Getting ready to deploy a RADIUS server so you can utilize 802.1X authentication for enterprise Wi-Fi security? There are a few tips you should consider before moving forward.
Check your existing servers for RADIUS functionality
Before purchasing or setting up a server specifically for RADIUS, ensure you don’t already have the functionality in any existing server. If you have a Windows Server, for instance, you can use the Internet Authentication Service (IAS) component in Windows Server 2003 R2 and earlier, or the Network Policy Server (NPS) component in Windows Server 2008 and later.
Other network components can also have a built-in RADIUS server, such as network-attached storage (NAS) servers and even some wireless access points.
Consider other server alternatives
For large networks with hundreds of Wi-Fi users, an on-premises server dedicated to RADIUS is likely the best option. But before purchasing a server, consider using the free and open source FreeRADIUS.
For small and medium-sized networks, there are other alternatives you should investigate that could save you significant time and money. There are cloud-hosted RADIUS solutions that don’t require you to set up a server at all, so you spend no time on installation, configuration or maintenance. As briefly mentioned, there are also some network-attached storage (NAS) servers and wireless access points that have a built-in RADIUS server. However, these solutions are generally best suited for very small networks due to the lack of computing resources dedicated to the server.
If a traditional on-premises server is desired, again first determine if the free and open source FreeRADIUS server might work. However, it’s best to have some Linux and command-line experience when working with FreeRADIUS. If you want more of an out-of-the-box GUI solution, consider one of the lower-cost server solutions, such as TekRADIUS or ClearBox.
Choose an EAP type
As you might be aware, there are multiple ways you can deploy 802.1X authentication, based upon which EAP type you choose. The two most popular EAP types are PEAP and TLS. PEAP is easier to set up and use, and it enables Wi-Fi users to log in with usernames and passwords. Pretty much all operating systems these days make it quick and simple to log in via PEAP, so you’ll likely just have to inform users of their credentials and they’ll be able to log in.
TLS is a more complex solution, but it does offer better overall security. You’ll need to give each Wi-Fi user a digital certificate or SmartCard, which must be installed on the devices before they can connect to the Wi-Fi. Since you must give each user a unique certificate file or SmartCard, the process takes considerably more time and effort from everyone.
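To make the per-user effort of EAP-TLS concrete, here is an added example (not from the original article) that issues a unique client certificate for each Wi-Fi user with the OpenSSL command line. The throwaway lab CA, its subject name, the file layout and the function names are all assumptions made for illustration.

```shell
# Constructed example: one EAP-TLS client certificate per Wi-Fi user.
# CA subject, user names, passwords and file names are illustrative placeholders.
set -eu

# Create a throwaway lab CA in directory $1 (keep a production CA key offline).
make_ca() {
  mkdir -p "$1"
  # Minimal config so the result does not depend on the system openssl.cnf.
  printf '%s\n' '[req]' 'distinguished_name=dn' 'x509_extensions=ca' '[dn]' \
    '[ca]' 'basicConstraints=critical,CA:TRUE' \
    'keyUsage=critical,keyCertSign,cRLSign' > "$1/req.cnf"
  openssl req -x509 -config "$1/req.cnf" -newkey rsa:2048 -nodes -sha256 \
    -days 30 -subj "/CN=Example Wi-Fi Lab CA" \
    -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
}

# Issue a unique key and certificate for user $2 from the CA in $1, then bundle
# them as PKCS#12 (protected by password $3) for import on the user's device.
issue_user_cert() {
  # Reject names that could alter the subject string or the output paths.
  case "$2" in ''|*[!A-Za-z0-9._-]*) return 1 ;; esac
  openssl req -config "$1/req.cnf" -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=$2" -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
  # The clientAuth EKU limits the certificate to client authentication.
  printf 'extendedKeyUsage=clientAuth\n' > "$1/$2.ext"
  openssl x509 -req -in "$1/$2.csr" -sha256 -days 30 \
    -CA "$1/ca.pem" -CAkey "$1/ca.key" -CAcreateserial \
    -extfile "$1/$2.ext" -out "$1/$2.pem" 2>/dev/null
  openssl pkcs12 -export -inkey "$1/$2.key" -in "$1/$2.pem" \
    -certfile "$1/ca.pem" -passout "pass:$3" -out "$1/$2.p12"
  chmod 600 "$1/$2.key" "$1/$2.p12"
}

# Succeeds only if user $2's certificate chains to the CA in $1 and is
# acceptable for TLS client authentication.
verify_user_cert() {
  openssl verify -CAfile "$1/ca.pem" -purpose sslclient "$1/$2.pem" \
    >/dev/null 2>&1
}
```

Each user ends up with a separate `.p12` bundle to install, and the RADIUS server only needs `ca.pem` to validate them.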
Check out previous articles
We have previously discussed additional tips you can utilize when implementing a RADIUS server for Wi-Fi security. You may find some of these previous articles useful: 4 Mistakes to Avoid When Deploying a RADIUS Server, Troubleshooting RADIUS Server or Client Issues, Enabling Server Validation for Windows and Android 802.1X Clients, and 5 Free RADIUS Testing and Monitoring Tools.
Eric Geier is a freelance tech writer — keep up with his writings on Facebook. He’s also the founder of NoWiresSecurity, a cloud-based Wi-Fi security service, and On Spot Techs, an on-site RF site surveying and other computer services company.