Add a RADIUS Server to Your SMB's Network
By Eric Geier
RADIUS servers support the authentication of millions of users to ISPs and networks every day. Small and medium-sized businesses might also require RADIUS/AAA for wireless 802.1X security or VPN connections. Here we'll review three different servers smaller organizations might consider.
Elektron RADIUS Server
Periodik Labs offers a RADIUS server for both Windows and Mac OS X, starting at $750.00. It can run on the legacy and latest operating systems: Windows 2000 to Windows 7/Server 2008 R2 and Mac OS X 10.3.9 to 10.6. It requires 20 MB of disk space and 128 MB of RAM.
The Elektron RADIUS Server supports many databases for storing and retrieving the user account information:
However, there isn't database support for the RADIUS client (access point) list. You must enter the IP addresses and shared secrets of the RADIUS clients in its built-in list.
The Elektron RADIUS Server features access policies to help you further control access. For example, you could specify the AP users connect through, limit connections based on day and time, and assign users to VLANs.
Elektron has a server replication feature, which is not always included in comparable servers. This keeps a backup server configured in case the primary server goes down. However, you must purchase a second server license.
The server supports accounting to log connection details; however, the data is only logged to a text file and optionally forwarded to another remote RADIUS server. The event handler feature, on the other hand, is very useful. It can alert you via e-mail, syslog, script, or SNMP trap when a selected event occurs, such as failed logins, password lockout, or a change in server status.
Elektron features a useful wizard to create a self-signed CA certificate for the server. It also helps you export the CA certificate to the computers via e-mail and installers. However, Elektron doesn't help create user certificates, such as when using EAP-TLS.
ClearBox Enterprise RADIUS Server
XPerience Technologies offers a RADIUS server for the Windows platform, starting at $599. It supports Windows 2000 to Windows Vista/Server 2008. It requires 8 MB of free disk space and at least 256 MB of RAM.
It supports the most popular EAP implementations for 802.1X: PEAP, EAP-TLS, and EAP-TTLS. It doesn't support LEAP or EAP-FAST; however, these are now older, insecure protocols. It does support a couple of other non-wireless authentication protocols: ASCII, PAP, CHAP, MS-CHAP/MS-CHAPv2, ARAP, and SIP-Digest.
The ClearBox Enterprise RADIUS Server also supports many databases for storing and retrieving the user account information:
Like Elektron, ClearBox also has a built-in database for listing the RADIUS client (access point) details. Plus it even has a dynamic client feature where it can query a database, unlike Elektron.
ClearBox supports authorization features to better control access. When using the internal User Manager, you can limit access by login hours, expiration date, time credit, MAC address, and more. When using a different user database, you'd have to manually define attributes.
ClearBox includes a load balancing and fail-over feature. However, unlike Elektron, there isn't replication support.
ClearBox offers several ways to output accounting data. It can log packets to the internal or an external database or a file, or proxy-forward them to a remote RADIUS server. It also supports syslog and other advanced logging.
Like Elektron, ClearBox includes a wizard to create a self-signed CA certificate for the server. It doesn't help distribute the certificate, but it can create and manage user certificates for EAP-TLS. Plus it can create a certificate signing request for a third-party CA, like Verisign or GoDaddy.
TekRADIUS
TekRADIUS is a RADIUS server for the Windows platform. The Freeware version can be used for both commercial and personal use. The Enterprise edition runs for $149, and gives you EAP-TLS support.
TekRADIUS has been tested on Windows XP, Windows 2003 Server, and Windows Vista. At least a Pentium IV class CPU and 1 GB of RAM is recommended. The Microsoft .NET Framework 4.0 Client Profile must be installed. When running the Microsoft SQL Server Edition, it also requires Microsoft SQL Server. Alternatively, there is the SQLite Edition.
It supports the following wireless authentication protocols: PEAP, EAP-TLS (Enterprise edition only), and EAP-MD5. It also supports the following general protocols: PAP, CHAP, MS-CHAP/MS-CHAPv2, and SIP-Digest.
User accounts can be created and modified in the server manager or via a command line utility. They are stored by the MS SQL Server or SQLite database. It also supports authentication with Windows Domains or Active Directory.
RADIUS client (or access point) details can be entered via the GUI and are stored in the MS SQL or SQLite database.
Unlike the two previous servers, you must manually set up attributes to implement access policies such as login times and expiration dates.
TekRADIUS logs accounting data in the MS SQL or SQLite database. The Reporting tab on the server manager can display the data, with the ability to limit it to a date range, user, or group.
Like Elektron and ClearBox, TekRADIUS offers a wizard (TekCERT) to create a self-signed CA certificate for the server. Like ClearBox, it also helps create client-side certificates for EAP-TLS. But it doesn't offer any deployment or third-party request features.
There are more options
We reviewed three different RADIUS servers. Elektron seems to be the most user-friendly, ClearBox the most advanced, and TekRADIUS the most economical.
Remember, if you run a Domain network with Active Directory on a Windows Server, you already have RADIUS capability. Check out the Internet Authentication Service (IAS), or Network Policy Server (NPS) for 2008 and later.
If running your own RADIUS server is too costly or time-consuming for your organization, consider outsourced services, like those listed in this article on 18 free or no-cost solutions for your network.
Eric Geier founded NoWiresSecurity, which helps small businesses quickly and easily protect their Wi-Fi with enterprise-level security. He's also a freelance tech writer and author of many networking and computing books, for brands like For Dummies and Cisco Press.
For more help, check out the PracticallyNetworked Forums.