Although you could deploy a standalone RADIUS server, you should first check if your other servers (like a Windows Server) already provide this function. If not, consider a cloud-based or hosted RADIUS service. Also keep in mind that some wireless access points or controllers provide a basic built-in RADIUS server, but their performance and feature limits typically make them useful only for smaller networks.
An example of how you'd configure the APs with the RADIUS server’s IP, port and secret. Credit: CloudTrax
Secure the 802.1X client settings
Like other security technologies, the enterprise mode of Wi-Fi security still has some vulnerabilities. One of these is the man-in-the-middle attack, with a hacker sitting in an airport or cafe, or even outside in the parking lot of a corporate office. Someone could set up a fake Wi-Fi network with the same or similar SSID as the network they’re trying to imitate; when your laptop or device attempts to connect, a bogus RADIUS server could capture your login credentials. The thief could then use those credentials to connect to the real Wi-Fi network.
A way to prevent man-in-the-middle attacks with 802.1X authentication is to utilize server verification on the client side. When server verification is enabled on the wireless client, the client won’t pass your Wi-Fi login credentials to the RADIUS server until it verifies it’s communicating with a legit server. The exact server verification capabilities and requirements you can impose on the clients will vary, depending upon the device or OS of the client.
In Windows, for instance, you can enter the domain name(s) of the legit server, select the certificate authority that issued the server’s certificate, and then choose to not allow any new servers or certificate authorities. So if someone has set up a fake Wi-Fi network and RADIUS server and you try to log on to it, Windows will stop you from connecting.
You find the 802.1X server verification feature in Windows when configuring the EAP settings of the Wi-Fi connection. Credit: Microsoft
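The three Windows settings just described (trusted server names, the issuing CA, and no prompting for new servers or CAs) end up in the XML that `netsh wlan export profile` writes. The checker below is an added example, not from the article or from Microsoft; it audits a PEAP profile fragment for those settings. The element names follow the Windows PEAP profile schema as recalled here (an assumption), and the sample fragments and the CA thumbprint are constructed placeholders.

```python
import xml.etree.ElementTree as ET


def peap_fragment(perform, no_prompt, server_names, root_ca_thumbprint):
    """Build a constructed EapHostConfig fragment (Windows PEAP schema, assumed)."""
    ca = f"<TrustedRootCA>{root_ca_thumbprint}</TrustedRootCA>" if root_ca_thumbprint else ""
    return f"""<EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
 <Config><Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1"><Type>25</Type>
  <EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
   <ServerValidation>
    <DisableUserPromptForServerValidation>{str(no_prompt).lower()}</DisableUserPromptForServerValidation>
    <ServerNames>{server_names}</ServerNames>{ca}
   </ServerValidation>
   <PeapExtensions>
    <PerformServerValidation xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">{str(perform).lower()}</PerformServerValidation>
   </PeapExtensions>
  </EapType></Eap></Config>
</EapHostConfig>"""


def audit_peap_profile(xml_text):
    """Return a list of findings; an empty list means server verification is fully enforced."""
    root = ET.fromstring(xml_text)

    def text(tag):
        # "{*}" matches the element in any namespace (Python 3.8+).
        el = root.find(f".//{{*}}{tag}")
        return (el.text or "").strip() if el is not None else ""

    findings = []
    if text("PerformServerValidation").lower() != "true":
        findings.append("PerformServerValidation is not true: the RADIUS server certificate is never checked")
    if not text("ServerNames"):
        findings.append("ServerNames is empty: any server holding a certificate from a trusted CA is accepted")
    if not text("TrustedRootCA"):
        findings.append("TrustedRootCA is missing: any root in the machine's trusted store is accepted")
    if text("DisableUserPromptForServerValidation").lower() != "true":
        findings.append("DisableUserPromptForServerValidation is false: users may approve a new server or CA")
    return findings


# Constructed samples: a profile that validates but pins nothing, and the hardened form
# the article describes (server names plus issuing CA, no prompts). Thumbprint is a placeholder.
WEAK = peap_fragment(True, False, "", "")
HARDENED = peap_fragment(True, True, "radius.example.com;radius2.example.com", "00 11 22 33 PLACEHOLDER")

if __name__ == "__main__":
    for name, profile in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_peap_profile(profile) or ["ok"])
```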
Use rogue-AP detection or wireless intrusion prevention
We’ve already touched on three vulnerable access point scenarios: one where an attacker could set up a fake Wi-Fi network and RADIUS server, another where someone could reset an AP to factory defaults, and a third where someone could plug in their own AP.
Each of these unauthorized APs could go undetected by IT staff for a long period of time if proper protection isn’t put in place. Thus, it’s a good idea to enable any type of rogue detection offered by your AP or wireless controller vendor. The exact detection method and functionality vary, but most will at least periodically scan the airwaves and send you an alert if a new AP is detected within range of the authorized APs.