The first installment of this tutorial series introduced you to some ways in which you can implement WPA-Enterprise on your SOHO network. The second part covered the basics of setting up your own 802.1x RADIUS server. This third installment will continue by walking you through installing and configuring the Elektron RADIUS server. We’ve chosen this server software due to its relatively low cost ($750) and its user-friendly interface that’s quite easy to understand. The cost of other enterprise servers can be in the thousands of dollars and require a great deal of expertise, so this affordable, easy-to-use option is an excellent choice for small business owners working with a limited IT budget.
Downloading the Elektron RADIUS server
The first step is to visit the Periodik Labs Web site and download the software. You can take advantage of the 30-day fully functional trial before you have to purchase and enter a valid serial number. This gives you time to figure out if you really want to invest the money for the server, or if you want to compare with other servers or services.
Installing Elektron and configuring the digital certificate
After the main installation of Elektron, another wizard will open to help you perform the digital certificate configuration of the server. When you get to the digital certificate setup step, you’ll probably want to create a new certificate hierarchy if you haven’t already purchased a digital certificate. For the server name, you can really just make something up; for example you can enter WPA.yourdomainname.com or even just your name if you don’t have a Web site. The sever name, location, and other identification information you enter is used to create the certificate and will be visible when viewing the digital certificate file later.
Creating a self-signed certificate using the wizard is fine for most small business and home deployments. For maximum security and ease when configuring your computers, however, you can consider purchasing a certificate designed for WLAN authentication and signed by a trusted authority, such as Verisign. Then you would import the certificate file into the Elektron program. If you go this route, then instead of manually installing the self-signed certificate file (you created using the wizard) on all your wireless computers, your computers can validate the server’s identity using a trusted certificate authority (CA) that’s already preloaded in Windows.
Now you can access the server administration program, named Elektron Settings (below), from the new Elektron Start menu entry.
Setting up an authentication domain
You need to tell the server in which database to look up the account credentials when clients try to connect/authenticate to your wireless network. On the Elektron Settings program, under the Authentication section on the left menu, select the Authentication Domains entry. Then double-click the Default Authentication Domain entry. You’ll see a dialog box, such as the one pictured below where you can select the database where you have your account list stored.
If you don’t already have an account database, you can opt to authenticate using Elektron Accounts. Then you can add users to the built-in database, as discussed in the next section. If you have a larger and more complex network, you can set up multiple Authentication Domains. For example, clients belonging to Domain A are authenticated against the Active Directory and Domain B clients against the Elektron Accounts—or whatever suits your needs.
Adding users to the Elektron user list
If you specified that the Elektron Accounts be used, then you must populate the list with account credentials for each of your clients. Under the Authentication section on the left menu, select the Elektron Accounts entry. To add a user account, click the plus sign on the main toolbar, which will trigger a pop-up dialog box (below).
The Username and Password are the only required fields. To help distinguish the person the account is for, you can use the Real Name field. It’s best to keep the Store Password in Reversible Format option disabled. This feature is for authentication databases that use plain text passwords, which you can read more about in the Help files of Elektron. If you plan to remotely administer the server, you can check the User Can Administer Elektron option to give the particular account the ability to remotely connect with the Elektron Settings program from a computer other than the one on which the server is installed. The Account is Disabled option prevents the account from gaining access to the network. This option can be used in conjunction with the administer option to provide remote admin capability, but no network access.
The Member of section populates with any Elektron Account Groups you’ve created. Creating Elektron Account Groups, Authorization Policies, and assigning users to certain groups lets you make complex authentication schemes. For example, you could create an Employee and Management group and assign each Elektron Account to the appropriate group. Then you could create a Policy under the Authorization section to limit accounts belonging to the Employee group to using the network only between the hours of 9am to 5pm. (This is just one example of how you can use groups and policies.)
Adding access points (APs) to the Elektron AP list
There is still one crucial part left to make your WPA-Enterprise network work. You need to input the Shared Secret value and other information for each of your APs into the RADIUS server software. Under the Authorization section, select the Access Points entry. Then, to add an AP entry, click the plus sign on the toolbar, which brings up the Edit Access Point dialog box (see below).
You need to input the IP Address of the AP or wireless router into the appropriate field. This is the same address you use to access the Web-based configuration screen of the AP or router. If you have just one wireless router, this address is probably the same as the Default Gateway value shown in the connection status details of Windows. Next you can assign the AP entry with a Friendly Name for easier identification. Finally, you must type in a New Shared Secret for the particular AP or wireless router. You should use a long shared secret with mixed case and character types. However, make sure you keep this piece of information for each AP in a safe spot; later you’ll have to input it into the particular AP or router.
Stay tuned—the final installment will take you step-by-step through configuring your wireless router or APs and your computers to work with the Elektron server.
This article was first published on WiFiPlanet.com.