What are some easy solutions for implementing 802.1X based authentication on a SOHO wireless network?

For those involved in deploying wireless networks in enterprise settings, using 802.1X for authentication is most likely old hat. However, smaller operations that have not made a significant investment in wireless infrastructure or taken the time to investigate the matter may not realize that they already possess all the needed tools to migrate to a WPA-Enterprise deployment.

An 802.1X wireless network consists of three components, the RADIUS server, Network Access Servers (your APs), and any client devices. Many consumer grade APs now support 802.1X and are easily configurable - just tell it which RADIUS server to connect to and the shared secret used to protect traffic between it and your AP. Additionally most operating systems in common use (Windows XP, Mac OS X, and Linux) easily support 802.1X for wireless authentication. So far these requirements should be easily satisfied.

The biggest piece of the puzzle is the RADIUS server. Here there are several options for fulfilling this role. For instance if you're utilizing a Windows domain you can deploy Certificate Services and Internet Authentication Service, which is Microsoft's RADIUS server. However, if you're not using a Windows domain, the choices are less clear. If you have extra hardware lying around or a system to run VMware on, you can setup a Linux system and use FreeRADIUS, an excellent OpenSource RADIUS server.

For most SOHO setups all of this may be more trouble than it's worth since the time spent in deploying the solution may not be worth the benefits of a more granular authentication system. With only a few users and client devices it may be simpler to use WPA-PSK (or WPA2-PSK), with a strong key, and change it whenever access for a particular user needs to be revoked.

If you're determined to go down the 802.1X path there are still some other options that require minimal to no investment in additional hardware. For instance if you have an AP that is compatible you can re-flash its firmware with OpenWRT (http://openwrt.org), a Linux distribution that supports many common APs. This will allow you to install FreeRADIUS on the AP itself, removing the need for a separate system. Still this can be a daunting task.