Securing a RADIUS server
Wireless Security
By Andrew Lockhart, Network World, 05/07/2007
What measures are there to help secure a RADIUS server?
For any corporate wireless infrastructure to remain secure, using 802.1X for authentication is a must: it provides much more granular control over authentication credentials and can provide accounting for wireless LAN usage. Setting everything up can be a complex process, from choosing an EAP type that both your clients and your RADIUS server support to putting in place the PKI infrastructure that some EAP types require. During this whole process one thing is often overlooked: the security of the RADIUS server itself.
That is unfortunate, because the RADIUS server is a very important part of any secure WLAN deployment; it is the key to the whole operation. The RADIUS server (and its data store or authentication backend) controls access to the network and additionally supplies the keys used by the AP and the wireless client to encrypt a given station's traffic.
The first place to start is securing the system on which the RADIUS server runs. There are various techniques for this, but at the most basic level you should dedicate a single server to the task. This limits the exposure of the RADIUS server and ensures that vulnerabilities in other services running on the system do not lead to the RADIUS server being compromised. The accounts that are allowed to log in to the server should be limited too.
The next thing to do is to limit what can communicate with your RADIUS server. In order to operate, the RADIUS server needs to be able to communicate with your authentication backend (e.g., an LDAP or SQL server) and with each of your Network Access Servers (NAS), which in the case of a wireless network are your APs. With this in mind, firewall rules should be put in place to enforce this requirement and ensure that no other systems can communicate with your RADIUS server, save systems on your management LAN.
Additionally, you'll want to protect the communications between your RADIUS server, its authentication backend, and the APs with encryption. For the connection between the RADIUS server and the authentication backend this will likely mean either SSL or IPsec. For instance, if you're using an LDAP directory to store authentication information, you can easily use SSL to encrypt traffic to and from it. If you're using a backend that isn't so easily amenable to SSL, you can use IPsec (ESP with 3DES or AES ciphers) instead. Similarly, you should encrypt communications between your RADIUS server and your APs with IPsec as well.
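As an added example (not part of the original article), the following shell script turns the allowlist described above into an iptables ruleset: only the APs may reach the RADIUS ports, the server may open connections to its LDAP backend only over SSL, and only the management LAN gets administrative access. The host addresses, port choices and management network are assumed values.

```shell
#!/bin/sh
# Generates an iptables ruleset for a dedicated RADIUS host. Only the APs
# (the NAS devices), the authentication backend and the management LAN may
# talk to it; everything else is logged and dropped. All addresses used
# with this script are hypothetical examples.
RADIUS_AUTH_PORT=1812   # RADIUS authentication (UDP)
RADIUS_ACCT_PORT=1813   # RADIUS accounting (UDP)
LDAPS_PORT=636          # LDAP over SSL to the backend directory
ADMIN_PORT=22           # SSH, reachable from the management LAN only

# radius_fw_rules "<space-separated AP addresses>" <backend addr> <mgmt CIDR>
# Writes one iptables command per line to stdout; pipe into sh to apply.
radius_fw_rules() {
    aps=$1
    backend=$2
    mgmt=$3
    # Default deny in both directions; loopback and reply traffic allowed.
    echo "iptables -P INPUT DROP"
    echo "iptables -P OUTPUT DROP"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A OUTPUT -o lo -j ACCEPT"
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # Each AP may send authentication and accounting requests.
    for ap in $aps; do
        echo "iptables -A INPUT -p udp -s $ap --dport $RADIUS_AUTH_PORT -j ACCEPT"
        echo "iptables -A INPUT -p udp -s $ap --dport $RADIUS_ACCT_PORT -j ACCEPT"
    done
    # The server may open SSL-protected LDAP connections to its backend only.
    echo "iptables -A OUTPUT -p tcp -d $backend --dport $LDAPS_PORT -j ACCEPT"
    # Administrative access comes from the management LAN only.
    echo "iptables -A INPUT -p tcp -s $mgmt --dport $ADMIN_PORT -j ACCEPT"
    # Anything else is logged before the default DROP policy discards it.
    echo "iptables -A INPUT -j LOG --log-prefix 'RADIUS-DROP: '"
}

# Sanity check: number of per-AP authentication accept rules in a ruleset
# (should equal the number of APs passed to radius_fw_rules).
nas_rule_count() {
    printf '%s\n' "$1" | grep -c -- "-p udp -s .* --dport $RADIUS_AUTH_PORT -j ACCEPT" || true
}
```

Review the generated rules before applying them with `radius_fw_rules "..." ... | sh`, and add explicit rules for any other service the host genuinely needs (NTP, for example) rather than loosening the default policy.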
Comments (4)
Re: Securing a RADIUS server
By Anonymous on May 10, 2007, 2:42 pm
"For instance if you're using an LDAP directory to store authentication information, you can easily use SSL to encrypt traffic to and from it." Really... I would...
OpenLDAP + FreeRADIUS + SSL/TLS
By alockhart on June 7, 2007, 4:34 pm
If you already have a working OpenLDAP and FreeRADIUS setup, but are not using SSL/TLS, you can try out using stunnel on both sides of the connection: http://www.stunnel.org/examples/generic_tunnel.html It's...
OpenLDAP + FreeRADIUS + SSL/TLS
By theSnail on July 25, 2007, 9:44 am
Yes, this solution can greatly improve wireless network security, but if you implement something different from EAP/TLS with mutual authentication with previous...
great for looking
By Anonymous on October 5, 2008, 3:49 am
Hello buddy, now I am doing a big project about wireless network. I want to know about RADIUS server and also security about wireless network. If somebody has an ebook...