Getting a RADIUS Server
As mentioned, to use the Enterprise mode of WPA or WPA2 you need a RADIUS server, which is required for the 802.1X/EAP authentication. If your company has an IT staff, you could consider using a traditional RADIUS server. If you already have a Windows Server you can use the included Internet Authentication Service (IAS) of Windows Server 2003 and earlier or the Network Policy Server (NPS) of Windows Server 2008 and later.
And if you don’t have a Windows Server, you could use the popular free and open source FreeRADIUS server, primarily designed for running on Linux, Mac, and Unix-based computers and servers. But if you're not a Linux/Mac/Unix fan, you could use the freeware TekRADIUS server in Windows, or purchase a commercial server like Elektron or ClearBox.
If you don’t have anyone familiar with Enterprise Wi-Fi security or RADIUS servers you could still consider using a hosted or cloud-based service (like BoxedWireless) that runs the server for you and offers help on configuring your computers. If you're interested, you can read more about low-cost RADIUS servers.
Enterprise Wi-Fi Security Options
802.1X authentication uses the Extensible Authentication Protocol (EAP), and when searching for a RADIUS server or a hosted service you’ll have different types of EAP from which to choose. Here are the most popular types:
- PEAP (Protected EAP): This method is the most popular, easiest to implement, and it lets you create usernames and passwords for each Wi-Fi user/computer.
- TLS (Transport Layer Security): This is one of the most secure methods, but takes more to set up and maintain, and requires installing a file (digital certificate) on each Wi-Fi computer or device.
- TTLS (Tunneled TLS): An improved version of TLS that doesn't require digital certificates, but isn’t widely supported by computers and devices, and it requires third-party 802.1X clients like SecureW2.
Upgrading to the Enterprise Mode
If you’d like to upgrade to the Enterprise mode, here are the next steps to take:
- Choose a RADIUS server or hosted RADIUS service.
- Set up the RADIUS server or service with the desired EAP type and enter your AP and user settings.
- Configure your wireless router or APs with WPA2-Enterprise and enter the RADIUS server settings.
If you’re using the PEAP type of EAP, your users with Windows Vista or later will be able to simply enter their username and password when connecting. But Windows XP users may have to preconfigure the network settings before they can connect. If using the EAP types TLS or TTLS on any computer, users will first have to install a digital certificate and/or a third-party 802.1X client before connecting.
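As an added illustration (not part of the original article), here is roughly what the server-side steps above look like on FreeRADIUS with PEAP. It assumes the FreeRADIUS 3.x file layout; the client name, IP address, user name and secrets are constructed placeholders.

```conf
# --- clients.conf: register each AP as a RADIUS client (the "AP settings") ---
client office-ap-1 {                  # constructed name for the AP
    ipaddr = 192.0.2.10               # constructed AP address (documentation range)
    secret = REPLACE_WITH_LONG_RANDOM_SHARED_SECRET
}

# --- mods-available/eap: choose the EAP type ---
eap {
    default_eap_type = peap           # PEAP: per-user usernames and passwords
    # Leave the tls-config and peap sections that ship in this file in place.
}

# --- mods-config/files/authorize (the "users" file): one entry per Wi-Fi user ---
alice   Cleartext-Password := "REPLACE_WITH_USER_PASSWORD"

# --- On the wireless router or AP (field names vary by vendor) ---
# Security mode:      WPA2-Enterprise
# RADIUS server IP:   address of the FreeRADIUS host
# RADIUS port:        1812 (standard RADIUS authentication port)
# Shared secret:      same value as "secret" in clients.conf above
```

The shared secret must match exactly on the AP and in the server's client entry, and each AP should get its own entry.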
Eric Geier is a freelance tech writer. He’s also the founder of NoWiresSecurity, which helps businesses protect their Wi-Fi with enterprise (802.1X) security, and On Spot Techs, which provides on-site computer services.