Using RADIUS For WLAN Authentication, Part II
December 10, 2003
There are a lot of RADIUS options, from doing it yourself, to skipping it, to outsourcing. We investigate them all and focus on what it takes to outsource with a service like WSC Guard.
In part one of this tutorial, we saw how RADIUS
Options and Costs
Businesses that want to improve WLAN security but don't have an 802.1X-capable RADIUS Server have many deployment options.
Deploy WPA with Preshared Keys: Upgrading your WLAN from Wired Equivalent Privacy (WEP)
Use Microsoft's RADIUS Server: If you have a Microsoft Windows 2000/2003 Server with spare capacity, consider using Microsoft's Internet Authentication Service (IAS). There are many books and guides on how to set up IAS; for example, see Foundry Networks' 802.1X Port Authentication with Microsoft's Active Directory paper. IAS requires a Windows-savvy IT staff and works best if all your users run Windows. It may also take advantage of Microsoft's Wireless Provisioning Service, to be released 1Q04.
Install an Open Source RADIUS Server: If you're not a Windows shop and have a penchant for breaking your knuckles on open source code, you may want to check out FreeRADIUS. This 802.1X-capable open source Server is still beta code, so caveat emptor. To go this route, you'll need spare time, UN*X know-how, and a box running Linux, FreeBSD or OpenBSD, OSF/Unix, or Solaris to host your Server.
Buy A Commercial RADIUS Server: In the long run, fully-supported commercial products can save you time, and time means money. 802.1X-capable RADIUS Server products are available from a variety of sources, including:
- Aradial WiFi
- Bridgewater Wi-Fi AAA
- Cisco Secure Access Control Server
- Funk Odyssey
- IEA RadiusNT
- Infoblox RADIUS One Appliance
- Interlink Secure.XS
- LeapPoint AiroPoint Appliance
- Meetinghouse AEGIS
- OSC Radiator
- Vircom VOP Radius
Commercial RADIUS Servers vary in price and capacity. For example, Interlink's Secure.XS starts at $2375 for 250 users. $2500 will also buy you one Funk Odyssey Server, including 25 Odyssey Client software licenses. VOP Radius Small Business starts at $995 for 100 users. A single-server Radiator license will run you $720.
RADIUS servers are also available in hardware/software combo packages. For example, Funk's Steel-Belted Radius is available on a Network Engines appliance for $7500. LeapPoint's AiroPoint 3600-SE appliance starts at $2,499 for 50 clients. All of these prices are examples, subject to change, so refer to vendor Web sites and call their sales people for official pricing.
Pay Someone Else To Do It For You: Some small businesses don't have staff to install in-house servers, much less maintain them. If that sounds like your company, then consider an outsourced solution. For example, the Wireless Security Corporation offers WSC Guard, a managed 802.1X service which starts at $89 per year per user, dropping to $59 at 1000 users.
The rationale behind any managed service is eliminating capital investment, simplifying administration, and cutting total cost by leveraging the provider's infrastructure and expertise. Large organizations have security staff and IT infrastructure and can benefit from customizing their RADIUS Servers -- for example, by integrating with back-end databases. But smaller businesses may benefit from hiring someone else to cover all of that. A C2 Company study, commissioned by WSC, estimated that a 10-user company can save $15K over three years by using WSC Guard vs. Microsoft IAS. This gap narrows as the user base grows; in this example, total cost converged at 250 users.