RADIUS Is The Secure WLAN’s Best Friend
When the topic of high-quality wireless networking comes up, its trendy to bandy about notions of blazing throughput and Star Trek-sounding features like "beam forming" and "band steering." But before a client gets to benefit from the growing magic built into the contemporary wireless network, it probably needs to be scrutinized under the lens of “triple A”: authentication, authorization and accounting. This is where the often unsung hero called RADIUS comes in.
June 16, 2011
When the topic of high-quality wireless networking comes up, its trendy to bandy about notions of blazing throughput and Star Trek-sounding features like "beam forming" and "band steering." But before a client gets to benefit from the growing magic built into the contemporary wireless network, it probably needs to be scrutinized under the lens of “triple A”: authentication, authorization and accounting. This is where the often unsung hero called RADIUS comes in.
RADIUS stands for Remote Authentication Dial In User Service. It has roots in the dial-up ISP heyday, but has matured into an incredibly powerful and mostly standardized framework that enables a range of “triple A” services. On the typical secure WLAN, a good RADIUS implementation is the key to good user experience, minimal help desk calls and peace of mind for the ranking organizational security wonk.
At the building block level, RADIUS is made up of three pieces. The supplicant lives at the client device, and is usually thought of as the “wireless configuration” when we’re talking RADIUS and Wi-Fi. The second important part is the authenticator, which is a function of either the wireless access point or the controller, depending on the WLAN system architecture. The final piece is the authentication server, or the RADIUS server. Combine these in the right configuration, and users are either let on or denied access to the WLAN depending on credential validity, and encryption keys are set up for every session (if not every packet, depending on specifics of Implementation).
I’ve seen countless organizations agonize about how to roll out an 802.1x-secured wireless environment using RADIUS as the cornerstone of enterprise wireless security. Usual pain points? What specific RADIUS server to use and which EAP, or Extensible Authentication Protocol, type (drives complexity, client settings and overall security level) to go with. If you’re new to this part of the wireless game, you’ll need to do some introspection to reach the conclusion that works for you.RADIUS servers can be expensive or open source and can come as appliances or be virtualized. Not all servers support every EAP type. As for EAP type, organizational security policy and client device demographics go a long way toward driving what you go with. For my “half-Windows, half-Mac” wireless environment, I ended up going with Cisco Secure ACS server, and supplicants native to each OS running Protected EAP (PEAP) with MS-CHAPv2, using WPA2/AES for security, but there are handful of other "typical" combinations.
We use an amazing utility from a company called Cloudpath to automatically configure supplicants (this can be thorny), and I’m proud to say that a few years ago my team was able to rapidly roll out a very large, secure wireless network based on RADIUS with minimal pain. Thousands of users on a dizzying range of client devices connect to our secure WLAN daily without a second thought, while other environments trying to do the same are plagued with frustrations.
As we evolve our RADIUS environment (new security certificates, ditching the appliances and taking the application into our ESX environment), I continue to be impressed that we can use information in our Active Directory to steer wireless users to different networks from the same SSID, and can automate as many other nuanced policy enforcements with RADIUS as we can dream up. Yes, sexy new access points are easy to get excited about, and high data rates generate buzz, but RADIUS is just as cool. Think of it as one of the wizards behind the curtain--at your beckoning once you know how to talk to it.
You May Also Like
2024 InformationWeek US IT Salary Report
Aug 15, 20242022 State of ITOps and SecOps
Jun 21, 2022