Using RADIUS For WLAN Authentication, Part II

By Lisa Phifer

December 10, 2003

There's a lot of RADIUS options, from doing it yourself, to skipping it, to outsourcing. We invesitigate them all and put a focus on what it takes to outsource with a service like WSC Guard.

In part one of this tutorial, we saw how RADIUS servers provide the foundation for 802.1X Port Access Control. We considered deployment options for businesses that want to use 802.1X, like running your own authentication, authorization and accounting (AAA) server or purchasing a Managed Authentication Service. Now we take at look at costs involved in purchasing a RADIUS server, accompanied by one outsourcing example.

Options and Costs

Businesses that want to improve WLAN security but don't have an 802.1X-capable RADIUS Server have many deployment options.

Deploy WPA with Preshared Keys: Upgrading your WLAN from Wired Equivalent Privacy (WEP) to Wi-Fi Protected Access (WPA) can be done without RADIUS by using Preshared Keys (PSK) instead of 802.1X. Preshared Keys can't individually-authenticate your users, and poorly-chosen values leave you vulnerable to dictionary attack. Nonetheless, if your business risk and IT budget are both very small, WPA-PSK could be right for you.

Use Microsoft's RADIUS Server: If you have a Microsoft Windows 2000/2003 Server with spare capacity, consider using Microsoft's Internet Authentication Service (IAS). There are many books and guides on how to set up IAS; for example, see Foundry Network's 802.1X Port Authentication with Microsoft's Active Directory paper. IAS requires a Windows-savvy IT staff and works best if all your users run Windows. It may also take advantage of Microsoft's Wireless Provisioning Service, to be released 1Q04.

Install an Open Source RADIUS Server: If you're not a Windows shop and have a penchant for breaking your knuckles on open source code, you may want to check out FreeRADIUS. This 802.1X-capable open source Server is still beta code, so caveat emptor. To go this route, you'll need spare time, UN*X know-how, and a box running Linux, Free or OpenBSD, OSF/Unix, or Solaris to host your Server.

Buy A Commercial RADIUS Server: In the long run, fully-supported commercial products can save you time, and time means money. 802.1X-capable RADIUS Server products are available from a variety of sources, including:

Commercial RADIUS Servers vary in price and capacity. For example, Interlink's Secure.XS starts at $2375 for 250 users. $2500 will also buy you one Funk Odyssey Server, including 25 Odyssey Client software licenses. VOP Radius Small Business starts at $995 for 100 users. A single-server Radiator license will run you $720.

RADIUS servers are also available in hardware/software combo packages. For example, Funk's Steel-Belted Radius is available on a Network Engines appliance for $7500. LeapPoint's AiroPoint 3600-SE appliance starts at $2,499 for 50 clients. All of these prices are examples, subject to change, so refer to vendor Web sites and call their sales people for official pricing.

Pay Someone Else To Do It For You: Some small businesses don't have staff to install in-house servers, much less maintain them. If that sounds like your company, then consider an outsourced solution. For example, the Wireless Security Corporation offers WSC Guard, a managed 802.1X service which starts at $89 per year per user, dropping to $59 at 1000 users.

The rationale behind any managed service is eliminating capital investment, simplifying administration, and cutting total cost by leveraging the provider's infrastructure and expertise. Large organizations have security staff and IT infrastructure and can benefit from customizing their RADIUS Servers -- for example, by integrating with back-end databases. But smaller businesses may benefit from hiring someone else to cover all of that. A C2 Company study, commissioned by WSC, estimated that a 10-user company can save $15K over three years by using WSC Guard vs. Microsoft IAS. This gap narrows as the user base grows; in this example, total cost converged at 250 users.

Pages: 1 2


Comment and Contribute
(Maximum characters: 1200). You have
characters left.