9.5 RADIUS Authentication

   

Configuring access points to use RADIUS to authenticate users can further enhance wireless network security. RADIUS authentication gives network administrators much more granular control over network access through WLAN access points.

RADIUS authentication is not supported by all access points and is not required as part of the 802.11 standard. However, the security risks inherent in the 802.11 standard have encouraged many vendors to include RADIUS support. Access points from vendors such as Cisco, Linksys, Lucent, and Proxim include RADIUS capabilities, and RADIUS software from Funk Software and others includes special extensions to support wireless RADIUS authentication.

The authentication process with RADIUS is outlined in Figure 9.3. A user connects to an access point and the network card authenticates using SSID, WEP, or both. A RADIUS request is then forwarded from the access point to a RADIUS server. The RADIUS server authenticates the user, who is now able to pass traffic across the network. For redundancy, a second RADIUS server can be added to the access point. If the primary server fails, users will be automatically forwarded to the secondary server.

Figure 9.3. A WLAN network using RADIUS authentication. The RADIUS server forces WLAN users to authenticate before gaining network access.


As expected, if a user is unable to authenticate to the RADIUS server, he or she is not granted access to the network. RADIUS authentication prevents unauthorized users from gaining network access through the WLAN. It also puts WLAN users on the same level as other users on the network; they have to log into the network in the same manner as everyone else.
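The exchange described above, from the access point's side, as an added example that is not from the book: the access point builds an Access-Request, tries the primary server and then the secondary, and admits the user only on an Access-Accept whose Response Authenticator verifies. The packet layout follows RFC 2865; `toy_server`, `SECRET`, and `USERS` are constructed stand-ins for a real RADIUS server reached over UDP.

```python
import hashlib, hmac, os, struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3   # RFC 2865 packet codes
SECRET = b"constructed-shared-secret"   # constructed sample value
USERS = {"alice": b"correct horse"}     # constructed sample account

def hide_password(password, secret, authenticator):
    """RFC 2865 sec. 5.2: XOR the zero-padded password with an MD5 keystream."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def build_request(ident, user, password, secret):
    """Access-Request as the access point (the RADIUS client) sends it."""
    auth, attrs = os.urandom(16), b""
    for typ, val in ((1, user.encode()), (2, hide_password(password, secret, auth))):
        attrs += bytes([typ, len(val) + 2]) + val      # User-Name, User-Password
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + auth + attrs

def toy_server(packet, secret=SECRET, up=True):
    """Constructed stand-in server; returns None when 'down' to model a timeout."""
    if not up:
        return None
    ident, req_auth, attrs, fields = packet[1], packet[4:20], packet[20:], {}
    while attrs:                                       # walk type/length/value attributes
        typ, length = attrs[0], attrs[1]
        fields[typ], attrs = attrs[2:length], attrs[length:]
    user = fields[1].decode()
    ok = user in USERS and hide_password(USERS[user], secret, req_auth) == fields[2]
    head = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    return head + hashlib.md5(head + req_auth + secret).digest()

def authenticate(user, password, servers, secret=SECRET):
    """Try primary, then secondary; grant access only on a verified Access-Accept."""
    request = build_request(1, user, password, secret)
    for server in servers:
        reply = server(request)
        if reply is None:
            continue                                   # timeout: fail over to next server
        expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
        if reply[1] != request[1] or not hmac.compare_digest(reply[4:20], expected):
            return False                               # reply not from a holder of the secret
        return reply[0] == ACCESS_ACCEPT
    return False                                       # no server reachable: fail closed
```

Only the User-Password attribute is obscured in the request; the user name and everything else travel in the clear, which is consistent with the point below that RADIUS does not encrypt data.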

RADIUS authentication, when used in conjunction with a strong password policy, helps to deter unauthorized users from gaining access to network resources. Unfortunately, RADIUS authentication will not solve the problem of attackers scanning the wireless spectrum looking for data, because RADIUS does not encrypt data. RADIUS authentication is generally used when authentication is more of a concern than encryption.

It is not a good idea to use RADIUS authentication as the only form of WLAN security. Administrators sometimes enable WLAN RADIUS and then disable the existing security functions. This makes it easier for users to log into the network, but it lessens WLAN security. Even though WEP security is severely flawed, it is still better than broadcasting data in clear text.

RADIUS should generally be used in conjunction with WEP and, if possible, MAC address filtering. WLAN traffic should also be segmented. If possible, all access points should plug into the same switch or group of switches. Keeping WLAN traffic segmented in this manner helps to limit the damage an attacker can do if the WLAN security is breached.

   


The Practice of Network Security: Deployment Strategies for Production Environments
ISBN: 0130462233
EAN: 2147483647
Year: 2002
Pages: 131
Authors: Allan Liska
