RADIUS Is The Secure WLAN’s Best Friend
Lee H. Badman
June 16, 2011
RADIUS servers can be expensive or open source and can come as appliances or be virtualized. Not all servers support every EAP type. As for EAP type, organizational security policy and client device demographics go a long way toward driving what you go with. For my “half-Windows, half-Mac” wireless environment, I ended up going with Cisco Secure ACS server, and supplicants native to each OS running Protected EAP (PEAP) with MS-CHAPv2, using WPA2/AES for security, but there are a handful of other "typical" combinations.
We use an amazing utility from a company called Cloudpath to automatically configure supplicants (this can be thorny), and I’m proud to say that a few years ago my team was able to rapidly roll out a very large, secure wireless network based on RADIUS with minimal pain. Thousands of users on a dizzying range of client devices connect to our secure WLAN daily without a second thought, while other environments trying to do the same are plagued with frustrations.
As we evolve our RADIUS environment (new security certificates, ditching the appliances and taking the application into our ESX environment), I continue to be impressed that we can use information in our Active Directory to steer wireless users to different networks from the same SSID, and can automate as many other nuanced policy enforcements with RADIUS as we can dream up. Yes, sexy new access points are easy to get excited about, and high data rates generate buzz, but RADIUS is just as cool. Think of it as one of the wizards behind the curtain--at your beckoning once you know how to talk to it.