XP users.

WPA is a subset of what's expected in the 802.11i standard for security. According to Ulrich Wiedmann, vice president of Software Development at WSC, "the authentication is basically identical. We'll move the service forward as the standards move forward. We'll provide the ability for the customers to ignore the [WLAN security] market."

Potential exists down the road for the WSC Guard client to be offered to work with existing, installed RADIUS servers in enterprises, and for WSC to let third parties, such as hotspot networks or carriers, host their own RADIUS servers using WSC technologies. For now, they're concentrating on getting customers in the SMB space.

