Low-cost RADIUS servers for Wi-Fi security

Remote Authentication Dial-In User Service (RADIUS) servers are common in enterprise networks to offer centralized authentication, authorization and accounting (AAA) for access control. But RADIUS servers can also be useful in small and midsize networks to enable 802.1X authentication and WPA2 (802.11i) security for Wi-Fi nets.

We tested four RADIUS servers that smaller businesses might consider: Elektron, ClearBox, Microsoft's Network Policy Server from Windows Server 2008 R2, and FreeRADIUS.

We measured ease of installation and configuration, quality of the documentation and the ability to customize configurations. All of the vendors scored well, with ClearBox on top and Elektron a close second, and FreeRADIUS and Windows Server NPS tying for third.

Elektron ($750) is a good entry-level and user-friendly server. ClearBox ($599) is a great choice for small networks, but it also scales to larger networks. Microsoft Windows Server 2008 R2 NPS is likely a given for organizations already running a Windows Server, as long as they don't need all the advanced features and database support. And FreeRADIUS (open source) is a solid and economical choice for Unix/Linux admins offering the most customization and flexibility.

Here are the individual reviews:

Elektron

The Elektron RADIUS server from Periodik Labs is a Windows GUI-based server that's targeted toward wireless authentication for small and midsize networks, but supports other AAA purposes as well. It's offered as a 30-day free trial and then costs $750 for a single server license.

Elektron can run on Windows XP Pro, Vista, Windows 7 and Windows Server 2003 and 2008. There's also a Mac OS X edition that runs on 10.5 or later or with an Intel Core Duo or better processor. Both require at least 512MB of memory and 20MB of free disk space.

Elektron supports the following authentication methods: PEAP, TTLS, EAP-FAST, EAP-TLS, LEAP, PAP, CHAP, MS-CHAP, MS-CHAPv2, EAP-MS-CHAPv2, EAP-MD5, EAP-GTC, and EAP-OTP. It also supports the following databases for the user account data: Internal database (configurable via the GUI called Elektron Accounts), Windows accounts, Mac OS X Directory Services, Active Directory and other LDAP directories, SQL and other ODBC compliant data sources, Remote RADIUS servers and Script.

We tested Elektron Version 2.2 in Windows Server 2008 R2 on a VMware virtual machine. The installation was very simple and only took about a minute. It uses a typical Windows installer and didn't prompt us for any server-related settings.

Immediately after the installation we found a Setup Wizard to help configure Elektron for wireless authentication. It prompted us to create a password (shared secret) for a wireless access point (RADIUS client) and helped configure/create a server certificate. The wizard was helpful, but could be improved by allowing you to enter passwords for individual access points rather than creating a catch-all entry for any access point, which is a less secure method.

After using the Setup Wizard we were left in the dark as to our next step. Since we're experienced with the RADIUS process, we knew we had to configure the Authentication Provider (we used the internal database) and input user account info (we created a user on the Elektron Accounts page). But those not familiar with RADIUS might be confused because the wizard doesn't cover this and the Getting Started section in the documentation skips it as well. Nevertheless, after configuring our wireless access point with WPA2-Enterprise we were able to authenticate via Protected Extensible Authentication Protocol (PEAP).

While reviewing the Authentication settings we found we could add multiple Authentication Providers and dynamically assign users to them based upon their Domain or Access Point Group, with support for stripping the domain from the incoming username. We also found support for MAC address authentication, which, while not the most secure method, can be used to authenticate devices that don't support 802.1X security or other protocols supported by Elektron. Another notable feature is the ability to block logins after multiple failed password attempts.

[Figure: Authentication settings in Elektron]

In the Authorization settings, we could create custom policies. We could deny connections, assign users to virtual LANs, append custom RADIUS response attributes or execute a script based upon various triggers: login time, username, user group, access point group, media access control address group or the result of a script. These provide the authorization functionality SMB networks usually require, but don't provide the full customization ability larger or service provider networks might require.

In the Accounting section we found basic access and error logs, viewable only in the GUI and not able to be sent to a database. We were impressed with the Event Handler feature that allows you to easily enable notifications on events like logins, failed logins, password lockouts and errors.

In the main server settings Elektron supports remote administration so you can manage the server from other PCs, and server replication in case you want to set up a backup server.

Overall, Elektron is a solid, attractive, and user-friendly server. Though the Getting Started section in the documentation could be improved, generally it was informative and useful, and should be understandable by those less experienced with RADIUS. Elektron is a great option for small and midsize networks.

ClearBox Enterprise RADIUS Server

ClearBox Enterprise RADIUS Server from XPerience Technologies is a Windows-based RADIUS server that can serve the AAA needs of small businesses or even large networks with millions of users, according to the company. Like the Elektron RADIUS server, ClearBox is a GUI-based program. The company offers a 30-day free trial and then charges $599 for a single server license.

ClearBox can run on any Windows platform from Windows 2000 up to Windows 7 and Windows Server 2008 R2. It requires only a Pentium II or higher processor, 256MB or more of memory, and at least 16.6MB of free disk space for the full install.

ClearBox supports the following authentication methods: PEAP, EAP-TLS, PAP, CHAP, MS-CHAP, MS-CHAPv2, EAP-MS-CHAPv2, EAP-MD5, SIP and ARAP. ClearBox allows the use of concurrent data sources and supports: Internal database (configurable via the GUI called Users Manager), Windows accounts, Active Directory and other LDAP directories, SQL and other ODBC and OLE DB compliant data sources, and Remote RADIUS servers.

We tested using ClearBox Version 5.7, released in March, in Windows Server 2008 R2 on a VMware virtual machine. The installation was simple and took less than two minutes. It uses a typical Windows installer and only prompts you for three server-related settings: the mode (Normal or Debug), the Control Centre password and whether you want to enable wireless authentication.

After finishing the install, the ClearBox Manual is by default set to automatically appear. We found the documentation to be thorough, but quickly noticed some slight inconsistencies. For example, some button names mentioned differ from what is on the GUI and the instructions for testing the server after setup were incomplete. Nevertheless, we were able to quickly configure ClearBox for PEAP wireless authentication, including creating a server certificate via the Certificates Wizard.

We also tried out the Configuration Wizard that helps those less-experienced in RADIUS understand and set the basic settings: adding RADIUS Clients and selecting a user database. We found this wizard informative and easy-to-use.

After configuring our wireless access point with WPA2-Enterprise and successfully authenticating via PEAP, we poked around the advanced ClearBox settings. We found it supported multiple realms, so incoming requests can be handled via a different set of authentication, authorization and accounting settings based upon the username, client IP, RADIUS attributes, Windows group membership or custom SQL result. Additionally, it supported username rewriting in case you require processing requests without a domain name.

Authorization settings can always be manually created in the Black, Check, Response and Reject-Response lists using any RADIUS attributes and values. But authorization settings are also configurable via the Users Manager, if you're using the ClearBox internal user database, which include settings to enforce login hours, set time credits, set per-user concurrent session limits and restrict logins to a specific client using its MAC address.

In the Accounting settings, we could log accounting details to the internal database, an external database or a file. Interestingly, it also included the ability to cache accounting data if the database is unavailable. Though not indicated in the GUI, ClearBox also supports third-party billing systems, including DTH Billing and Customer Management, Advanced ISP Billing and Platypus Billing System.

Other logging features include a Server Statistics page to view a rundown of packet types sent and received, an Online Logging page to view real-time activity and text-file logging of server errors and RADIUS packets.

In the main Server Settings, ClearBox supports remote administration, server replication in case you want to set up a backup server, advanced RADIUS settings and advanced logging settings. And another notable feature is the ability to enable monitoring and alerting that can automatically restart the server and send an email alert if ClearBox stops responding.

Overall ClearBox is feature-rich and easy-to-use. Its thorough documentation and help (although needing some updating) and the internal user database make it user-friendly for smaller organizations that might lack RADIUS experience. And its customization and wide database support allow use by larger organizations or service providers as well. Realms and RADIUS clients can even be dynamically chosen using SQL queries, and data for user accounts, authorization, accounting and logging can be stored in external databases as well.

Microsoft Windows Server 2008 R2 NPS

Microsoft's Windows Server platform provides a RADIUS server, an economical option for those already running (or planning to run) a Windows Server. Starting with Windows Server 2008, Microsoft provides the RADIUS service with its Network Policy Server (NPS) role, whereas previously it was provided by the Internet Authentication Service (IAS) role. Like most other Windows Server roles, NPS configuration is GUI-based.

NPS provides different functionality depending on the edition of Windows Server 2008 or 2008 R2. The Web Server edition is the only one that doesn't include the NPS role/feature. The Standard Edition supports a maximum of 50 RADIUS clients (access points) and a maximum of two remote RADIUS server groups. The RADIUS client can be defined by using a fully qualified domain name or an IP address, but groups of RADIUS clients can't be defined by specifying an IP address range. The Enterprise and Datacenter editions allow an unlimited number of RADIUS clients and remote RADIUS server groups, and allow defining RADIUS clients via IP address ranges in addition to a domain name or single IP.

NPS supports the basic common authentication protocols: PEAP, EAP-TLS, PAP, SPAP, CHAP, MD5, MS-CHAP, MS-CHAPv2 and EAP-MD5. Additionally, Microsoft allows plug-ins of other vendors' EAP methods on NPS. RSA's one-time password (OTP) method is one example of this.

For authentication NPS only allows the use of Active Directory for the user account database, in addition to being able to proxy requests to other RADIUS servers for processing. For RADIUS accounting you can write to a text file and/or store in a Microsoft SQL Server database.

We evaluated NPS in Windows Server 2008 R2 on a VMware virtual machine. Before enabling NPS we performed the initial configuration of Windows Server and set up an Active Directory domain. Then we used the documentation from Help and Support within Windows for information on how to configure NPS for 802.1X, which we found complete and thorough, targeted toward administrators. Next we spent about 10 minutes enabling the Certificate Services role and creating a certificate authority (CA). Next we enabled the NPS role and registered it with Active Directory, which was done in less than five minutes.

Then we selected the 802.1X configuration scenario and ran the configuration wizard that helped us add RADIUS clients (access points), select the authentication protocol (PEAP) and choose user groups to apply to the NPS server. The wizard also allowed us to configure traffic controls, which are RADIUS attributes (such as VLAN assignments) you can configure to be sent to the RADIUS clients and applied to authenticated and authorized users.

After configuring our wireless access point we could authenticate via PEAP authentication. Then we looked for advanced settings and functionality supported by NPS. Like the other servers, NPS supports multiple policy configurations. You can create policies with specific conditions of requests (user groups, NAS port type and many other conditions) and requests that match those are given a set of authentication and authorization settings. You can define settings like exact authentication protocols, day and time restrictions and custom reply RADIUS attributes (such as for VLAN assignments).

Unlike the other RADIUS servers we reviewed, NPS includes Microsoft's network access control (NAC) implementation called Network Access Protection (NAP). It's basically an enhanced form of authorization controls, where you can allow or deny access based upon health policies. So for instance, you can ensure users trying to authenticate from NAP-supported computers have a firewall enabled, antivirus on and up to date, and automatic Windows Updates enabled.

For RADIUS server logging and accounting, NPS supports writing to a text file and/or storing in a Microsoft SQL Server database. For each it gives you the ability to specify what you want to log. For SQL logging it gives you the ability to enable text file logging in case of SQL failure. For text file logging you can specify when it should automatically create new logs.

Overall the NPS role of Windows Server 2008 R2 provides adequate AAA services, but lacks some customization and advanced functionality found in other servers like FreeRADIUS and ClearBox. Nevertheless, it's still a great and economical option for small and midsize networks already running a Windows Server with Active Directory.

FreeRADIUS

FreeRADIUS is a free and open source RADIUS server released under the GNU General Public License Version 2 (GPLv2) with commercial support available from Network RADIUS. Designed to run on Unix and other Unix-like systems, like Linux, it's primarily a non-GUI server in which you adjust settings in configuration files and run the server via command line. Thus it's best for administrators with Unix/Linux experience. It can serve the AAA needs of small networks with a few users or even service providers with millions of users.

There isn't any published hardware requirement for FreeRADIUS, but generally any commodity PC can serve up to a few hundred thousand users. It can run on a variety of platforms in many different operating systems, including Linux (CentOS, Debian, Mandriva, Red Hat, SUSE, Ubuntu), Solaris and FreeBSD. Many OSs have FreeRADIUS binaries in their package repositories, making the installation simple, but they might not be updated with the latest release. In these cases you can build the packages yourself with the FreeRADIUS source code but this can be a challenge, especially for those less experienced with Unix/Linux.

Authentication protocols supported by FreeRADIUS include: PEAP, TTLS, EAP-FAST, EAP-TLS, LEAP, PAP, CHAP, MS-CHAP, MS-CHAPv2, EAP-MS-CHAPv2, EAP-MD5, EAP-GTC, EAP-OTP, EAP-AKA, EAP-GPSK, EAP-PAX, EAP-SAKE, EAP-PSK, EAP-SIM, SecurID and Digest.

FreeRADIUS supports the following databases and data sources: included flat files, Linux accounts (/etc/passwd files), Active Directory and other LDAP directories, SQL and other ODBC compliant data sources, remote RADIUS servers, external shell, Python, Perl scripts, Redis, DBM files, Ruby and Java.

We tested FreeRADIUS in Ubuntu 12.04 LTS on a VMware virtual machine. We installed it via the Ubuntu package, which was FreeRADIUS v2.1.10 instead of the most current v2.2.12. The installation was very simple and only took a few minutes, but can be a very different matter if you must compile from the source code yourself.

Next we followed the documentation on the FreeRADIUS wiki to configure the server, which didn't completely match with our default Ubuntu installation but did put us in the right direction. For instance, it points you to /etc/raddb/ for the configuration files, but ours in Ubuntu was at /etc/freeradius/. The documentation isn't really wrong; file locations differ between the varieties of Unix/Linux distributions. We also noticed some of the documentation is outdated and could use some better organization.
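The point made in the Elektron review, that a catch-all entry for any access point is less secure than a shared secret per access point, applies equally to the RADIUS client definitions FreeRADIUS keeps in clients.conf under the configuration directory mentioned above. The following is an added example, not code from the original article or from the FreeRADIUS project: a small Python audit that flags catch-all or address-range client entries and shared secrets that are short or reused. The sample configuration, addresses, secrets and thresholds are constructed, and the parser assumes the simple unquoted `client name { key = value }` form.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in FreeRADIUS 2.x clients.conf style (not a real deployment).
SAMPLE_CLIENTS_CONF = """
# catch-all: any device that knows the secret is accepted as a RADIUS client
client 0.0.0.0/0 {
    secret = testing123
}
client 192.0.2.10 {
    secret = Xq7-constructed-secret-ap-lobby
}
client 192.0.2.11 {
    secret = Xq7-constructed-secret-ap-lobby
}
"""

CLIENT_BLOCK = re.compile(r"client\s+(\S+)\s*\{(.*?)\}", re.S)
SETTING = re.compile(r"^\s*(\w+)\s*=\s*(\S+)", re.M)

def parse_clients(text):
    """Return a list of dicts, one per `client <name> { ... }` block."""
    text = re.sub(r"#.*", "", text)  # strip comments (assumes no '#' in secrets)
    clients = []
    for name, body in CLIENT_BLOCK.findall(text):
        settings = dict(SETTING.findall(body))
        # The address may be the block name or given as ipaddr (+ netmask).
        addr = settings.get("ipaddr", name)
        if "netmask" in settings and "/" not in addr:
            addr += "/" + settings["netmask"]
        clients.append({"name": name, "addr": addr,
                        "secret": settings.get("secret", "")})
    return clients

def audit(clients, max_hosts=1, min_secret_len=16):
    """Return (client name, finding) tuples for risky client definitions."""
    findings = []
    by_secret = defaultdict(list)
    for c in clients:
        try:
            net = ipaddress.ip_network(c["addr"], strict=False)
            if net.prefixlen == 0:
                findings.append((c["name"], "catch-all client entry"))
            elif net.num_addresses > max_hosts:
                findings.append((c["name"], "secret shared by an address range"))
        except ValueError:
            pass  # hostname-defined client: no range check possible here
        if len(c["secret"]) < min_secret_len:
            findings.append((c["name"], "short shared secret"))
        by_secret[c["secret"]].append(c["name"])
    for names in by_secret.values():
        if len(names) > 1:
            findings.extend((n, "secret reused across clients") for n in names)
    return findings

if __name__ == "__main__":
    for name, finding in audit(parse_clients(SAMPLE_CLIENTS_CONF)):
        print(f"{name}: {finding}")
```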

After completing the basic configuration and testing, the wiki wasn't very clear on what to do next to get PEAP authentication working. But we did find help on another site, which is maintained by a FreeRADIUS developer and offers seemingly more up-to-date documentation.

FreeRADIUS includes the ability to dynamically assign configuration to connecting users via many different criteria, similar to the other servers we reviewed, but offers the most flexibility and customization. Additionally, a major feature that sets FreeRADIUS apart from the others is the virtual server support, similar to virtual servers in Web servers (Apache, Nginx).

You can connect multiple virtualized configurations to different IP/port sockets, while all running from one FreeRADIUS process, with the ability to proxy packets between them. This allows for different NAS types (ADSL, Wi-Fi, WiMax, VPN) to be handled by completely separate configurations.

FreeRADIUS includes most features and functionality that we discovered in the other servers, such as domain name stripping from the incoming username, MAC address authentication, concurrent session limiting and failed login lockout protection. And if FreeRADIUS doesn't include a feature or function by default you can most likely implement it via the configuration files, by adding modules, or even by making source code modifications.

Overall, FreeRADIUS is a feature-rich, highly customizable, and flexible server. It's a great and economical choice for the AAA needs of any size network, but is best for use by administrators already experienced with Unix/Linux.

Eric Geier is a freelance tech writer. He's also the founder of NoWiresSecurity, which provides a cloud-based RADIUS service for Wi-Fi security, and On Spot Techs, which provides on-site computer services.


This story, "Low-cost RADIUS servers for Wi-Fi security" was originally published by Network World.
