By Bob Currier
Posted on ZDNet News: Mar 7, 2001 12:00:00 AM

Keeping the "black hats" (hackers) off your wireless network can be a tough task--by default, most wireless access points don't use authentication procedures. If you're running Dynamic Host Configuration Protocol (DHCP), anyone with an 802.11b-compliant network card can gain access to your network, receive an IP address and be surfing in seconds. If you're managing a public access network in a library, this doesn't present a problem; you want the general public on your network. An enterprise network manager with confidential information and sensitive servers, on the other hand, needs to know exactly who is accessing the network. Is there a way to keep the bad boys off your wireless LAN while allowing access to authorized individuals? If you're using access points that support the RADIUS protocol, the answer is a resounding "yes."

The Remote Authentication Dial-In User Service (RADIUS) protocol is a client/server security protocol defined in the IETF's RFCs 2138 and 2139. RADIUS allows network managers to reduce the risk of distributing security information across many devices by centralizing authentication and permission attributes in a single server. You can use a RADIUS server to authenticate the Media Access Control addresses of your 802.11b network cards--giving you complete control over who has access to your wireless network.

Robert Currier is the Director of Data Communications at Duke University.

I'll be discussing the GNU General Public License server from the FreeRADIUS project in the following examples. FreeRADIUS is similar to the Livingston 2.0 and Cistron RADIUS servers but is considerably more configurable and has a number of additional features.

FreeRADIUS is available in source code format only. Fortunately, the source code is well written and compiles under Linux or Solaris without difficulty. Simply uncompress the code (tar xvfz radiusd-cistron-1.6-stable.tar.gz), change to the src directory, copy the appropriate makefile for your operating system (cp Makefile.lnx Makefile), and run make and make install.

The RADIUS server uses two files to control access rights: /etc/raddb/clients and /etc/raddb/users. The clients file contains a list of clients that are allowed to use the RADIUS server to authenticate users. You need to add the IP address and password for each access point on your wireless network to this file. A typical entry looks like this:

    # Client Name              Key
    ap1.yournetwork.com       testing123

The key needs to match the RADIUS password on the access point that's being authenticated. If an access point isn't listed in the clients file or the key is mismatched, it will be denied access and users won't be able to log into the wireless network.

The /etc/raddb/users file contains a list of authorized MAC addresses. A RADIUS server is typically used to authenticate dial-up users and requires a username and password to be defined in the users file. In this case, the username is the MAC address of the wireless network card and the password must match the RADIUS password on the access point. Any mismatch will result in the user being denied access to the network. A typical users entry looks like this:

    #Access point Woodstock
    00601d-1c54d8 Auth-Type = Local, Password = "testing123"
            Service-Type = Framed-User,
            Framed-Protocol = PPP,
            Framed-Routing = Broadcast-Listen,
            Framed-MTU = 1500,
            Framed-Compression = Van-Jacobson-TCP-IP

    #Bob's Orinoco card
    00022d-08da85 Auth-Type = Local, Password = "testing123"
            Service-Type = Framed-User,
            Framed-Protocol = PPP,
            Framed-Routing = Broadcast-Listen,
            Framed-MTU = 1500,
            Framed-Compression = Van-Jacobson-TCP-IP

The first entry contains the MAC address of the wireless card installed in the access point Woodstock--all access points must have an entry in the users file or they won't be able to access the RADIUS server. The second entry shows a typical user profile--in this case, it's my Lucent Orinoco Silver PCMCIA card.

After you've added all the access points to the clients file and entered MAC addresses in the users file, restart the RADIUS server with the command kill -HUP process-id. You still need to configure each access point to use the RADIUS server. If you're using the Lucent AP-1000, it's a straightforward procedure: Use Lucent's access point management software to connect to the unit, click on the "access control" tab and check the Edit RADIUS box. Enter the IP address of the RADIUS server and the password you defined in the clients file, reboot the access point and you're done.
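A consistency check for the two files described above, added here as an example; it is not code from the article or from the FreeRADIUS project. It parses constructed sample clients and users files in the formats shown, verifies that each username is a MAC address in the aabbcc-ddeeff form used here, flags entries whose Password matches no access point key (the mismatch that results in denied access), and rejects a clients key that a stray space has split into extra fields.

```python
import re
# Constructed sample files in the formats the article shows (not the page's own).
CLIENTS_SAMPLE = """# Client Name            Key
ap1.yournetwork.com     testing123
"""
USERS_SAMPLE = """#Access point Woodstock
00601d-1c54d8 Auth-Type = Local, Password = "testing123"
        Service-Type = Framed-User,
        Framed-MTU = 1500

#Bob's Orinoco card
00022d-08da85 Auth-Type = Local, Password = "wrongpass"
        Service-Type = Framed-User
"""
MAC_RE = re.compile(r"^[0-9a-f]{6}-[0-9a-f]{6}$")  # aabbcc-ddeeff form used above

def parse_clients(text):
    """Return {client_name: key}; fields are whitespace-separated, '#' starts a comment."""
    clients = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 2:  # a key with a space in it splits into extra fields
            raise ValueError("malformed clients line: %r" % line)
        clients[fields[0]] = fields[1]
    return clients

def parse_users(text):
    """Return {username: password} taken from the first line of each users entry."""
    users = {}
    for line in text.splitlines():
        if not line or line[0] in " \t#":
            continue  # reply items are indented; comments start with '#'
        parts = line.split(None, 1)
        m = re.search(r'Password\s*=\s*"([^"]*)"', parts[1] if len(parts) > 1 else "")
        users[parts[0]] = m.group(1) if m else None
    return users

def check_config(clients_text, users_text):
    """Return problems that would make an entry fail the way the article describes."""
    problems = []
    keys = set(parse_clients(clients_text).values())
    for mac, password in parse_users(users_text).items():
        if not MAC_RE.match(mac.lower()):
            problems.append("%s: username is not a MAC address in aabbcc-ddeeff form" % mac)
        if password not in keys:
            problems.append("%s: password matches no access point key" % mac)
    return problems
```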

You should now have an operating RADIUS server and access points that deny access to unauthorized users. Spoofing IP addresses won't work--MAC addresses that don't successfully authenticate are not allowed to pass through the access point. Your wireless network is now secured against interlopers.
