Need a Remote Authentication Dial-In User Service (RADIUS) server for your authentication, authorization and accounting (AAA) needs? You can spend thousands on RADIUS solutions, but there are also a number of lower-cost alternatives.
These solutions are especially useful for smaller organizations that may only be using it for a single purpose, such as to implement enterprise Wi-Fi security with 802.1X authentication. Many, however, can also be used for other AAA purposes.
If you’re running a Windows Server, keep in mind you already have RADIUS capability. Before using a third-party server, look into the Internet Authentication Service (IAS) component in Windows Server 2003 R2 and earlier or the Network Policy Server (NPS) component in Windows Server 2008 and later.
For those without a Windows Server, or those who require more functionality and customization, consider these solutions:
This free and open source software is one of the most popular RADIUS servers in the world. FreeRADIUS can be set up on an old desktop tower to serve anywhere from a dozen to a few hundred users, or it can be installed on appropriate servers to support up to millions of users and requests. FreeRADIUS is designed for running on Unix, Linux and other Unix-like operating systems. You can find it in the repositories of most Linux distributions, where it installs easily, or compile it manually on most others. By default, FreeRADIUS has a command-line interface, and settings are changed by editing configuration files, so it is best suited to IT professionals with Unix/Linux experience. The configuration is highly customizable, and because it’s open source you can even make code changes to the software.
FreeRADIUS.net is a free Windows distribution of FreeRADIUS, designed to work on Windows XP. It may also work on other versions of Windows. It’s offered via a Windows installer, but it is based on the old FreeRADIUS version 1.1.7. You can also manually build your own binaries, but you may be limited to the 2.0 version. Due to these version limitations, and given that it doesn’t run on its native platform, FreeRADIUS.net isn’t suitable for critical networks. But it’s great for RADIUS newbies who want to experiment and aren’t familiar with Unix or Linux.
TekRADIUS runs on Windows and offers a GUI. The basic features are offered for free; additional versions can be purchased. The TekRADIUS Enterprise version ($149) adds support for EAP-TLS, dynamic self-signed certificate creation for PEAP sessions, NTLM authentication for MS-CHAP authentication methods and regular-expression-based attribute matching. The TekRADIUS SP version ($449) gives you VoIP billing in addition to the enterprise features.
4. Access Points
If you’re looking for a RADIUS solution just for 802.1X authentication so you can implement enterprise Wi-Fi security, keep in mind some access points (APs) have an embedded RADIUS server, for example the HP ProCurve 530. Additionally, ZyXEL offers built-in RADIUS on a couple of different business-class APs, such as the NWA-3500, NWA3166 or NWA3160-N. These are priced over $230 and are great for those who don’t want to set up and maintain their own server. One of these could serve as the authentication server for all the other APs, and they don’t even have to be of the same model or brand.
RouterOS is the operating system (OS) MikroTik uses for its RouterBOARD products. It is offered for free with limited functionality, and with all features for a nominal fee ($45+). It includes an embedded RADIUS server. Since it offers all the main router functions (e.g., NAT firewall, VPN server and hotspot gateway), it could even be used as the main network router. The OS is downloadable as an ISO image that you can burn to a CD and boot from to install it. A Windows utility is also offered to write RouterOS to a secondary drive that’s been attached; the drive can then be moved to the dedicated PC or server. Configuration changes can be made via a few methods, including command-line, web browser, and RouterOS’ Windows WinBox utility.
ZeroShell is another router OS, but it is open source and completely free. It also includes a built-in RADIUS server among the usual router functionalities: NAT firewall, VPN, and so on. ZeroShell is offered as a live CD, so it doesn’t have to be installed and requires only a small drive to save the configuration. However, this project isn’t as popular as others and is still in beta. Thus, it isn’t the best choice for critical networks.
AuthenticateMyWiFi is a cloud-based service priced starting at $13/month. It offers hosted server access specifically for 802.1X authentication. It enables small and midsize organizations to easily use the enterprise mode of WPA or WPA2 security for their Wi-Fi network. Since there’s no server to set up, it’s great for organizations without an IT staff. Since AuthenticateMyWiFi is cloud-based, it also makes securing Wi-Fi networks at multiple offices easy.
Although ClearBox is available only as a commercial offering, a 30-day evaluation is provided, and the $599 price after that is relatively low compared to other solutions. ClearBox runs on Windows and is configured through a no-frills GUI. It offers a configuration wizard to ease setup, while at the same time it is highly flexible and customizable. ClearBox supports integration with several billing systems as well.
Elektron is another commercial RADIUS server. It is priced at $750 after the 30-day evaluation. Elektron is marketed mostly toward providing 802.1X authentication for enterprise Wi-Fi security, but it can also be used for other AAA needs. Elektron runs on Windows and provides a GUI that’s a bit more fresh and inviting than others. Although it should still be set up and maintained by an IT professional, the server and documentation are designed more for newbies than other solutions are. Although Elektron is flexible, it doesn’t offer as much customization as some other solutions do.