Author: Eric Geier
Review Date: 12/24/2008
Businesses of all sizes are finding it harder and harder to secure their wireless networks. WEP encryption was cracked, and its level of security debunked long ago. The pre-shared key or personal type of WPA encryption is also vulnerable to brute force dictionary attacks that can find the network's passphrase. Businesses searching to protect themselves against potentially devoted Wi-Fi hackers will find they must use the enterprise version of WPA or WPA2, which adds authentication into the mix. However, smaller businesses may be turned off by the idea after reviewing what is needed to implement the enterprise version, a RADIUS server.
If you're from a small business, you shouldn't give up yet; there are RADIUS servers out there targeted toward you. Periodik Labs (formerly Corriente Networks) describes its Elektron RADIUS Server as "the world's easiest to use." One of its slogans is "Wireless Without Worry," and it touts its software product as being the strongest security available for Wi-Fi networks. This review puts Elektron through the ropes, to see just how easy it is to use and how secure it will make your Wi-Fi connections.
General Server Features
We found that Elektron (see Figure 1) has a server replication feature, which is not always included in other comparable servers. This allows you to easily configure a backup RADIUS server to take over if the primary server goes down. Additionally, Elektron uses the least privilege scheme to better protect the server from intrusion and hacking attempts. The software doesn't run with administrative privileges until it is required. A more common feature that Elektron also includes is remote administration. You can configure the server from other computers on the local network. This is particularly handy if you're running the server headless, without a monitor, keyboard, and mouse.
We did indeed find that Elektron supports all the latest Wi-Fi authentication protocols: PEAP, LEAP, EAP-TLS, EAP-FAST and EAP-TTLS. If you're looking for username and password based authentication in conjunction with the WPA/WPA2 encryption, you'll probably want to use PEAP with MSCHAPv2. Another popular authentication scheme, although more complex to maintain, is PEAP with EAP-TLS. Elektron would then authenticate users based on whether they have the proper digital certificate installed on their computer. Elektron can create and help manage these client certificates, so you can grant and revoke access to your wireless LAN.
In addition to Wi-Fi authentication protocols, Elektron supports basic RADIUS protocols, such as PAP and CHAP. These can be used for authenticating other network devices, like VPN concentrators and firewalls. Elektron isn't limited to just wireless authentication.
Elektron also sports MAC address authentication, which can be used in conjunction with an authentication protocol. Although MAC address filtering can be bypassed, it adds another layer of security. Another authentication feature worth mentioning is account lockout. You can set Elektron to reject any requests from a user for a certain amount of time after he or she has had so many failed attempts.
Backends for User Authentication
One major aspect you should look into when searching for a RADIUS server is the databases and back-end systems it can use to retrieve user credentials. For example, if you administer a domain network with Active Directory, you'll likely want the RADIUS server to be able to consult the accounts already set up in the directory. However, if you have a small system where you don't centrally manage your network, you'd want a server that offers an internal database where you can manually input user credentials or one that can consult with the Windows system accounts. Whatever your need, Elektron will likely support it.
As shown in Figure 2, here is the rundown of the authentication backends Elektron supports:
- Elektron Accounts
- ODBC (SQL)
- Windows Accounts
- Mac OS X Directory Services
The acronym AAA, which identifies the three functions RADIUS servers provide, stands for Authentication, Authorization and Accounting. We've already discussed Elektron's authentication abilities. Now it's time to hit on its authorization capabilities, the ways in which the software can regulate the conditions of access to be granted to users.
Part of the authorization function is regulating which RADIUS clients, the access points (APs), users can authenticate through. We found Elektron provides an internal database where you can list the IP address and shared secret of the APs, which is great for easy configuration of smaller networks. However, for larger, more complex environments, Elektron lacks database-driven AP authorization.
Elektron offers another authorization feature, access policies. This allows you, for example, to limit a user's access based on their account group designation, the AP they connect through, or the day and time. Denying a connection request and assigning a user to a VLAN are two of the several actions you can impose when the desired criteria are met. We found these policy triggers (see Figure 3) and actions (see Figure 4) are easily configurable in Elektron.
The last A of a RADIUS server's functions (AAA) is Accounting, where the server can receive and keep track of user activity. Accounting data generally includes information such as when a user logged on and off, the number of packets and amount of data transferred, and the IP address of the AP he or she connected through.
Elektron provides accounting features; however, we found it could use improvements. Accounting data is only logged to a text file and optionally forwarded to another remote RADIUS server. Other comparable servers let you push the information to a database, so administrators can better scour through the data. In ISP environments, they could use it to find out how much to charge their customers. We were, though, impressed with the event handler piece of Elektron's accounting function. You can set up the server to send an e-mail, syslog, script, or SNMP trap when a certain event happens, such as on successful or failed logins, server status, or password lockout.
Configuring the RADIUS Server
During our testing, we installed and configured the Elektron RADIUS server to authenticate users in the office, enabling us to use WPA/WPA2-Enterprise encryption. We found, in fact, that it was extremely easy to set up, as Periodik Labs promises. We settled on using PEAP with MSCHAPv2, which the following testimonial describes.
Once we installed Elektron, we used the wizard to create a self-signed certificate for the server. Next, we set the default Authentication Domain to the Elektron Accounts option, so we could take advantage of the internal user database. Then we populated the Access Points list with the IP addresses of our APs, plus we gave each a unique shared secret. That wraps up all the required configuration we made on the server side.
Since we didn't use a third-party certificate authority (CA) like VeriSign or GoDaddy, we had to export the self-signed certificate from Elektron and install it on all the computers. The same would be required if we used any other RADIUS server. To our surprise, Elektron provides several options for exporting, including an e-mail function and installers that try to simplify the process.
Then we logged onto the Web-based utility for each of our APs and configured the WPA encryption and 802.1X authentication settings. Once we selected WPA, we could input the IP address of the computer hosting Elektron and the shared secret we created for the particular AP.
Lastly, we configured the computers with the proper WPA encryption and 802.1X authentication settings. Then we brought up our list of available wireless networks and hit connect. Prompted for user credentials by Windows, we entered the username and password of our accounts configured in Elektron. Voilà — everything worked, and we were connecting to an extremely secure wireless network in a matter of half an hour.
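The AP list of IP addresses and per-AP shared secrets described under authorization, and populated during the setup above, is what lets a RADIUS server reject requests from devices it does not know. The following added example (not Elektron's code, and not from the vendor) shows the standard check from RFC 3579: look up the secret by source IP, then verify the HMAC-MD5 Message-Authenticator attribute. The IP addresses, secrets and function names are constructed for illustration.

```python
import hashlib
import hmac
import os
import struct

# Constructed AP list: source IP -> unique shared secret (placeholder values).
AP_LIST = {
    "192.0.2.10": b"constructed-secret-ap1",
    "192.0.2.11": b"constructed-secret-ap2",
}
ACCESS_REQUEST = 1
MESSAGE_AUTHENTICATOR = 80  # attribute type; value is a 16-byte HMAC-MD5


def build_access_request(secret, identifier, username):
    """What an AP sends when relaying an EAP identity: User-Name, EAP-Message, MA."""
    user_attr = bytes([1, 2 + len(username)]) + username
    eap = struct.pack("!BBHB", 2, identifier, 5 + len(username), 1) + username
    eap_attr = bytes([79, 2 + len(eap)]) + eap
    ma_attr = bytes([MESSAGE_AUTHENTICATOR, 18]) + bytes(16)
    attrs = user_attr + eap_attr + ma_attr
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    packet = bytearray(header + os.urandom(16) + attrs)
    # HMAC-MD5 over the whole packet, computed while the MA value is all zeros.
    packet[-16:] = hmac.new(secret, bytes(packet), hashlib.md5).digest()
    return bytes(packet)


def verify_request(source_ip, packet):
    """Server side: accept only listed APs whose Message-Authenticator verifies."""
    secret = AP_LIST.get(source_ip)
    if secret is None:
        return "drop: unknown AP"
    length = len(packet)
    if (length < 20 or packet[0] != ACCESS_REQUEST
            or int.from_bytes(packet[2:4], "big") != length):
        return "drop: malformed"
    pos = 20
    while pos + 2 <= length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            return "drop: malformed"
        if attr_type == MESSAGE_AUTHENTICATOR and attr_len == 18:
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            ok = hmac.compare_digest(expected, packet[pos + 2:pos + 18])
            return "accept" if ok else "drop: bad Message-Authenticator"
        pos += attr_len
    return "drop: no Message-Authenticator"
```

Because each AP has its own secret, a request signed with one AP's secret fails verification when it arrives from another AP's address, which limits the impact of a single leaked secret.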
Our Final Words
In our review, we found that the Elektron 2.0 RADIUS Server was easy to configure and use. With help from the documentation, this allows those without expertise to configure an exceptionally secure Wi-Fi network. Although a few advanced features are lacking, most small or even midsize businesses will be pleased with Elektron.
Remember, you can take Elektron on a test drive with its 30-day fully functional trial. For step-by-step instructions on setting up the server, check out a set of tutorials from one of our sister sites.
Vendor: Periodik Labs
Pros: User-friendly; Built-in user database; Reasonably priced.
Cons: Lacking database support for AP list; Accounting function lacking.
Eric Geier is the Founder and President of Sky-Nets, Ltd., a Wi-Fi Hotspot Network. He is also the author of many networking and computing books, including Home Networking All-in-One Desk Reference For Dummies (Wiley 2008) and 100 Things You Need to Know about Microsoft Windows Vista (Que 2007).