How to Secure Network with RADIUS Server

The Star is the most common topology in today’s network environments. This topology allows connecting all devices on the network to one or more central interfaces. The interface on the LAN network could be a router or a server. All wired devices can be connected to the server or router with a simple switch. The switch is not the central facility, it is only a „medium“ to connect the network devices.

topology_star_radius

Where and when to use Radius Server.
The most vulnerable part of any network environment are wi-fi networks and connections. Low-Security Wi-Fi network can be easily hacked and the data were stolen. The Attacker can perform network scanning and capture private information.

As a result of this security breaches, I would like to introduce to you the way, how to secure your wi-fi network with the help of the RADIUS server. This technique is cost effective,  widely implemented and is considered to be relatively secure.

The RADIUS server is a server that uses the RADIUS protocol. The Radius server uses three main services:

Authentication

Authorization

Accounting

Authentification – a process where the user is prompted to enter a username and password.

login_window_radius

Authorization – RADIUS server compares the username and password with the data available in the database, and grant or denied the access to the network

Accounting – accounting is used for any data transfer limitations  and restrictions of the download speed, which is passing trough the associated VLAN. Each client, who is logged in will be placed in a VLAN, which is provided for the group of users. For VLAN network, it can define different restrictions. These restrictions operate at the virtual port, which is VLAN assignment. VLAN in the network can accommodate dozens of user profiles. The client is one point in time not be placed in two VLAN networks. If he wants to go to a different VLAN network, you need to log in again to net another username and password.

Wi-Fi 802.11 below, includes a WiFi network with WPA / WPA2 (WiFi Protected Access). Both networks use the authentication process using the PSK (pre-shared key) or WPA-Enterprise. WPA-Enterprise uses TKIP with RC4 encryption while WPA2-Enterprise adds AES encryption.

WPA/WPA2 Enterprise is used together with a RADIUS server, which is located on the network behind the router. AP router must support WPA / WPA2 Enterprise.

login_8021x_radius

WPA / WPA2 is also included in 802.1X, it’s the type of centralized security standard for enterprise Wi-Fi networks.

How to implement the Radius Server.
RADIUS server is used by thousands of regional Internet providers around the world. Use of the tunneling protocols such as PPTP, L2TP for proof of identity at the PPP connection is very common.

pppoe

The DSL lines providers are using PPPoE. Radius servers are used mainly for their accounting services. As a part of this service provider will mainly limit the internet speed and link aggregation.

What software can be used for common Radius server?
Linux Zeroshell is strongly recommended. It is a comprehensive operating system, which allows providing OEM services. In addition, the operating system can find other programs,and services such as VPN, DHCP, DNS, Captive Portal, Net Balancer, QoS, etc.

zeroshell_management

Linux Zeroshell can be installed directly from the USB. The software has to be downloaded from the site zeroshell.org. The LiveCD is a CLI  (Command Line) script, which can unpack the image of Zeroshell Linux from a USB key storage on the hard disk. After this process, the system can be accessed directly from the server, where the software is installed.

All settings such as Static / Dynamic IP, GATEWAY can be found in the router settings .

zeroshell_web_gui

Linux Zeroshell also offers a web interface, where you can set up and access all services. The first step is to configure private IP addresses in the web interface.

It is necessary to set up servers address 192.168.1.2 (192.168.1.1 is on IP router / AP – Gateway, provided on a 24-bit mask – 255.255.255.0). The RADIUS server provides pairing with an access point supporting WPA2 Enterprise with a shared secret.

shared_secret

Shared Secret is any string of characters shared by both devices. The server also provides export .PEM key within the certificate. Certificates will be installed on each client computer that should have access to the network. The RADIUS server verifies the certificate for the purpose of authentification. This authentification follows the path of the server settings, if that doesn’t match, or the client can’t be found, the access will be denied.
Zeroshell Linux can also run on old computers, it has a minimal load on the computer’s hardware.
Minimum requirements for the smooth running of services is:

CPU: 223Mhz
GPU: VGA
RAM: 96 MB
HDD:: 1,5GB (min)
NIC: compatible network card

If you want to make a RADIUS server from an old computer, you can use half-duplex network card too. Verify process is really fast, it will take not more than 10 seconds. When I tested RADIUS server it was on a very tiny level of RAM usage, it really was 88 MB with running services: RADIUS, Accounting, DHCP, DNS. This software has no limits. There is no limiting the number of connections to the network via 802.1x. To reduce the limit of the network, we can use MAC address filtering or IP address filtering. Limit of LAN network is mostly limited by low-cost routers and network mask. RADIUS server supports each class of IP, especially each mask.

How to set up an AP/ROUTER
The access point or Router is a device that emits wifi in the room or in the Office. It is necessary to set the WAN network after authentication to be able to access the Internet. The LAN is necessary to set up DHCP, and especially include all internal addresses. AP router is the DNS for the whole network if the network does not use a separate DNS server.

static_ip

When setting up Wi-Fi network, you can find the 802.1x and WPA / WPA2 Enterprise. This is a completely identical standard. When this standard states the IP address of the RADIUS server, the standard automatically shares the shared secret too. If you want to set up 802.1x security for cable internet connection, you must use managed Switch from Cisco or Mikrotik.

Routers from Mikrotik also provide Captive Portal as WRT function. It is login page right in your web browser. WRT function can redirect you to HTML/PHP page, where are some input arrays where you can enter your login information. Captive Portal is the same function like WRT, but Linux Zeroshell is for free, Mikrotik routers not, they are so expensive and of course, if you want to make Hotspot place with login page you must use multiple routers, not only one.

Verification
The login process to the network controls the supplicant. This service prompts the user to enter a username and password. This report with a username and password is encapsulated as EAPoL and is transmitted in a TLS tunnel with 256-bit encryption.

peap_ssid_profile

In Windows 7 you must set up 802.1x in the profile of the wireless network. This message is sent to the AP and the process proceeds to MAC addresses because the client does not have assigned IP address. Radius server decrypts the message, as they both share the same symmetric encryption key. EAP (without oL) is sent to the AP through the Radius TLS tunnel formed between the static IP of the server and the router. After verification of the username and password sent to the server, the access is accepted or denied.

dhcp

The result is  to inform AP / router if the access is granted with the assigned IP addresses. After the allocation of an IP address, the  supplicant communicates with the RADIUS server, where the valid certificate must be located. If access is granted the flow of communication is established to all ports and the symmetric key is created.

Verification of the username and password is done through PEAP, this is the Protected EAP (Extensible Authentication Protocol). The second step is verifying and certifying provided symmetric key via MSCHAPv2. Both steps are encrypted in a TLS tunnel.

Modern operating systems such as Windows 8, 10, or Android, iOS may not have the certificate installed, they can obtain it from the RADIUS server. Windows XP does not have support for this standard. You can easily install it via SP3 package.

Advantages and disadvantages of WPA2 Enterprise

Advantages:

Verifying username and password

256-bit AES encryption

Account creation

sided with MSCHAPv2 authentication

support older computer as a server
Disadvantages:

The inability to limit one user per one account

Necessary to set up network profile for the older OS

Implementing only for wireless network with Linux Zeroshell as RADIUS OS

 

Leave a Reply