WPA-Enterprise for Small Businesses (Part 2)

By Eric Geier | Posted August 12, 2008

In the first installment of this tutorial series, you discovered that WPA-Enterprise encryption is the way to go if you desire a bulletproof Wi-Fi network. You also found out a few ways you can go about setting up this encryption method for your small or home office network. This tutorial will continue by introducing you to the basics of an 802.1x RADIUS server environment and the steps to setting it all up. You’ll soon be on the road to running your very own server for WPA-Enterprise encryption.

Interworkings of an 802.1x RADIUS Server Setup

For the most part, 802.1x RADIUS servers are set up and work in a similar manner to one another. The RADIUS server software acts as the gateway to the network; users must pass it before they’re allowed access to the network and the Internet. It receives requests that originate from users and sends back messages that either approve or deny their connection to the wireless network.

This request may contain, for example, a user name and password, which the RADIUS server checks against a user database (Active Directory, SQL database, MS Access, server’s built-in database, etc.). The messages to and from the users and the RADIUS server go through a coordinator or middleman, called a network access server (NAS) or RADIUS client, such as your wireless router or APs.
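The exchange just described, as an added example that is not part of the original article: a minimal RFC 2865 Access-Request/Access-Accept round trip in Python (standard library only) between the NAS and the RADIUS server, including the User-Password hiding and the Response Authenticator the NAS uses to check that a reply really came from a server holding the shared secret. It uses the plain User-Password attribute the paragraph mentions rather than the EAP-Message attributes PEAP (Figure 1) actually carries, and the shared secret, user names and passwords are constructed values.

```python
import hashlib, hmac, os, struct

# RFC 2865 packet codes and attribute types used below
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2

def password_cipher(data, secret, req_auth, hiding):
    """RFC 2865 5.2: XOR 16-byte blocks with MD5(secret + previous ciphertext block)."""
    if hiding:
        data += b"\x00" * (-len(data) % 16)  # pad cleartext to whole 16-byte blocks
    out, prev = b"", req_auth  # the first 'previous block' is the Request Authenticator
    for i in range(0, len(data), 16):
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = block if hiding else data[i:i + 16]  # chain on the ciphertext block either way
        out += block
    return out if hiding else out.rstrip(b"\x00")

def build_packet(code, ident, authenticator, attrs):
    # Code(1) Identifier(1) Length(2) Authenticator(16) followed by Type/Length/Value attributes
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def parse_attrs(data):
    attrs, i = {}, 0
    while i + 2 <= len(data) and data[i + 1] >= 2:  # stop on a malformed attribute header
        attrs[data[i]] = data[i + 2:i + data[i + 1]]
        i += data[i + 1]
    return attrs

def nas_access_request(user, password, secret, ident=1):
    """The AP (NAS) hides the user's password and forwards the request to the server."""
    req_auth = os.urandom(16)  # fresh random Request Authenticator for every request
    hidden = password_cipher(password, secret, req_auth, hiding=True)
    return build_packet(ACCESS_REQUEST, ident, req_auth, [(ATTR_USER_NAME, user), (ATTR_USER_PASSWORD, hidden)])

def server_respond(request, secret, user_db):
    """The RADIUS server recovers the password, checks the user database and answers."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    req_auth, attrs = request[4:20], parse_attrs(request[20:length])
    stored = user_db.get(attrs.get(ATTR_USER_NAME))
    supplied = password_cipher(attrs.get(ATTR_USER_PASSWORD, b""), secret, req_auth, hiding=False)
    ok = code == ACCESS_REQUEST and stored is not None and hmac.compare_digest(stored, supplied)
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret); no attributes sent here
    return header + hashlib.md5(header + req_auth + secret).digest()

def nas_verify_response(request, response, secret):
    """The NAS only trusts a reply whose Response Authenticator proves knowledge of the shared secret."""
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return response[1] == request[1] and hmac.compare_digest(expected, response[4:20])
```

Note that a real server stores hashed credentials and PEAP would never expose the password this way; the point here is the NAS/server message flow and the two checks (hidden password, authenticated reply) that depend on the shared secret.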

Figure 1 shows a simplistic example of these components and the process of authenticating a user onto a wireless network.

Figure 1. The authentication standard represented here and explained in this section is called Protected Extensible Authentication Protocol (PEAP).

Another component you should be familiar with in this type of environment is a digital certificate. When you set up a RADIUS server, you install a digital certificate (a small file that serves as a computer’s ID) on the server.

During the authentication process, the user computer validates whether the RADIUS server is trustworthy. It does this by checking that the digital certificate installed on the server was issued by a Certificate Authority (CA) it trusts, the CA vouching for the server’s identity.

A digital certificate is comparable to a signed letter stating a person’s identity, a CA is similar to a public notary, and the CA’s official verification of the computer’s identity is the equivalent of an affidavit.

For most small business and home deployments, using a third-party CA is not cost-effective. In these instances, the same digital certificate that’s installed on the RADIUS server must also be installed on the user computers. For easier configuration of computers on larger networks, a certificate designed for WLAN authentication and signed by a trusted authority (such as Verisign) can be purchased.

Instead of manually installing a self-signed certificate on all your computers, the computers would validate the server’s identity using a real CA that’s by default trusted by Window



Page 1 of 2