RADIUS Server Access Control

for WiFi Hot Spots

Anthony E. Alvarez
Tech Jobs Academy
8 min read · Apr 4, 2016


Source: urbangyal.com

This is a guide to RADIUS (Remote Authentication Dial-In User Service): how it can be used, and why you might want to use it to control access to a Local Area Network (LAN). A RADIUS server is a mechanism for regulating user access to a computer network. This article provides a high-level overview of RADIUS on both Windows Server 2012 and FreeRADIUS, a popular open source alternative.

Let’s say you want to reward your best customers when they visit your cafe or restaurant. You decide to implement a member rewards program that includes free Wireless Network (WiFi) access. Many restaurants currently provide access to a WiFi hot spot using either a shared password or no password at all, but neither is a secure solution.

The RADIUS server checks the passwords entered by the users and grants or denies access as appropriate. It also keeps a record of network usage so that the restaurants’ management can see when and how much their networks are being used.

The RADIUS Protocol

RADIUS is actually a standardized protocol, not a program; it’s an interface, not an implementation. As with other Internet-related protocols, the standard is established by the Internet Engineering Task Force (IETF) and documented in the following Request for Comments (RFC) specifications:

These documents are the ultimate authority on the RADIUS protocol.

RADIUS defines a standard “conversation” for the purposes of connecting a computer to a network. One side of the conversation is the server, the other is the client.

On the client side of the protocol are a variety of devices called network access servers (NAS). A NAS is any type of equipment that directly accepts users’ connections. For example, in a WiFi network, the access point serves as the NAS. By contrast, in an ISP’s dial-up network, the NAS is the switch that connects the receiving modems to the computers providing the dial-up services such as e-mail and web browsing.

Source: leaderchat.org

One essential detail of the RADIUS specification is that it uses port 1812. Port numbers are part of the TCP/IP mechanism for connecting clients and servers on the Internet.

RADIUS Benefits

A RADIUS server performs three useful services for computer users: Authentication, Authorization, and Accounting, collectively called AAA.

Authentication is the process of determining the identity of a user. The most common form of authentication is by user name and password. This is the form used at the restaurant. Other forms of authentication use digital certificates, digital signatures, etc.

Authorization is the process of determining which service(s) a user is permitted to use and to what extent. It requires that the identity of the user be previously established by some authentication process. The authenticated user ID is then authorized by lookup in a file, table, database, or directory service such as LDAP or Active Directory.

Accounting is the process of keeping track of network usage. It records the date and time of the start of each user’s session, its duration and the number of bytes transferred.

RADIUS is commonly paired with the IEEE standard for authenticated network access to wired Ethernet networks and wireless 802.11 networks. RADIUS enhances security and deployment by providing support for centralized user identification, authentication, dynamic key management, and accounting. Compared to using one password or no password at all, RADIUS offers the advantages listed below.

  1. Enhanced security when implemented properly.
  2. Enhanced reporting and tracking based on client usernames, even more so when tied into a Lightweight Directory Access Protocol (LDAP) back end such as Active Directory.
  3. Ability to direct user groups into a User Profile based on LDAP membership and/or RADIUS attributes. This allows you to place restrictions on specific classes of users.
  4. When a user authenticates to a service set identifier (SSID) using RADIUS, that individual session is encrypted uniquely between the user and the access point. This means that another user connected to the same SSID cannot sniff the traffic and acquire information, because they have a different encryption key for their connection. With a pre-shared key (PSK) network, every device connected to the access point is on a “shared encryption” connection, so they can all see each other’s traffic if they choose to do so.
  5. If you need to de-authorize a particular user or device, having RADIUS makes this much easier, because you disconnect a single user or device without having to change the key for everyone, and without the security risk of that user re-joining the network with an access key they already know.
  6. You can assign network permissions such as VLAN, firewall policy (including application permissions), Quality of Service (QoS) settings, tunneling policies, schedules — everything within a user profile can be dynamically assigned to users based on their identity. With a pre-shared key, you only get a single user profile that everyone shares. You can assign different permissions based on the attribute returned from the RADIUS server.
Credit: Wikipedia.org

These are the fundamental elements of the RADIUS service.

AAA Process

In RADIUS, authentication and authorization are done by lookup in a database, and accounting is done by recording usage information there, too.

The sequence of events in the life-cycle of a RADIUS-mediated WiFi connection is as follows:

  1. An administrator provides commands to the RADIUS server to cause it to store the name and password of a user in its database.
  2. A user with a laptop connects by WiFi to the access point and requests something such as a web page, a file transfer from a remote host, a connection to a POP (email) server, etc.
  3. The access point challenges the laptop user for an ID and a password.
  4. The access point contacts the RADIUS server across the Internet and asks it to authenticate the user.
  5. The RADIUS server finds the user and password in its database, bestows its blessing, and logs the start of a new session.
  6. The access point proceeds to grant the laptop user the services he or she requests.
  7. When the user session terminates (whether or not by the user’s choice) the access point informs the RADIUS server which logs the end of the session.
Source: qnap.com
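The conversation in steps 3 to 6 can be followed byte by byte. The block below is an added example, not code from the article or from any RADIUS product: it builds an Access-Request in the RFC 2865 packet layout on the NAS side, answers it on the server side with an Access-Accept or Access-Reject whose Response Authenticator is computed from the shared secret, and then verifies that reply on the NAS side. The shared secret, the user database and the attribute/packet-code constants are the assumptions; the constants follow RFC 2865.

```python
import hashlib, hmac, os, struct
# Added example (not from the article or any RADIUS implementation): the Access-Request /
# Access-Accept exchange from the steps above in RFC 2865 layout; normally carried over UDP 1812.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3   # RFC 2865 packet codes
USER_NAME, USER_PASSWORD = 1, 2                          # RFC 2865 attribute types
SECRET = b"example-shared-secret"        # assumed secret shared by NAS and server
USERS = {"alice": "cafe-rewards-2016"}   # constructed user database (step 1)

def attr(kind, value):   # Type-Length-Value; Length counts its own two header bytes
    return struct.pack("!BB", kind, len(value) + 2) + value

def xor_chain(data, req_auth, unhide=False):
    """RFC 2865 5.2: each 16-byte block XOR MD5(secret + previous ciphertext block)."""
    out, prev = b"", req_auth
    for i in range(0, len(data), 16):
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], hashlib.md5(SECRET + prev).digest()))
        prev = data[i:i + 16] if unhide else block   # the chain always runs on ciphertext
        out += block
    return out

def hide_password(password, req_auth):
    return xor_chain(password.ljust((len(password) + 15) // 16 * 16, b"\0"), req_auth)
def unhide_password(hidden, req_auth):
    return xor_chain(hidden, req_auth, unhide=True).rstrip(b"\0")

def build_access_request(username, password, ident=0):
    """NAS side (steps 3-4): fresh random Request Authenticator, hidden password."""
    req_auth = os.urandom(16)
    body = attr(USER_NAME, username.encode()) + attr(USER_PASSWORD, hide_password(password.encode(), req_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + req_auth + body

def parse_attrs(data):
    attrs, i = {}, 0
    while i + 2 <= len(data) and data[i + 1] >= 2:   # stop on a malformed zero-length attribute
        attrs[data[i]] = data[i + 2:i + data[i + 1]]
        i += data[i + 1]
    return attrs

def handle_access_request(req):
    """Server side (step 5): recover the password, check the database, sign the reply."""
    _code, ident, length = struct.unpack("!BBH", req[:4])
    req_auth, attrs = req[4:20], parse_attrs(req[20:length])
    stored = USERS.get(attrs.get(USER_NAME, b"").decode(errors="replace"))
    ok = stored is not None and hmac.compare_digest(stored.encode(), unhide_password(attrs.get(USER_PASSWORD, b""), req_auth))
    head = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    return head + hashlib.md5(head + req_auth + SECRET).digest()   # Response Authenticator, no attributes

def nas_verify_reply(resp, req_auth):   # NAS side (step 6): grant service only on a signed Accept
    expected = hashlib.md5(resp[:4] + req_auth + resp[20:] + SECRET).digest()
    return hmac.compare_digest(expected, resp[4:20]) and resp[0] == ACCESS_ACCEPT
```

The password hiding shown is the plain PAP mechanism of RFC 2865; the EAP methods listed in the NPS section carry credentials inside EAP instead, but the Response Authenticator check the NAS performs is the same.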

Windows Server NPS RADIUS

For restaurant owners who already use Windows Server with domain networking, the NPS role can be installed and used for free. In Windows Server 2012, RADIUS is implemented by installing the Network Policy Server (NPS) role. RADIUS is a major feature of NPS.

Microsoft’s Windows Server platform provides a RADIUS server, an economical option for those already running (or planning to run) a Windows Server. Starting with Windows Server 2008, Microsoft provided the RADIUS service with its NPS role, whereas previously it was provided by the Internet Authentication Service (IAS) role. Like most other Windows Server roles, NPS configuration is GUI-based.

The RADIUS client can be defined by using a fully qualified domain name or an IP address, but groups of RADIUS clients can’t be defined by specifying an IP address range. The Enterprise and Datacenter editions allow an unlimited number of RADIUS clients and remote RADIUS server groups, and allow defining RADIUS clients via IP address ranges in addition to a domain name or single IP.

NPS supports the basic common authentication protocols: PEAP, EAP-TLS, PAP, SPAP, CHAP, MD5, MS-CHAP, MS-CHAPv2 and EAP-MD5. Additionally, Microsoft allows plug-ins of other vendors’ EAP methods on NPS. One such method is the one-time password (OTP), which is valid for only one login session or transaction on a computer system or other digital device. OTPs avoid a number of shortcomings that are associated with traditional static password-based authentication; a number of implementations also incorporate two-factor authentication by ensuring that the one-time password requires access to something a person has, such as a specific cellphone, as well as something a person knows, such as a personal identification number (PIN).

On Windows Server, if authentication and authorization are successful, users are granted access to the network resources for which they have permissions within the Active Directory database. In fact, NPS only uses Active Directory for the user name and password database. Windows Server can also proxy requests to multiple RADIUS servers for processing. For RADIUS accounting, Windows Server can write to a text file and/or a Microsoft SQL Server database. In short, Windows Server offers a robust and scalable solution with many advanced features, if you need them.

Credit: Linksys

For those without Windows Server

The most widely used and popular open source alternative is called FreeRADIUS. It is a free and open source RADIUS server released under the GNU General Public License Version 2 (GPLv2). Designed to run on Unix-based operating systems, like Linux, it’s primarily a non-GUI server in which you adjust settings in configuration files and run the server via the command line. It can serve the AAA needs of small networks with a few users or even service providers with millions of users. The installation is very simple and only takes a few minutes.

Source: FreeRADIUS.org

There isn’t any published hardware requirement for FreeRADIUS, but generally any commodity PC can serve up to a few hundred thousand users. It can run on a variety of platforms in many different operating systems (OS), including Linux (CentOS, Debian, Mandriva, Red Hat, SUSE, Ubuntu), Solaris, and FreeBSD. Many OSs have FreeRADIUS binaries in their package repositories, making the installation simple, but they might not be updated with the latest release. In these cases you can build the packages yourself with the FreeRADIUS source code but this can be a challenge, especially for those less experienced with Unix/Linux.

Summary

Even though RADIUS was initially designed for dial-up access, it is still useful today, especially for controlling access to WiFi networks. There are RADIUS servers for Windows Server as well as open source alternatives, since RADIUS is a standardized, multi-platform protocol rather than a specific piece of software. If you have questions or need more information about this topic, please leave your comments below. While you’re at it, like and subscribe if topics like this are of interest to you.
