How To: Set Up an Internal RADIUS Server (Part 2)

By Eric Geier

December 12, 2008

Small businesses can save money and beef up security by purchasing an access point with a RADIUS server built in. In this two-part tutorial, we tell you how to set one up using the ZyXEL NWA-3160 as an example.

In the first part of our series on setting up the built-in RADIUS server of the ZyXEL NWA-3160 AP, we walked readers through the initial IP configuration so the AP can join the network. We also enabled the internal RADIUS server, entered the AP and user information, and created a self-signed digital certificate that we installed on the server and our PCs. Now that the server side of the setup is complete, in this final installment of the two-part series we will configure the APs and PCs with the appropriate settings. Our goal is to provide affordable, enterprise-level WPA encryption with 802.1x authentication. Soon we’ll have a bullet-proof wireless network up and running, for a fraction of the cost and time it takes to set up a traditional RADIUS server.

Enable WPA/802.1x on the APs

The first step is to configure the APs (and the wireless router, if one exists on the network) to use the WPA Enterprise encryption method and to set the 802.1x/RADIUS settings. More advanced APs, such as the NWA-3160, use profiles: the security and RADIUS settings are configured in their respective profiles, which are then assigned to a wireless profile. More basic APs and wireless routers have all the encryption and 802.1x settings on a tab labeled Wireless or Wireless Security (or something similar), as shown in Figure 1 (below).

Figure 1.

Though we will discuss exactly how to configure the ZyXEL AP, here are the basic guidelines to follow when setting up any APs or wireless routers:

  • Enable WPA encryption: Select either WPA-Enterprise or WPA2-Enterprise (in some cases just referred to as WPA or WPA2), depending upon the version supported by the wireless clients. Some APs support a mixed mode where both WPA versions can be used concurrently.
  • Choose the algorithm or cipher type: Select TKIP if using WPA, AES if using WPA2, or both (or Auto) if using WPA-mixed mode.
  • Enter the RADIUS server IP address: This is the IP address of the NWA-3160 that is hosting its internal RADIUS server.
  • Enter the RADIUS server port: If the port of the NWA-3160’s internal RADIUS server hasn’t been changed from its default, enter 1812 for the port; otherwise enter the custom port.
  • Enter the shared secret: Enter the password created for the specific AP, defined earlier when the trusted APs were entered into the ZyXEL AP.
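The shared secret entered above (and again in step 3 below for each additional AP) is what lets an AP check that a reply really came from the RADIUS server it was pointed at: the server's Response Authenticator is an MD5 over the reply, the AP's random Request Authenticator and the secret (RFC 2865, section 3). The following Python is an added example, not the article's or ZyXEL's code; it builds a minimal Access-Request and reply and shows that the AP can only validate the reply when both sides hold the same secret, which is why a mistyped secret on one AP shows up as every client on that AP failing to authenticate. The user name and NAS address are constructed sample values.

```python
# Added example (not the article's or ZyXEL's code): RADIUS reply authentication
# per RFC 2865 section 3. Sample user/AP values below are constructed.
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, NAS_IP_ADDRESS = 1, 4          # RFC 2865 attribute type numbers

def attribute(attr_type, value):
    """Encode one RADIUS attribute as Type (1 byte) | Length (1 byte) | Value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value

def build_packet(code, identifier, authenticator, attributes):
    """RADIUS packet: Code | Identifier | Length | 16-byte Authenticator | attributes."""
    return struct.pack("!BBH", code, identifier, 20 + len(attributes)) + authenticator + attributes

def access_request(identifier, attributes):
    """AP -> server. The Request Authenticator is a fresh random 16-byte value."""
    return build_packet(ACCESS_REQUEST, identifier, os.urandom(16), attributes)

def response_authenticator(code, identifier, request_auth, attributes, secret):
    """RFC 2865 s.3: MD5(Code | ID | Length | RequestAuth | Attributes | Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attributes))
    return hashlib.md5(header + request_auth + attributes + secret).digest()

def server_reply(code, request, secret, attributes=b""):
    """Server -> AP. The reply is bound to this request and to this AP's secret."""
    identifier, request_auth = request[1], request[4:20]
    auth = response_authenticator(code, identifier, request_auth, attributes, secret)
    return build_packet(code, identifier, auth, attributes)

def verify_reply(reply, request, secret):
    """AP side: trust the reply only if it matches our outstanding request and secret."""
    if len(reply) < 20 or reply[1] != request[1]:
        return False
    code, identifier, length = struct.unpack("!BBH", reply[:4])
    if length != len(reply):
        return False
    expected = response_authenticator(code, identifier, request[4:20], reply[20:], secret)
    return hmac.compare_digest(expected, reply[4:20])

def demo(ap_secret, server_secret):
    """One login round trip; True only when AP and server hold the same secret."""
    attrs = attribute(USER_NAME, b"alice") + attribute(NAS_IP_ADDRESS, bytes([192, 168, 1, 2]))
    request = access_request(7, attrs)
    reply = server_reply(ACCESS_ACCEPT, request, server_secret)
    return verify_reply(reply, request, ap_secret)
```

Because the Request Authenticator is random, a reply captured for one request does not verify against another, and a reply whose Code has been altered fails the check as well.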

To configure the NWA-3160 with WPA-Enterprise to use its own internal server for authentication, follow these steps:

  1. Login to the Web-based configuration utility, click the Wireless section, and choose the RADIUS tab.
  2. For the Primary RADIUS Option, check the Internal radio button (see Figure 2) and click Apply.

Figure 2.

  3. Choose the Security tab.
  4. Select the security01 profile, and click Edit.
  5. For the Security Mode, choose WPA and click Apply. Now the ZyXEL AP is set to use its very own RADIUS server for the 802.1x authentication process.

If multiple NWA-3160s are on the network, follow these steps to set up the others to use the NWA-3160 that’s hosting its internal RADIUS server:

  1. Login to the Web-based configuration utility, click the Wireless section, and choose the RADIUS tab.
  2. For the Primary RADIUS Option, check the External radio button and mark the Active checkbox.
  3. Enter the IP address of the ZyXEL AP that’s hosting the RADIUS server, enter the server port (by default, 1812), enter the Shared Secret for this particular AP, and click Apply. See Figure 3 for an example.

Figure 3.

  4. Choose the Security tab.
  5. Select the security01 profile, and click Edit.
  6. For the Security Mode, choose WPA and click Apply. This AP is now set up to use the internal RADIUS server of the other ZyXEL AP.

Configure the wireless clients with the WPA/802.1x settings

Once all the network infrastructure components are set with the appropriate encryption and authentication settings, the wireless clients can be configured. In Windows, this requires the administrator or user to manually create a profile (or preferred network entry) for the network, in order to set the 802.1x settings. After this initial configuration, users can connect to the network like any other wireless network and enter their username and password for access to the network.

Follow these steps to configure Windows XP with the appropriate settings:

  1. Double-click the wireless network icon in the system tray. If the icon isn’t visible, click Start, Network Connections, right-click the wireless connection, and select Properties.
  2. On the Local Area Connection Status window, click the Properties button.
  3. On the Local Area Connection Properties window, select the Wireless Networks tab.
  4. If an entry already exists for the network name or SSID of the WPA-enabled wireless network, select it and click Properties. If no entry exists, click Add.
  5. On the Association tab of the Wireless Network Properties window:
    1. Enter the desired SSID or network name, if adding a new entry.
    2. Select WPA or WPA2 for the Network Authentication field, based upon what version is set up on the RADIUS server.
    3. Choose TKIP for the Data Encryption field if using WPA or AES if using WPA2.
  6. On the Authentication tab (see Figure 4):
    1. Ensure Protected EAP (PEAP) is chosen for the EAP Type.
    2. De-select both of the other checkboxes, unless the RADIUS server is specifically set up to accommodate these situations.

Figure 4.

  7. On the Authentication tab, click the Properties button and follow these steps on the Protected EAP Properties window (see Figure 5):
    1. Check the first checkbox, Validate server certificate.
    2. Uncheck the second checkbox, Connect to these servers.
    3. Select the CA certificate that’s installed on the AP’s internal RADIUS server from the list. If the AP’s self-signed certificate was used, it should start with NWA-3160, followed by the AP’s MAC address.
    4. Select “Secured password (EAP-MSCHAP v2)” for the Select Authentication Method field and click the Configure button. On the dialog box that appears, uncheck the option labeled Automatically use my Windows logon name and password (and domain if any), and click OK. Figure 5 shows both of these windows.

Figure 5.

  8. Click OK on each of the windows to save the network settings.

Though configuring the network in Windows Vista is similar, here are the exact steps:

  1. Right-click the network icon in the system tray and select Network and Sharing Center.
  2. On the Network and Sharing Center window, click the Manage wireless networks link on the left task pane.
  3. If an entry already exists for the network name or SSID of the WPA-enabled wireless network, double-click it and skip to Step 6. If no entry exists, click Add and proceed with the steps as usual.
  4. If adding a new entry, click Manually create a network profile on the window that appears, enter the settings for the network, and click Next.
  5. On the Successfully Added window, click Change connection settings.
  6. On the Wireless Network Properties window, select the Security tab, and follow these steps:
    1. Ensure the security and encryption types are set correctly, based upon what version is set up on the RADIUS server.
    2. Uncheck or check the checkbox option as desired to save the user name and password when connecting.
    3. Ensure Protected EAP (PEAP) is chosen for the network authentication method.
  7. Click the Settings button and on the Protected EAP Properties window, follow these steps:
    1. Check the first checkbox, Validate server certificate.
    2. Uncheck the second checkbox, Connect to these servers.
    3. Select the CA certificate that’s installed on the AP’s internal RADIUS server from the list. If the AP’s self-signed certificate was used, it should start with NWA-3160, followed by the AP’s MAC address.
    4. For the Select Authentication Method field, make sure Secured password (EAP-MSCHAP v2) is selected and click the Configure button. On the dialog box that appears, uncheck the option labeled Automatically use my Windows logon name and password (and domain if any), and click OK.
  8. Click OK on each of the windows to save the network settings.

Connecting to the WPA/802.1x wireless network

After configuring the network’s settings in Windows, select the network from the available wireless networks list, just like when connecting to other Wi-Fi networks. A notification in the lower right corner of Windows will appear about entering log-in credentials; click this alert. On the Enter Credentials dialog box that appears, enter a user name and password of an account set up on the AP’s internal RADIUS server, leaving the Logon Domain field blank, and then press Enter.

Wrapping it up

In Part 1, we configured the ZyXEL AP’s internal RADIUS server; in Part 2, we set up the APs and clients. If all went as planned, your computers should now be able to connect to the 802.1x-authenticated and WPA-encrypted network. Though Wi-Fi eavesdroppers won’t be able to crack the encryption, remember that we’ll always have security concerns. Make sure users keep their username and password to themselves; those credentials are now the key to the network. Remember, too, that these login credentials can always be changed if they, or a computer, have been compromised.

Eric Geier is the Founder and President of Sky-Nets, Ltd., a Wi-Fi hotspot network. He is also the author of many networking and computing books, including Home Networking All-in-One Desk Reference For Dummies (Wiley 2008) and 100 Things You Need to Know about Microsoft® Windows Vista (Que 2007).
