Low-cost RADIUS servers for Wi-Fi security

Page 2 of 2

Unlike the other RADIUS servers we reviewed, NPS includes Microsoft's network access control (NAC) implementation called Network Access Protection (NAP). It's basically an enhanced form of authorization controls, where you can allow or deny access based upon health policies. So for instance, you can ensure users trying to authenticate from NAP-supported computers have a firewall enabled, antivirus on and up to date, and automatic Windows Updates enabled.

For RADIUS server logging and accounting, NPS supports writing to a text file and/or storing in a Microsoft SQL Server database. For each it gives you the ability to specify what you want to log. For SQL logging it gives you the ability to enable text file logging in case of SQL failure. For text file logging you can specify when it should automatically create new logs.

Overall the NPS role of Windows Server 2008 R2 provides adequate AAA services, but lacks some customization and advanced functionality found in other servers like FreeRADIUS and ClearBox. Nevertheless, it's still a great and economical option for small and midsize networks already running a Windows Server with Active Directory.

FreeRADIUS

FreeRADIUS is a free and open source RADIUS server released under the GNU General Public License Version 2 (GPLv2) with commercial support available from Network RADIUS. Designed to run on Unix and other Unix-like systems, like Linux, it's primarily a non-GUI server in which you adjust settings in configuration files and run the server via command line. Thus it's best for administrators with Unix/Linux experience. It can serve the AAA needs of small networks with a few users or even service providers with millions of users.

There isn't any published hardware requirement for FreeRADIUS, but generally any commodity PC can serve up to a few hundred thousand users. It can run on a variety of platforms in many different operating systems, including Linux (CentOS, Debian, Mandriva, Red Hat, SUSE, Ubuntu), Solaris and FreeBSD. Many OSs have FreeRADIUS binaries in their package repositories, making the installation simple, but they might not be updated with the latest release. In these cases you can build the packages yourself with the FreeRADIUS source code but this can be a challenge, especially for those less experienced with Unix/Linux.

Authentication protocols supported by FreeRADIUS include: PEAP, TTLS, EAP-FAST, EAP-TLS, LEAP, PAP, CHAP, MS-CHAP, MS-CHAPv2, EAP-MS-CHAPv2, EAP-MD5, EAP-GTC, EAP-OTP, EAP-AKA, EAP-GPSK, EAP-PAX, EAP-SAKE, EAP-PSK, EAP-SIM, SecurID and Digest.

FreeRADIUS supports the following databases and data sources: included flat files, Linux accounts (/etc/passwd files), Active Directory and other LDAP directories, SQL and other ODBC compliant data sources, remote RADIUS servers, external shell, Python, Perl scripts, Redis, DBM files, Ruby and Java..

We tested FreeRADIUS in Ubuntu 12.04 LTS on a VMware virtual machine. We installed it via the Ubuntu package, which was FreeRADIUS v2.1.10 instead of the most current v2.2.12. The installation was very simple and only took a few minutes, but can be a very different matter if you must compile from the source code yourself.

Next we followed the documentation on the FreeRADIUS wiki to configure the server, which didn't completely match with our default Ubuntu installation but did put us in the right direction. For instance, it points you to /etc/raddb/ for the configuration files, but ours in Ubuntu was at /etc/freeradius/. The documentation isn't really wrong; file locations differ between the varieties of Unix/Linux distributions. We also noticed some of the documentation is outdated and could use some better organization.

After completing the basic configuration and testing, the wiki wasn't very clear on what to do next to get PEAP authentication working. But we did find help on another site, which is maintained by a FreeRADIUS developer and offers seemingly more up-to-date documentation.

FreeRADIUS includes the ability to dynamically assign configuration to connecting users via many different criteria, similar to the other servers we reviewed, but offers the most flexibility and customization. Additionally, a major feature that sets FreeRADIUS apart from the others is the virtual server support, similar to virtual servers in Web servers (Apache, Nginx).

You can connect multiple virtualized configurations to different IP/port sockets, while all running from one FreeRADIUS process, with the ability to proxy packets between them. This allows for different NAS types (ADSL, Wi-Fi, WiMax, VPN) to be handled by completely separate configurations.

FreeRADIUS includes most features and functionality that we discovered in the other servers, such as domain name stripping from the incoming username, MAC address authentication, concurrent session limiting and failed login lockout protection. And if FreeRADIUS doesn't include a feature or function by default you can most likely implement it via the configuration files, by adding modules, or even by making source code modifications.

Overall, FreeRADIUS is a feature-rich, highly customizable, and flexible server. It's a great and economical choice for the AAA needs of any size network, but is best for use by administrators already experienced with Unix/Linux.

Eric Geier is a freelance tech writer. He's also the founder of NoWiresSecurity, which provides a cloud-based RADIUS service for Wi-Fi security, and On Spot Techs, which provides on-site computer services.

Read more about wide area network in Network World's Wide Area Network section.

This story, "Low-cost RADIUS servers for Wi-Fi security" was originally published by Network World.

| 1 2 Page 2
ITWorld DealPost: The best in tech deals and discounts.
Shop Tech Products at Amazon