How To: Set Up an Internal RADIUS Server (Part 1)

By Eric Geier

November 03, 2008

Small businesses can save money and beef up security by purchasing an access point with a RADIUS server built in. We tell you how to set one up using the ZyXEL NWA-3160 as an example.

In our recent five-part tutorial series, WPA-Enterprise for Small Businesses, we discussed how WPA-Enterprise provides superior authentication and encryption to deter Wi-Fi eavesdroppers and hackers. A RADIUS server, required for the 802.1x authentication, can be obtained in a few ways, one of which is to purchase an access point (AP) with one built in. Going this route provides a low-cost, easy-to-setup, solution for small businesses looking to build an extremely secure, but affordable, Wi-Fi network. Instead of spending $600+ (up to thousands of dollars) for a traditional RADIUS server, a small business or individual consumer can purchase an AP that includes a simple RADIUS server for just $100 to $200.

In this new two-part tutorial, we will walk readers through step-by-step instructions for setting up an AP’s internal RADIUS server. For this series, we used the NWA-3160 AP from ZyXEL. The beauty of this solution is the simplicity of the money-saving workaround. Even if you already have an existing wireless network, you can add a single NWA-3160 (or another similar AP) and use its RADIUS server for the network, enabling 802.1x authentication and WPA-Enterprise encryption at a fraction of the cost of a traditional server. In other words, only one NWA-3160 is needed; it can serve as the RADIUS server for all the other APs on the network.

If yours is a very basic WLAN—based on a single wireless router—connect the NWA-3160 to one of the Ethernet ports on the back of the router, then follow the steps in this tutorial. For larger Wi-Fi networks, the ZyXEL AP can be added anywhere along the string of existing APs; the other APs on the network are then configured to use the NWA-3160’s internal RADIUS server. If you are currently designing an advanced Wi-Fi network, the NWA-3160 can be chosen as the model for all the APs, even though only one is required to provide the internal RADIUS server.

In Part I of this tutorial, we’ll get the NWA-3160 talking with the existing network, turn on the internal RADIUS server, and get the digital certificate for the server and clients sorted out. Part II will conclude by stepping through setting up the APs and preparing the clients for the connection.

Configure the basic settings

Before configuring the internal RADIUS server, we need to set the basic (LAN) settings to make the AP part of the existing network. First, plug the AP into an electrical outlet and connect wirelessly to it from a computer. Because the AP can’t hand out an IP address to the computer (it has no DHCP server) and isn’t yet set up to communicate with the router (which hands out IP addresses from its DHCP server), the computer’s network adapter won’t receive an IP address.

For now, configure the computer’s network adapter with a static IP address and subnet mask within the AP’s default subnet. For example, an IP address of 192.168.1.3 and a subnet mask of 255.255.255.0 would work for the NWA-3160, as Figure 1 shows.

Figure 1

Then access the Web-based configuration utility by entering the AP’s default IP address (192.168.1.2 for the NWA-3160) into a Web browser and use the default password (1234 for the NWA-3160) to log in. Now go to the IP section and change the AP’s default IP settings (see Figure 2) to match your existing network.

Figure 2

If the router on the existing network has the IP address 192.168.1.1, leave the AP’s default IP address and subnet mask as they are, but enter the router’s IP address as the gateway IP address. Keep in mind that IP addresses must be unique, so if you are setting up multiple APs, give them addresses such as 192.168.1.2, 192.168.1.3, 192.168.1.4, 192.168.1.5, and so on. If the router’s IP address is 192.168.0.1, addresses such as 192.168.0.2, 192.168.0.3, 192.168.0.4, and so on would work for the APs. In most cases, the subnet mask of 255.255.255.0 will work with any router IP address. Remember, the gateway IP address is the address of the router on the network.

Once the AP’s IP settings are in place, computers connecting to the new AP(s) will be given IP addresses automatically, provided the DHCP server on the network’s router hasn’t been disabled in favor of a static IP address scheme. If the network is using DHCP, the computer used to set the AP’s initial settings can be set back to obtain an IP address automatically; it no longer needs a static address. If the network is not using DHCP, change the network adapter to the appropriate static IP settings.

To finish the basic install of the AP, find an optimum spot for the AP and connect it to the existing network (a router or switch) via an Ethernet cable.

Enable the internal RADIUS server

After configuring the AP to work with the existing network, access the settings for the internal RADIUS server by clicking the AUTH. SERVER link from the Web-based configuration screen. Make sure the Active check box is marked (see Figure 3), which enables the server.

Figure 3

Next, click the Trusted AP tab and enter the IP addresses of all the APs on the network, each with a unique shared secret. Figure 4 shows an example. Don’t forget to click the Active check box for each AP entry.

Figure 4

Tip: When creating shared secrets for APs, choose a long mixed-character, mixed-case password, up to the 31 alphanumeric characters the AP allows. Later, these passwords are entered into the APs and are essential to encrypting the network, so keep a copy of them in a safe place. The same goes for the account passwords, which can be up to 14 characters in length; use strong passwords and keep them safe.
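As an added example (not part of the original article or of ZyXEL’s tooling), the following Python script checks a planned address scheme and Trusted AP table against the rules given in the two sections above (unique AP addresses in the router’s subnet, gateway set to the router, a unique alphanumeric shared secret of at most 31 characters per AP) and generates secrets at that maximum length. The router and AP addresses are taken from the text; the plan in the script and the weak entry in it are constructed.

```python
import ipaddress
import secrets
import string

# Limits the tutorial gives for the NWA-3160 internal RADIUS server.
MAX_SECRET_LEN = 31  # shared secret per trusted AP, alphanumeric
ALNUM = string.ascii_letters + string.digits


def make_shared_secret(length=MAX_SECRET_LEN):
    """Random mixed-case alphanumeric secret, by default at the AP's 31-character maximum."""
    while True:
        s = "".join(secrets.choice(ALNUM) for _ in range(length))
        # Retry the rare draw that lacks a lowercase letter, an uppercase letter or a digit.
        if s.lower() != s and s.upper() != s and any(c.isdigit() for c in s):
            return s


def check_plan(router_ip, mask, trusted_aps):
    """Validate a planned Trusted AP table ([(ap_ip, shared_secret), ...]) against the
    tutorial's rules; returns a list of problems, empty when the plan is consistent."""
    net = ipaddress.IPv4Network(f"{router_ip}/{mask}", strict=False)
    gateway = ipaddress.IPv4Address(router_ip)
    seen_ips, seen_secrets, problems = set(), set(), []
    for ip, secret in trusted_aps:
        addr = ipaddress.IPv4Address(ip)
        if addr not in net:
            problems.append(f"{ip}: not in the router's subnet {net}")
        if addr == gateway:
            problems.append(f"{ip}: collides with the gateway (router) address")
        if addr in seen_ips:
            problems.append(f"{ip}: address already used by another AP")
        seen_ips.add(addr)
        if not 1 <= len(secret) <= MAX_SECRET_LEN:
            problems.append(f"{ip}: shared secret must be 1-{MAX_SECRET_LEN} characters")
        elif any(c not in ALNUM for c in secret):
            problems.append(f"{ip}: shared secret must be alphanumeric")
        elif secret.lower() == secret or secret.upper() == secret:
            problems.append(f"{ip}: shared secret is not mixed-case")
        if secret in seen_secrets:
            problems.append(f"{ip}: shared secret reused from another AP")
        seen_secrets.add(secret)
    return problems


if __name__ == "__main__":
    # Constructed plan: router at 192.168.1.1; the third AP is on the wrong subnet with a weak secret.
    plan = [("192.168.1.2", make_shared_secret()), ("192.168.1.3", make_shared_secret()),
            ("192.168.0.4", "password")]
    for problem in check_plan("192.168.1.1", "255.255.255.0", plan):
        print(problem)
```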

Next, select the Trusted Users tab and create a user name and password for each person who will access the network, being sure to select Active for each entry. These are the username and password combinations that users will enter when connecting to the Wi-Fi network.

Configure and distribute the digital certificate

Our setup is designed to have the wireless clients verify the identity of the RADIUS server before a connection is established. This helps prevent someone from setting up a fake or rogue AP to harvest the usernames and passwords people use to connect. Digital certificates are used for this verification process. The certificate loaded on the RADIUS server must be from a certificate authority (CA) that’s trusted by the computer, such as VeriSign. When a self-signed certificate is used instead (such as the one the NWA-3160 creates), users typically have to install the certificate on the computer manually in order for the verification process to work, because the certificate is not from a CA that the computers automatically trust.

We can load a certificate on the AP’s RADIUS server either by using the built-in utility of the NWA-3160, which creates a self-signed certificate, or by uploading a certificate purchased from a third-party CA. If using the built-in utility, make sure to replace the factory certificate with one that is unique. This certificate (which is based upon the NWA-3160’s MAC address) can be created after logging into the AP for the first time, on the Replace Factory Default Certificate page that appears. If this step was skipped or ignored, another option is to go to the CERTIFICATES section of the AP’s configuration screen and click the Replace button. To upload a third-party certificate, click the Import button in the CERTIFICATES section.

If using a self-signed certificate, each Windows computer that will use the WPA-Enterprise network needs the same digital certificate installed. If the certificate was purchased from a CA that Windows automatically recognizes, however, this isn’t necessary. In addition, installing the certificate (whether self-signed or not) on Mac OS X machines isn’t required.

The first step to get the self-signed certificate on the Windows computers is to export the server certificate to a .crt file. On the CERTIFICATES section of the AP’s configuration screen, click the Details button, scroll down the details page, and click the Export button. On the Save As box, browse to a location to save it, add the .crt extension to the file name, and click Save.

To install the certificate on a Windows computer, right-click the .crt file and choose Install Certificate. On the Certificate Import Wizard that appears, click Next. Then select the Place all certificates in the following store option, click Browse, choose the Trusted Root Certification Authorities store, and click OK. Then click Next to move to the next screen and click Finish from there.

Part 2 of this tutorial discusses the remaining steps (configuring the APs and wireless clients with the WPA/802.1x settings).

Eric Geier is the Founder and President of Sky-Nets, Ltd., a Wi-Fi hotspot network. He is also the author of many networking and computing books, including Home Networking All-in-One Desk Reference For Dummies (Wiley 2008) and 100 Things You Need to Know about Microsoft® Windows Vista (Que 2007).
