RADIUS Is The Secure WLAN’s Best Friend

When the topic of high-quality wireless networking comes up, it's trendy to bandy about notions of blazing throughput and Star Trek-sounding features like "beam forming" and "band steering." But before a client gets to benefit from the growing magic built into the contemporary wireless network, it probably needs to be scrutinized under the lens of “triple A”: authentication, authorization and accounting. This is where the often unsung hero called RADIUS comes in.

RADIUS stands for Remote Authentication Dial In User Service. It has roots in the dial-up ISP heyday, but has matured into an incredibly powerful and mostly standardized framework that enables a range of “triple A” services. On the typical secure WLAN, a good RADIUS implementation is the key to good user experience, minimal help desk calls and peace of mind for the ranking organizational security wonk.

At the building block level, RADIUS is made up of three pieces. The supplicant lives at the client device, and is usually thought of as the “wireless configuration” when we’re talking RADIUS and Wi-Fi. The second important part is the authenticator, which is a function of either the wireless access point or the controller, depending on the WLAN system architecture. The final piece is the authentication server, or the RADIUS server. Combine these in the right configuration, and users are either let on or denied access to the WLAN depending on credential validity, and encryption keys are set up for every session (if not every packet, depending on specifics of implementation).
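The relay between those three pieces, as an added example that is not part of the original article: the supplicant produces an EAP identity response, the authenticator wraps it in a RADIUS Access-Request protected by the shared secret, and the server checks that protection before reading the identity. The function names, secret and identity are constructed for illustration; the packet layout follows RFC 2865, RFC 3579 and RFC 3748.

```python
import hashlib, hmac, os, struct

ACCESS_REQUEST = 1                       # RADIUS code (RFC 2865)
USER_NAME, EAP_MESSAGE, MSG_AUTH = 1, 79, 80   # attribute types (RFC 2865/3579)
EAP_RESPONSE, EAP_IDENTITY = 2, 1        # EAP code and type (RFC 3748)
# Constructed sample values, not from any real deployment
SECRET, IDENTITY = b"constructed-shared-secret", b"user@example.org"

def supplicant_identity(eap_id, identity):
    """Supplicant: answer the EAP identity request."""
    body = bytes([EAP_IDENTITY]) + identity
    return struct.pack("!BBH", EAP_RESPONSE, eap_id, 4 + len(body)) + body

def _attr(kind, value):
    return bytes([kind, len(value) + 2]) + value

def authenticator_wrap(radius_id, eap, identity, secret):
    """Authenticator (AP or controller): relay the EAP packet inside an Access-Request."""
    attrs = _attr(USER_NAME, identity) + _attr(EAP_MESSAGE, eap) + _attr(MSG_AUTH, bytes(16))
    header = struct.pack("!BBH", ACCESS_REQUEST, radius_id, 20 + len(attrs)) + os.urandom(16)
    # Message-Authenticator = HMAC-MD5 over the packet with its own value zeroed
    mac = hmac.new(secret, header + attrs, hashlib.md5).digest()
    return header + attrs[:-16] + mac

def server_accepts(packet, secret):
    """RADIUS server: return the EAP identity if the request verifies, else None."""
    length = len(packet)
    if length < 20 or packet[0] != ACCESS_REQUEST or int.from_bytes(packet[2:4], "big") != length:
        return None
    zeroed, eap, mac, pos = bytearray(packet), b"", None, 20
    while pos + 2 <= length:
        kind, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            return None
        value = packet[pos + 2:pos + alen]
        if kind == EAP_MESSAGE:
            eap += value                 # long EAP packets span several attributes
        elif kind == MSG_AUTH and alen == 18:
            mac = value
            zeroed[pos + 2:pos + 18] = bytes(16)
        pos += alen
    if pos != length or mac is None:
        return None
    expected = hmac.new(secret, bytes(zeroed), hashlib.md5).digest()
    if not hmac.compare_digest(mac, expected):
        return None
    if len(eap) < 5 or eap[0] != EAP_RESPONSE or eap[4] != EAP_IDENTITY:
        return None
    return eap[5:]
```

A request built with a different shared secret, or altered after the authenticator signed it, fails the Message-Authenticator check and is dropped before the server looks at the identity.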

I’ve seen countless organizations agonize about how to roll out an 802.1X-secured wireless environment using RADIUS as the cornerstone of enterprise wireless security. Usual pain points? Which specific RADIUS server to use, and which EAP (Extensible Authentication Protocol) type to go with, a choice that drives complexity, client settings and overall security level. If you’re new to this part of the wireless game, you’ll need to do some introspection to reach the conclusion that works for you.

