Low-cost RADIUS servers for Wi-Fi security

By , Network World |  Mobile & Wireless, wifi, wireless security

We tested Elektron Version 2.2 in Windows Server 2008 R2 on a VMware virtual machine. The installation was very simple and only took about a minute. It uses a typical Windows installer and didn't prompt us for any server-related settings.

Immediately after the installation we found a Setup Wizard to help configure Elektron for wireless authentication. It prompted us to create a password (shared secret) for a wireless access point (RADIUS client) and helped configure/create a server certificate. The wizard was helpful, but could be improved by allowing you to enter passwords for individual access points rather than creating a catch-all entry for any access point, which is a less secure method.
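The shared secret the wizard asks for is what ties a RADIUS request to a particular access point: the server uses it to check the Message-Authenticator on each Access-Request and to sign its reply. The following Python example, added here and not part of the review or of Elektron, shows why a per-access-point table is the safer choice. It keeps a constructed client table keyed by the AP's address, verifies a request under that AP's secret (RFC 2869 Message-Authenticator), and computes the RFC 2865 Response Authenticator for the reply; the addresses, secrets and helper names are assumptions for the example.

```python
import hashlib
import hmac
import ipaddress
import struct

# RADIUS packet codes and attribute types (RFC 2865 / RFC 2869).
ACCESS_REQUEST = 1
ACCESS_ACCEPT = 2
ACCESS_REJECT = 3
ATTR_USER_NAME = 1
ATTR_MESSAGE_AUTHENTICATOR = 80

# Constructed per-client table: one shared secret per access point (NAS).
# Hypothetical store for this example, not Elektron's configuration format.
RADIUS_CLIENTS = {
    "192.0.2.10": b"lobby-ap-secret-constructed",
    "192.0.2.11": b"office-ap-secret-constructed",
}


def attribute(attr_type, value):
    """Encode one RADIUS attribute as Type(1) Length(1) Value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def packet(code, identifier, authenticator, attributes):
    """Encode the 20-byte RADIUS header followed by the attribute bytes."""
    return struct.pack("!BBH", code, identifier, 20 + len(attributes)) + authenticator + attributes


def sign_access_request(identifier, request_auth, attributes, secret):
    """Build an Access-Request carrying a Message-Authenticator (RFC 2869):
    HMAC-MD5 keyed with the shared secret over the packet with the
    Message-Authenticator value zero-filled."""
    zeroed = packet(ACCESS_REQUEST, identifier, request_auth,
                    attributes + attribute(ATTR_MESSAGE_AUTHENTICATOR, bytes(16)))
    mac = hmac.new(secret, zeroed, hashlib.md5).digest()
    return packet(ACCESS_REQUEST, identifier, request_auth,
                  attributes + attribute(ATTR_MESSAGE_AUTHENTICATOR, mac))


def verify_message_authenticator(data, secret):
    """Check the Message-Authenticator of a received Access-Request."""
    if len(data) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", data[:4])
    if code != ACCESS_REQUEST or length != len(data):
        return False
    work = bytearray(data)
    pos = 20
    while pos + 2 <= length:
        attr_type, attr_len = data[pos], data[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            return False  # malformed attribute list
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR and attr_len == 18:
            received = bytes(data[pos + 2:pos + 18])
            work[pos + 2:pos + 18] = bytes(16)
            expected = hmac.new(secret, bytes(work), hashlib.md5).digest()
            return hmac.compare_digest(received, expected)
        pos += attr_len
    return False  # no Message-Authenticator: refuse, EAP requests must carry one


def lookup_secret(nas_ip, clients=RADIUS_CLIENTS, catch_all=None):
    """Find the shared secret for the sending AP. With catch_all=None an
    unregistered AP gets no secret and is refused; a catch-all secret
    (the wizard's single entry) answers any source address with one key."""
    ip = str(ipaddress.ip_address(nas_ip))
    return clients.get(ip, catch_all)


def handle_access_request(src_ip, data, clients=RADIUS_CLIENTS, catch_all=None):
    """Server-side check: which AP sent this, and does the packet verify
    under that AP's secret? Returns 'unknown-client', 'bad-authenticator'
    or 'ok'."""
    secret = lookup_secret(src_ip, clients, catch_all)
    if secret is None:
        return "unknown-client"
    if not verify_message_authenticator(data, secret):
        return "bad-authenticator"
    return "ok"


def response_authenticator(code, identifier, request_auth, attributes, secret):
    """RFC 2865 section 3: the reply is authenticated with
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attributes))
    return hashlib.md5(header + request_auth + attributes + secret).digest()


if __name__ == "__main__":
    request_auth = bytes(range(16))  # constructed; a real NAS uses random bytes
    attrs = attribute(ATTR_USER_NAME, b"alice")
    req = sign_access_request(7, request_auth, attrs, RADIUS_CLIENTS["192.0.2.10"])
    print(handle_access_request("192.0.2.10", req))   # ok
    print(handle_access_request("192.0.2.11", req))   # bad-authenticator
    print(handle_access_request("192.0.2.99", req))   # unknown-client
    print(response_authenticator(ACCESS_ACCEPT, 7, request_auth, b"",
                                 RADIUS_CLIENTS["192.0.2.10"]).hex())
```

With a catch-all secret configured, the last call in the `__main__` block would return `ok` for any source address that knows the one shared key, which is the weakness the review points at: a per-client table lets the server refuse requests from an access point that was never registered.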

After using the Setup Wizard we were left in the dark as to our next step. Since we're experienced with the RADIUS process, we knew we had to configure the Authentication Provider (we used the internal database) and input user account info (we created a user on the Elektron Accounts page). But those not familiar with RADIUS might be confused because the wizard doesn't cover this and the Getting Started section in the documentation skips it as well. Nevertheless, after configuring our wireless access point with WPA2-Enterprise we were able to authenticate via Protected Extensible Authentication Protocol (PEAP).

While reviewing the Authentication settings we found we could add multiple Authentication Providers and dynamically assign users to them based upon their Domain or Access Point Group, with support for stripping the domain from the incoming username. We also found support for MAC address authentication, which, while not the most secure method, can be used to authenticate devices that don't support 802.1X security or the other protocols supported by Elektron. Another notable feature is the ability to block logins after multiple failed password attempts.

Authentication settings in Elektron

In the Authorization settings, we could create custom policies. We could deny connections, assign users to virtual LANs, append custom RADIUS response attributes or execute a script based upon various triggers: login time, username, user group, access point group, media access control address group or the result of a script. These provide the authorization functionality SMB networks usually require, but don't provide the full customization ability larger or service provider networks might require.
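To make the trigger-and-action model concrete, here is an added Python example of a small policy evaluator of the kind described above, together with the failed-password lockout mentioned in the Authentication section. It is not Elektron's code; the group names, VLAN numbers and rule names are constructed for the example. VLAN assignment is expressed with the standard Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID attributes (RFC 2868, as used for 802.1X by RFC 3580), and a time window whose end is earlier than its start is treated as spanning midnight.

```python
from dataclasses import dataclass, field
from datetime import time
from typing import Dict, Optional, Set, Tuple

# RFC 2868 values used for dynamic VLAN assignment (RFC 3580 usage).
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_TYPE_IEEE_802 = 6


@dataclass
class AuthzRequest:
    """What the server knows about a login when policies are evaluated."""
    username: str
    user_groups: Set[str]
    ap_group: str
    mac_group: Optional[str]
    login_time: time


def in_window(t: time, start: time, end: time) -> bool:
    """Half-open window [start, end); when end <= start (22:00 to 06:00)
    the window spans midnight."""
    if start < end:
        return start <= t < end
    return t >= start or t < end


@dataclass
class Rule:
    """One policy: every trigger that is set must match. action is
    'deny', 'vlan' or 'attributes'."""
    name: str
    action: str
    username: Optional[str] = None
    user_group: Optional[str] = None
    ap_group: Optional[str] = None
    mac_group: Optional[str] = None
    time_window: Optional[Tuple[time, time]] = None
    vlan_id: Optional[str] = None
    attributes: Dict[str, object] = field(default_factory=dict)

    def matches(self, req: AuthzRequest) -> bool:
        if self.username is not None and self.username != req.username:
            return False
        if self.user_group is not None and self.user_group not in req.user_groups:
            return False
        if self.ap_group is not None and self.ap_group != req.ap_group:
            return False
        if self.mac_group is not None and self.mac_group != req.mac_group:
            return False
        if self.time_window is not None and not in_window(req.login_time, *self.time_window):
            return False
        return True


def vlan_attributes(vlan_id: str) -> Dict[str, object]:
    """The three Access-Accept attributes an 802.1X AP or switch reads
    to place the session in a VLAN."""
    return {"Tunnel-Type": TUNNEL_TYPE_VLAN,
            "Tunnel-Medium-Type": TUNNEL_MEDIUM_TYPE_IEEE_802,
            "Tunnel-Private-Group-ID": vlan_id}


def authorize(rules, req: AuthzRequest):
    """Evaluate rules in order. The first matching deny rejects the login;
    VLAN and attribute rules accumulate, later rules overriding earlier
    keys. Returns ('reject', {'reason': ...}) or ('accept', attributes)."""
    attrs: Dict[str, object] = {}
    for rule in rules:
        if not rule.matches(req):
            continue
        if rule.action == "deny":
            return "reject", {"reason": rule.name}
        if rule.action == "vlan":
            attrs.update(vlan_attributes(rule.vlan_id))
        elif rule.action == "attributes":
            attrs.update(rule.attributes)
    return "accept", attrs


class LockoutTracker:
    """Block a username after max_failures consecutive bad passwords;
    checked before any authorization rule runs."""
    def __init__(self, max_failures: int = 5):
        self.max_failures = max_failures
        self.failures: Dict[str, int] = {}

    def record_failure(self, username: str) -> int:
        self.failures[username] = self.failures.get(username, 0) + 1
        return self.failures[username]

    def record_success(self, username: str) -> None:
        self.failures.pop(username, None)

    def is_locked(self, username: str) -> bool:
        return self.failures.get(username, 0) >= self.max_failures


# Constructed policy set with hypothetical group and VLAN names.
RULES = [
    Rule("contractors-off-hours", "deny", user_group="contractors",
         time_window=(time(18, 0), time(8, 0))),
    Rule("guest-ssid-vlan", "vlan", ap_group="guest-aps", vlan_id="200"),
    Rule("printers-vlan", "vlan", mac_group="printers", vlan_id="30"),
    Rule("staff-vlan", "vlan", user_group="staff", vlan_id="10"),
    Rule("staff-session-limit", "attributes", user_group="staff",
         attributes={"Session-Timeout": 28800}),
]
```

Rule order matters in this design: deny rules are placed first so a contractor logging in at night is rejected before any VLAN rule runs, and because later VLAN rules override earlier ones, a staff member who associates to a guest access point ends up on the staff VLAN rather than the guest one. Whether that is the intended outcome is exactly the kind of question to settle when writing policies with triggers that can overlap.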

In the Accounting section we found basic access and error logs, viewable only in the GUI and not able to be sent to a database. We were impressed with the Event Handler feature that allows you to easily enable notifications on events like logins, failed logins, password lockouts and errors.


Originally published on Network World.