Remote Authentication Dial-In User Service (RADIUS) servers provide centralized Authentication, Authorization and Accounting (AAA) management. They can also now provide the required 802.1X authentication for using the Enterprise mode of WPA/WPA2 security for your Wi-Fi.
There are many issues that can arise when deploying a RADIUS server. Today we'll share a few tips to help you avoid some common mistakes.
Not Using the Right Server for You
There are many options when it comes to choosing a RADIUS server. While there are numerous RADIUS commercial servers that tout their performance and ease of use, there are also free solutions available that claim to be even better. Then there’s hosted solutions that provide cloud RADIUS services. But which server is best for you?
If you have enough spare time and command-line software doesn’t scare you off, perhaps try the free and open source solution called FreeRADIUS. If you have room in the budget and can spare some time, consider purchasing RADIUS server software. However, if you don’t want to bother with setting up your own server at all, consider a hosted or cloud-based RADIUS server and you could be up and authenticating within minutes.
Not Considering Purchasing a Security Certificate
When setting up a RADIUS server you'll install at least one a security (SSL) certificate on the server so that, for instance, clients can validate the server before continuing with their authentication. You can create your own certificate authority (CA) and generate a self-signed certificate, which is free and generally more secure.
However, purchasing a certificate from a popular CA like VeriSign, Comodo or GoDaddy is usually easier since many operating systems already have their CA certificate installed. To perform server validation when using your own CA, you’d have to distribute the CA certificate to the clients.
Carefully weigh the pros and cons of creating your own certificates versus purchasing them. Using your own is usually the most secure, but not if you don’t distribute the CA certificate.
Not Deploying Dynamic VLANs
If your network utilizes virtual local area networks (VLANs), a RADIUS server can greatly ease assigning users or computers to their correct VLAN. Using a RADIUS server, you can dynamically assign the users or computers to their VLAN instead of creating virtual SSIDs for each VLAN, which can tie up precious airtime on the wireless network.
With a RADIUS server you can have a single SSID that all users connect to, protected with WPA2 enterprise security, and then the RADIUS server will assign them to their VLAN designated in your backend user database.
Forgetting About the Client Settings
Though a RADIUS server can help improve security, such as when used with enterprise Wi-Fi security, there still certainly are vulnerabilities. As already touched on, clients can perform a validation on a RADIUIS server before authenticating to ensure they’re talking to the correct server rather than a fake one that has been set up for a man-in-the-middle attack. So take a look at the client settings to make sure they’re actually performing this validation.
For more details on server validation and client settings, see our previous articles: Enabling Server Validation for Windows and Android 802.1X Clients and Configuring 802.1X Server Settings for Apple Devices.
Eric Geier is a freelance tech writer -- keep up with his writings on Facebook. He's also the founder of NoWiresSecurity, a cloud-based Wi-Fi security service, and On Spot Techs, an on-site RF site surveying and other computer services company.