By Eric Geier
August 08, 2008
Learn the basics of an 802.1x RADIUS server environment and the steps to setting it up to run WPA-Enterprise encryption.
- Ask the Wi-Fi Guru, Episode VI
- WPA-Enterprise for Small Businesses (Part I)
- Linux Wi-Fi Works with wicd
- Ask the Wi-Fi Guru, Episode V
In the first installment of this tutorial series, you discovered that WPA-Enterprise encryption is the way to go if you desire a bulletproof Wi-Fi network. You also found out a few ways you can go about setting up this encryption method for your small or home office network. This tutorial will continue by introducing you to the basics of an 802.1x RADIUS server environment and the steps to setting it all up. You’ll soon be on the road to running your very own server for WPA-Enterprise encryption.
Interworkings of an 802.1x RADIUS Server Setup
For the most part, 802.1x RADIUS servers are set up and work in a similar manner to one another. The RADIUS server software acts as the gateway to the network; users must pass it before they’re allowed access to the network and the Internet. It receives requests that originate from users and sends back messages to approve or deny users to connect to the wireless network. This request may contain, for example, a user name and password, which the RADIUS server checks against a user database (Active Directory, SQL database, MS Access, server’s built-in database, etc.). The messages to and from the users and the RADIUS server go through a coordinator or middleman, called a network access server (NAS) or RADIUS client, such as your wireless router or APs.
Figure 1 (below) shows a simplistic example of these components and the process of authenticating a user onto a wireless network.Another component you should be familiar with in this type of environment is a digital certificate. When you set up a RADIUS server, you install a digital certificate (a small file that serves as a computer’s ID) on the server. During the authentication process, the user computer validates whether the RADIUS server is trustworthy. The computer does this by running the digital certificate installed on the server through a Certificate Authority (CA) that vouches for the server’s identity. A digital certificate is comparable to a signed letter stating a person’s identity, a CA is similar to a public notary, and the CA’s official verification of the computer’s identity being the equivalent as an affidavit.
For most small business and home deployments, using a third-party CA is not cost-effective. In these instances, the same digital certificate that’s installed on the RADIUS server must also be installed on the user computers. For easier configuration of computers on larger networks, a certificate designed for WLAN authentication and signed by a trusted authority (such as Verisign) can be purchased. Instead of manually installing a self-signed certificate on all your computers, the computers would validate the server’s identity using a real CA that’s by default trusted by Windows.
Figure 1. The authentication standard represented in Figure 1 and explained in this section is that of Protected Extensible Authentication Protocol (PEAP).
Basic Steps of Setting Up a RADIUS Server
Before you dive headfirst into installing and configuring, you should review the overall steps to setting up your WPA-Enterprise network using an 802.1x RADIUS server:
- Choose and download the server software: You’ll need to choose which server you want to use and download the software from the vendor’s Web site. The Elektron, Evolynx, and ClearBox servers all offer 30-day fully functional free trials. This is great if you want to compare products or if you aren’t sure you want to make the financial investment of hundreds of dollars. If you are comfortable working within the Linux platform and have more time on your hands than money, you could consider using the open source FreeRADIUS server.
- Prepare your server PC: First you’ll have to prepare the computer on which you want to install the server software, which we’ll discuss further in the next section.
- Install the server software: During the initial installation of the server software, through setup wizards, or by manually configuring settings through the admin utility, you’ll need to perform these general tasks:
- Install a digital certificate: If you aren’t purchasing a certificate through a third-party CA, this involves using a wizard that comes with the RADIUS server to generate a self-signed certificate. Then you would add the certificate to the RADIUS server, if it isn’t already done automatically. Next you would export the certificate to a file and install it onto each computer that’s going to be connecting to your wireless network.
- Input RADIUS client (AP) details: You’ll need to create a RADIUS client entry for each wireless router or AP on your wireless network. The two main attributes are the IP address of the router or AP and a password, called the Shared Secret, for the particular device. For optimum security, use a long password with mixed case and character types; just don’t forget it, as you’ll have to input this password into the particular router or AP.
- Set up an authentication realm or domain: This is a setting on the server that tells it how to handle the authentication process. For example, it tells the server what database to authenticate users against. For small networks, the most you’ll likely have to do is edit the default realm or domain to check against the server’s built-in or default database.
- Add users to the database: If you don’t already have a database containing your user information, such as Active Directory, you’ll probably need to populate the server’s built-in or default database with usernames and passwords.
- Setup your wireless router and/or APs: After you have your RADIUS server all set up, you can configure your wireless router and/or APs with the WPA-Enterprise encryption method. You’ll likely only need to input two pieces of information into the Web-based configuration utility of each AP: the IP address of the device and the password or Shared Secret you inputted into the server for the device.
- Configure your computers: Lastly, you would set up your computers with the appropriate settings for WPA-Enterprise encryption, according to the settings you’ve specified when setting up your RADIUS server. If you are going the self-signed route for your digital certificates, you must install the certificate on all your computers, if you haven’t already. Otherwise configuring your computers won’t require more than a little fiddling around with the settings for the preferred network entry in Windows.
That’s it in a nutshell; now we’ll go step-by-step through the process.
Preparing your server PC
You need to choose which computer you’re going to install the server software on, which we’ll call the server pc. It’s best to dedicate a computer solely for the purpose, however, if it isn’t super-critical to have your wireless network up 24/7, you can get away with using the PC for day-to-day tasks in addition to hosting your authentication server. Remember, if the server PC is shut down, restarting, or crashes, users can’t connect to your wireless network. Users already authenticated and connected should still be able to use the network when the server PC is down, but they can be kicked off after their session times out and needs to communicate with the server again.
The server PC will need to be hooked directly into the network via an Ethernet cable rather than wirelessly. In addition, the PC should have a static IP address as opposed to having an address assigned automatically to it by using DHCP. This is because you’re going to be inputting the IP address of the server PC into your wireless router and/or access points (APs), thus it needs to remain the same. You can either assign a static IP address to your computer in Windows (on the TCP/IP Properties window of your network connection) or use a DHCP reservation feature on your router to ensure your server PC always receives the same IP address.
Stay tuned—the next installments will take you through the remaining steps to get a RADIUS server installed and WPA-Enterprise security running on your Wi-Fi network.
Eric Geier is the Founder and President of Sky-Nets, Ltd., a Wi-Fi hotspot network. He is also the author of many networking and computing books, including Home Networking All-in-One Desk Reference For Dummies (Wiley 2008) and 100 Things You Need to Know about Microsoft® Windows Vista (Que 2007).