Low-cost RADIUS servers for Wi-Fi security

Remote Authentication Dial-In User Service (RADIUS) servers are common in enterprise networks to offer centralized authentication, authorization and accounting (AAA) for access control. But RADIUS servers can also be useful in small and midsize networks to enable 802.1X authentication and WPA2 (802.11i) security for Wi-Fi nets.

We tested four RADIUS servers that smaller businesses might consider: Elektron, ClearBox, Microsoft's Network Policy Server from Windows Server 2008 R2, and FreeRADIUS.

We measured ease of installation and configuration, quality of the documentation and the ability to customize configurations. All of the vendors scored well, with ClearBox on top and Elektron a close second, and FreeRADIUS and Windows Server NPS tying for third.

Elektron ($750) is a good entry-level and user-friendly server. ClearBox ($599) is a great choice for small networks, but it also scales to larger networks. Microsoft Windows Server 2008 R2 NPS is likely a given for organizations already running a Windows Server, as long as they don't need all the advanced features and database support. And FreeRADIUS (open source) is a solid and economical choice for Unix/Linux admins offering the most customization and flexibility.

Here are the individual reviews:

Elektron

The Elektron RADIUS server from Periodik Labs is a Windows GUI-based server that's targeted toward wireless authentication for small and midsize networks, but supports other AAA purposes as well. It's offered as a 30-day free trial and then costs $750 for a single server license.

Elektron can run on Windows XP Pro, Vista, Windows 7 and Windows Server 2003 and 2008. There's also a Mac OS X edition that runs on 10.5 or later or with an Intel Core Duo or better processor. Both require at least 512MB of memory and 20MB of free disk space.

Elektron supports the following authentication methods: PEAP, TTLS, EAP-FAST, EAP-TLS, LEAP, PAP, CHAP, MS-CHAP, MS-CHAPv2, EAP-MS-CHAPv2, EAP-MD5, EAP-GTC, and EAP-OTP. It also supports the following databases for the user account data: Internal database (configurable via the GUI called Elektron Accounts), Windows accounts, Mac OS X Directory Services, Active Directory and other LDAP directories, SQL and other ODBC compliant data sources, Remote RADIUS servers and Script.

We tested Elektron Version 2.2 in Windows Server 2008 R2 on a VMware virtual machine. The installation was very simple and only took about a minute. It uses a typical Windows installer and didn't prompt us for any server-related settings.

Immediately after the installation we found a Setup Wizard to help configure Elektron for wireless authentication. It prompted us to create a password (shared secret) for a wireless access point (RADIUS client) and helped configure/create a server certificate. The wizard was helpful, but could be improved by allowing you to enter passwords for individual access points rather than creating a catch-all entry for any access point, which is a less secure method.

After using the Setup Wizard we were left in the dark as to our next step. Since we're experienced with the RADIUS process, we knew we had to configure the Authentication Provider (we used the internal database) and input user account info (we created a user on the Elektron Accounts page). But those not familiar with RADIUS might be confused because the wizard doesn't cover this and the Getting Started section in the documentation skips it as well. Nevertheless, after configuring our wireless access point with WPA2-Enterprise we were able to authenticate via Protected Extensible Authentication Protocol (PEAP).

While reviewing the Authentication settings we found we could add multiple Authentication Providers and dynamically assign users to them based upon their Domain or Access Point Group, with support for stripping the domain from the incoming username. We also found supports for MAC address authentication, which, while not the most secure method, can be used to authenticate devices that don't support 802.1X security or other protocols supported by Elektron. Another notable feature is the ability to block logins after multiple failed password attempts.

Authentication settings in Elektron

In the Authorization settings, we could create custom polices. We could deny connections, assign users to virtual LANs, append custom RADIUS response attributes or execute a script based upon various triggers: login time, username, user group, access point group, media access control address group or the result of a script. These provide the authorization functionality SMB networks usually require, but don't provide the full customization ability larger or service provider networks might require.

In the Accounting section we found basic access and error logs, viewable only in the GUI and not able to be sent to a database. We were impressed with the Event Handler feature that allows you to easily enable notifications on events like logins, failed logins, password lockouts and errors.

In the main server settings Elektron supports remote administration so you can manage the server from other PCs, and server replication in case you want to set up a backup server.

Overall, Elektron is a solid, attractive, and user-friendly server. Though the Getting Started section in the documentation could be improved, generally it was informative and useful, and should be understandable by those less experienced with RADIUS. Elektron is a great option for small and midsize networks.

ClearBox Enterprise RADIUS Server

ClearBox Enterprise RADIUS Server from XPerience Technologies is a Windows-based RADIUS server that can serve the AAA needs of small businesses or even large networks with millions of users, according to the company. Like the Elektron RADIUS server, ClearBox is a GUI-based program. The company offers a 30-day free trial and then charges $599 for a single server license.

ClearBox can run on any Windows platform from Windows 2000 up to Windows 7 and Windows Server 2008 R2. It requires only a Pentium II or higher processor, 256MB or more of memory, and at least 16.6MB of free disk space for the full install.

ClearBox supports the following authentication methods: PEAP, EAP-TLS, PAP, CHAP, MS-CHAP, MS-CHAPv2, EAP-MS-CHAPv2, EAP-MD5, SIP and ARAP. ClearBox allows the use of concurrent data sources and supports: Internal database (configurable via the GUI called Users Manager), Windows accounts, Active Directory and other LDAP directories, SQL and other ODBC and OLE DB compliant data sources, and Remote RADIUS servers.

We tested using ClearBox Version 5.7, released in March, in Windows Server 2008 R2 on a VMware virtual machine. The installation was simple and took less than two minutes. It uses a typical Windows installer and only prompts you for three server-related settings: the mode (Normal or Debug), the Control Centre password and whether you want to enable wireless authentication.

After finishing the install, the ClearBox Manual is by default set to automatically appear. We found the documentation to be thorough, but quickly noticed some slight inconsistencies. For example, some button names mentioned differ from what is on the GUI and the instructions for testing the server after setup were incomplete. Nevertheless, we were able to quickly configure ClearBox for PEAP wireless authentication, including creating a server certificate via the Certificates Wizard.

We also tried out the Configuration Wizard that helps those less-experienced in RADIUS understand and set the basic settings: adding RADIUS Clients and selecting a user database. We found this wizard informative and easy-to-use.

After configuring our wireless access point with WPA2-Enterprise and successfully authenticating via PEAP, we poked around the advanced ClearBox settings. We found it supported multiple realms, so incoming requests can be handled via a different set of authentication, authorization and accounting settings based upon the username, client IP, RADIUS attributes, Windows group membership or custom SQL result. Additionally, it supported username rewriting in case you require processing requests without a domain name.

Authorization settings can always be manually created in the Black, Check, Response and Reject-Response lists using any RADIUS attributes and values. But authorization settings are also configurable via the Users Manager, if you're using the ClearBox internal user database, which include settings to enforce login hours, set time credits, set per-user concurrent session limits and restrict logins to a specific client using its MAC address.

In the Accounting settings, we could log accounting details to the internal database, an external database or a file. Interestingly, it also included the ability to cache accounting data if the database is unavailable. Though not indicated in the GUI, ClearBox also supports third-party billing systems, including DTH Billing and Customer Management, Advanced ISP Billing and Platypus Billing System.

Other logging features include a Server Statistics page to view a rundown of packet types sent and received, an Online Logging page to view real-time activity and text-file logging of server errors and RADIUS packets.

In the main Server Settings, ClearBox supports remote administration, server replication in case you want to set up a backup server, advanced RADIUS settings and advanced logging settings. And another notable feature is the ability to enable monitoring and alerting that can automatically restart the server and send an email alert if ClearBox stops responding.

Overall ClearBox is feature-rich and easy-to-use. Its thorough documentation and help (although needing some updating) and the internal user database make it user-friendly for smaller organizations that might lack RADIUS experience. And its customization and wide database support allow use by larger organizations or service providers as well. Realms and RADIUS clients can even be dynamically chosen using SQL queries, and data for user accounts, authorization, accounting and logging can be stored in external databases as well.

Microsoft Windows Server 2008 R2 NPS

Microsoft's Windows Server platform provides a RADIUS server, an economical option for those already running (or planning to run) a Windows Server. Starting with Windows Server 2008, Microsoft provides the RADIUS service with its Network Policy Server (NPS) role, whereas previously it was provided by the Internet Authentication Service (IAS) role. Like most other Windows Server roles, NPS configuration is GUI-based.

NPS provides different functionality depending on the edition of Windows Server 2008 or 2008 R2. The Web Server edition is the only one that doesn't include the NPS role/feature. The Standard Edition supports a maximum of 50 RADIUS clients (access points) and a maximum of two remote RADIUS server groups. The RADIUS client can be defined by using a fully qualified domain name or an IP address, but groups of RADIUS clients can't be defined by specifying an IP address range. The Enterprise and Datacenter editions allow an unlimited number of RADIUS clients and remote RADIUS server groups, and allow defining RADIUS clients via IP address ranges in addition to a domain name or single IP.

NPS supports the basic common authentication protocols: PEAP, EAP-TLS, PAP, SPAP, CHAP, MD5, MS-CHAP, MS-CHAPv2 and EAP-MD5. Additionally, Microsoft allows plug-ins of other vendors' EAP methods on NPS. RSA's one-time password (OTP) method is one example of this.

For authentication NPS only allows the use of Active Directory for the user account database, in addition to being able to proxy requests to other RADIUS servers for processing. For RADIUS accounting you can write to a text file and/or store in a Microsoft SQL Server database.

We evaluated NPS in Windows Server 2008 R2 on a VMware virtual machine. Before enabling NPS we performed the initial configuration of Windows Server and set up an Active Directory domain. Then we used the documentation from Help and Support within Windows for information on how to configure NPS for 802.1X, which we found complete and thorough, targeted toward administrators. Next we spent about 10 minutes enabling the Certificate Services role and creating a certificate authority (CA). Next we enabled the NPS role and registered it with Active Directory, which was done in less than five minutes.

Then we selected the 802.1X configuration scenario and ran the configuration wizard that helped us add RADIUS clients (access points), select the authentication protocol (PEAP) and choose user groups to apply to the NPS server. The wizard also allowed us to configure traffic controls, which are RADIUS attributes (such as VLAN assignments) you can configure to be sent to the RADIUS clients and applied to authenticated and authorized users.

After configuring our wireless access point we could authenticate via PEAP authentication. Then we looked for advanced settings and functionality supported by NPS. Like the other servers, NPS supports multiple policy configurations. You can create policies with specific conditions of requests (user groups, NAS port type and many other conditions) and requests that match those are given a set of authentication and authorization settings. You can define settings like exact authentication protocols, day and time restrictions and custom reply RADIUS attributes (such as for VLAN assignments).