This article gives an overview of the Remote Authentication Dial In User Service (RADIUS), a service that contributes to wireless network security.
What is RADIUS and why would one use it?
In wireless networks, the encryption and identification technology used in WPA falls into two groups:
1) WPA-PSK, in which WPA uses a static pre-shared key;
2) WPA-Enterprise, in which no static key is configured on the access point.
WPA-PSK (or WPA2-PSK) is widespread among home users because router and network setup is simple: a secret password is set on the access point. Clients that know this secret password can join the access point. Client authentication consists of presenting the secret password to the access point.
WPA-PSK is, however, a technology with a number of drawbacks.
First, on the security side: because the secret password is rarely changed, a potential attacker has time to crack even a complicated password. Another problem concerns user management: if the network has many users and we want to exclude a single user (or give someone temporary access), the access point password must be changed to exclude that person. This means changing the password on the access point and on every client in the network. Consequently, contrary to widespread practice, businesses that give their customers temporary access to a wireless network (for example in conference or meeting rooms) should not use WPA-PSK.
These considerations make it worthwhile for companies (and larger home networks) to use WPA-Enterprise. This technology does not rely on a secret password shared between the client and the access point. Instead, it uses the so-called AAA principle (Authentication, Authorization, Accounting), a data protocol that enables unambiguous identification, access control and traceability of operations.
The AAA principle is put into practice with the RADIUS service. A RADIUS server lets the service provider verify (a) whether the client has a valid certificate or login, (b) what access rights the client has in the domain, and (c) after the session, what traffic passed during that session. A RADIUS server therefore lets an enterprise manage its WiFi security policy centrally.
How does the RADIUS server work?
In the WPA-Enterprise architecture, user logins (username and password, or a certificate) are managed centrally on a RADIUS server. No shared key is used, and no user talks to the RADIUS server directly. Instead, the user interacts with a network device (router, VPN server, modem, server, NAS), presenting the login in order to connect to the network (in a so-called Access-Request). The network device has been pre-configured as a RADIUS client: it shares a symmetric key (the RADIUS shared secret) with the RADIUS server. By this key the network device and the RADIUS server recognize each other, and the communication between them is protected by it (in classic RADIUS the key hides the password attribute and authenticates replies; it does not encrypt the whole packet). The network device forwards the user's login to the RADIUS server.
The RADIUS server checks which domain the user belongs to. It then verifies the user's login information against its database: whether the user exists, whether the password is correct, or whether the user's certificate is valid.
The login list does not have to reside on the RADIUS server itself; it can be held on another server (such as an SQL database or a domain controller). In that case the RADIUS server acts as an intermediary.
If the login allows the RADIUS server to identify the user, the server sends the network device an admission message (a so-called Access-Accept). This message also carries access-control terms: which services the network device may enable for the user. The network device then generates a session key and opens the gateway through which the user accesses the network service(s).
RADIUS accounting (the remote record of user activity) works as follows: the network device informs the RADIUS server of the beginning and the end of each session (by sending so-called accounting packets), giving an overview of the service used during the session (e.g. its duration and the amount of data and packets transmitted).
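The exchange described above, as an added example that is not part of the original article: a RADIUS Access-Request built on the network-device side per RFC 2865 (random Request Authenticator, User-Password hidden with MD5 over the shared secret), the server recovering the password and answering Access-Accept or Access-Reject, and the device checking the Response Authenticator. The shared secret, the user list and the identifiers are constructed values.

```python
import hashlib
import hmac
import os
import struct

# Constructed values: the shared secret configured on both the network device and the RADIUS server, and the server's login list.
SHARED_SECRET = b"example-shared-secret"
USER_DB = {b"alice": b"correct horse battery"}
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3   # RFC 2865 packet codes
USER_NAME, USER_PASSWORD = 1, 2                         # RFC 2865 attribute types

def attribute(attr_type, value):
    # RFC 2865 attribute: Type(1) Length(1, header included) Value
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def parse_attributes(data):
    attrs, pos = {}, 0
    while pos < len(data):
        attrs[data[pos]] = data[pos + 2:pos + data[pos + 1]]
        pos += data[pos + 1]
    return attrs

def xor_password(data, secret, request_auth, hide=True):
    # RFC 2865 s5.2: XOR each 16-byte block with MD5(secret + previous ciphertext block), seeded by the Request Authenticator.
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        chunk = bytes(p ^ b for p, b in zip(data[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = chunk if hide else data[i:i + 16]
        out += chunk
    return out

def build_access_request(identifier, username, password, secret):
    # Network device side: random Request Authenticator, User-Name and the hidden User-Password.
    request_auth = os.urandom(16)
    padded = password + b"\x00" * (-len(password) % 16)
    attrs = attribute(USER_NAME, username) + attribute(USER_PASSWORD, xor_password(padded, secret, request_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + request_auth + attrs

def handle_access_request(request, secret, user_db=USER_DB):
    # RADIUS server side: recover the password, check the login list, reply Accept/Reject with a Response Authenticator.
    identifier, request_auth, attrs = request[1], request[4:20], parse_attributes(request[20:])
    password = xor_password(attrs[USER_PASSWORD], secret, request_auth, hide=False).rstrip(b"\x00")
    ok = hmac.compare_digest(user_db.get(attrs.get(USER_NAME), b""), password)
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, identifier, 20)
    return header + hashlib.md5(header + request_auth + secret).digest()

def verify_response(response, request, secret):
    # Network device side: accept only if the Response Authenticator (MD5 over reply + request auth + secret) matches.
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return response[1] == request[1] and hmac.compare_digest(expected, response[4:20])
```

Only the User-Password attribute is hidden; the username and everything else travel in the clear, which is why deployments run the EAP exchange inside TLS and carry RADIUS itself over IPsec or RADIUS/TLS.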
How does one use a RADIUS server to improve security?
Compared with WPA-PSK, the RADIUS-based WPA-Enterprise solution has the following advantages:
1) the user login is not static. When a user leaves or joins, it is sufficient to update the user list held by the RADIUS server. This ensures that a user can access the network only for as long as they are entitled to.
2) users' passwords differ from one another and are usually updated on a regular basis.
3) user access rights can be restricted. A user can access only those network services that match their access rights, and these rights can be changed (narrowed or expanded) by updating the user list held by the RADIUS server.
4) to attack a RADIUS server it is not enough to crack a user's password; the attacker must also break the symmetric key by which the RADIUS server recognizes the network device.
Installing the RADIUS server
* Guidelines for installing a RADIUS server on Linux machines: http://tldp.org/HOWTO/html_single/8021X-HOWTO/
* Installing a RADIUS server on Windows Server 2008 (WS2008) machines: see Mackin, J.C., Northrup, T., Configuring Windows Server 2008 Network Infrastructure. Self-Paced Training Kit, pp. 327-329.
Sources used for this article:
* IETF.org PKI tutorial
* Malik, S., Network Security Principles and Practices