March 24, 2010
If you're looking for solid, no-frills RADIUS with a reasonable cost, AuthenticateMyWiFi is worthy of serious consideration
Price: From $13 to $36 per month ($130 to $360 per year), depending on number of users and access points needed.
Pros: Simple set up and maintenance; platform-independent; supports multiple locations; inexpensive
Cons: Crude user interface; lacks advanced features found in many conventional RADIUS products.
When you need to secure a business Wi-Fi network, using the popular Pre-Shared Key (PSK) flavor of WPA or WPA2 (a.k.a. WPA/WPA2 Personal) is good, but it's not really good enough if you want the most secure wireless network possible. For that, you need WPA/WPA2 Enterprise, which performs authentication against a RADIUS server, but adding a RADIUS server to a network typically involves a level of cost and/or complexity that many companiesparticularly small onesare unable or unwilling to bear.
AuthenticateMyWiFi's offers such firms a hosted RADIUS authentication service promising straightforward setup and administration as well as a modest price tag, and although the features list is basic and the administration UI is a bit too Spartan, AuthenticateMyWiFi does deliver on its promises. (Editor's Note: AuthenticateMyWiFi is operated by periodic Wi-Fi Planet contributor Eric Geier.)
When compared to a traditional server-based RADIUS product, the hosted nature of AuthenticateMyWiFi imparts a few important benefits right off the bat. For starters, there's platform independence, and thus no need to be concerned about compatibility with Windows, Mac, or Linux. Also, since it's Web-based, AuthenticateMyWiFi can be administered—both locally and remotely—from any Internet-connected browser. Finally, the service can support access points in several locations, eliminating the need to have RADIUS servers in multiple offices or to configure a single server to traverse NAT and firewalls in order to communicate with remote offices.
Server, AP and User Account Setup
The first step to getting AuthenticateMyWiFi up and running involves setting up access points and user accounts through the Web-based administrative control panel. Depending on the level of service you choose, AuthenticateMyWiFi will accommodate up to 100 access points and an equal number of user accounts, but you must create each AP entry and user account manuallyat the moment, there's no provision to pull in users from a back-end database or to import user/AP lists from a text or CSV file. (The vendor reports that both features are planned, with the latter scheduled to appear first.) Luckily, AuthenticateMyWiFi's administration control panel is exceedingly simple, and not a lot of information is needed—MAC address and shared secret for APs, name and password for user accounts—so the setup process is quick and easy provided you're only dealing with a handful of APs or users.The next step, which is equally swift and straightforward, is to configure access points to use WPA/WPA2 Enterprise, which involves pointing them to AuthenticateMyWiFi's IP address, specifying UDP ports for RADIUS authentication and accounting (the service uses the default of UDP 1812 and 1813) and entering the aforementioned shared secret.
One caveat: While attempting to configure a Netgear WNDR3700 to use RADIUS, we discovered that the router would reject as invalid any RADIUS server IP address that was outside the local subnet, in spite of the fact that the documentation explicitly stated the RADIUS server could be on the LAN or WAN side. We don't know how prevalent this issue is with other makes and/or models of Wi-Fi hardware, and although it's not something you're likely to encounter when dealing with enterprise-level equipment, small businesses using SoHo or consumer-level devices might want to check them in advance to make sure they don't preclude you from using an outside RADIUS server.
The final step is to configure all the clients (they can be wireless or wired) to connect to Wi-Fi via 802.1x authentication. This is potentially the most involved and time-consuming part of the process (especially if you have lots of clients), but fortunately, AuthenticateMyWiFi's 14-page PDF manual provides detailed instructionscomplete with illustrative screen shots—on how make the proper configuration changes to Windows (XP/Vista/7) and Mac OS X systems. (The vendor says it's also working on a utility that will automate the client configuration process for Windows systems.)
Incidentally, AuthenticateMyWiFi only supports one of the half-dozen or so EAP types officially certified by the Wi-Fi Alliance, but it is arguably the most popular one, PEAPv0/EAP-MSCHAP v2, which provides authentication via username and password.
Access Restrictions and Logging
If you want to have AuthenticateMyWiFi restrict access to your network under certain conditions, you have several options to choose from. You can limit a user's access to particular access points or from specific computers, restrict network access to scheduled times and days of the week, and set user accounts to expire on a given day and time. (One missing option that we'd like to see is the ability to lock out a user after a certain number of bad passwords.)
The bare-bones nature of AuthenticateMyWiFi's user interface goes from help to hindrance when trying to configure the aforementioned access restrictions, though. Case in point: when creating a device or access point restriction for a user, you must type in the appropriate MAC address rather than being able to pick one from a list. Similarly, when setting up login time restrictions there are no pick lists or drop down menus for entering the parameters. Instead, you must specify time restrictions in a single field via alphanumeric shorthand—e.g. Wk0800-2000, Sa 0900-1200 to allow access only from 8 a.m. to 8 p.m. weekdays and from 9 a.m. to noon on Saturdays—and be careful to enter the information correctly as there's no warning if you enter invalid parameters or commit a typo (in fact, the field will accept gibberish without protest). Plus, you can't specify a time zone, so all times must be expressed in terms of Eastern time.
AuthenticateMyWiFi's activity log records basic session info like a user's client MAC, the MAC and SSID of the connected access point, as well as the time a user logs in and out of the network. The logs can only be viewed live from the control panel, not outputted to a file for offline scrutiny. Also there's no support for alerting upon events like failed logins, etc.
AuthenticateMyWiFi offers a four-tier pricing scheme that compares very favorably to the $600-$800 starting price tag typical of most conventional RADIUS product. The base service level accommodates up to 10 users and up to 5 access points at a cost of $13 per month or a discounted price of $130 if paid a year up front. On the high end, $36 per month or $360 yearly scales the service up to support from 61 to 100 users and 31 to 100 access points, and also adds the ability to automatically assign users to VLANs, a feature which the lowest tier lacks. All plans include tech support via e-mail. (There's also a free version of the service, but its practical usefulness is quite limited since it's restricted to a single access point and a lone user.)
The Bottom Line
AuthenticateMyWiFi doesn't offer the same level of power and flexibility found in many third-party RADIUS servers products or in free or effectively free products like the open-source, Linux-based, FreeRADIUS or IAS/NPS (Internet Authentication Service/Network Policy Server) in Windows Server 2003 and 2008, respectively. But it also doesn't offer page after page of labyrinthine configuration options or a high price tag, so if you're looking for solid, no-frills RADIUS with a reasonable cost, AuthenticateMyWiFi is worthy of serious consideration.