
Set Up an Internal RADIUS Server (Part 1)

Small businesses can save money and beef up security by purchasing an access point with a RADIUS server built in. We tell you how to set one up using the ZyXEL NWA-3160 as an example.

A RADIUS server, required for 802.1x authentication, can be obtained in a few ways, one of which is to purchase an access point (AP) with one built in. Going this route provides a low-cost, easy-to-set-up solution for small businesses looking to build a very secure but affordable Wi-Fi network. Instead of spending $600+ (up to thousands of dollars) for a traditional RADIUS server, a small business or individual consumer can purchase an AP that includes a simple RADIUS server for just $100 to $200.

In this two-part tutorial, we walk readers through step-by-step instructions for setting up an AP's internal RADIUS server. For this series, we used the NWA-3160 AP from ZyXEL. The beauty of this solution is the simplicity of the money-saving workaround. Even if you already have an existing wireless network, you can add a single NWA-3160 (or any similar AP) and use its RADIUS server for the whole network, enabling 802.1x authentication and WPA-Enterprise encryption at a fraction of the cost of a traditional server. In other words, only one NWA-3160 is needed; it can serve as the RADIUS server for all the other APs on the network.

If yours is a very basic WLAN, based on a single wireless router, connect the NWA-3160 to the router via one of the Ethernet ports on the router's back. Then you can follow the steps in this tutorial. For larger Wi-Fi networks, the ZyXEL AP can be added anywhere along the string of existing APs. The other APs on the network should then be configured to use the internal RADIUS server of the NWA-3160. If you are currently designing an advanced Wi-Fi network, the NWA-3160 can be chosen as the model for all the APs, even though only one is required for its internal RADIUS server.

In Part 1 of this tutorial, we'll get the NWA-3160 talking with the existing network, turn on the internal RADIUS server, and get the digital certificate for the server and clients sorted out. Part 2 will conclude by stepping through setting up the APs and preparing the clients for the connection.

Configure the basic settings

Before beginning the configuration of the internal RADIUS server, we need to set the basic (LAN) settings to make the AP part of the existing network. First, plug the AP into an electrical outlet and connect wirelessly to it from a computer. Since the AP can't give an IP address to the computer (it doesn't have a DHCP server) and isn't yet set up to communicate with the router (which hands out IP addresses from its DHCP server), the computer's network adapter would not receive an address. For now, we'll configure the computer's network adapter with a static IP address and subnet mask within the AP's default subnet. For example, an IP address of 192.168.1.3 and a subnet mask of 255.255.255.0 would work for the NWA-3160, as Figure 1 shows.

Figure 1. Then access the Web-based configuration utility by entering the AP's default IP address (192.168.1.2 for the NWA-3160) into a Web browser and log in with the default password (1234 for the NWA-3160). Change that default password before the AP goes on the network: anyone who can log in can edit the trusted APs, user accounts and certificate you are about to configure. Now go to the IP section and change the AP's default IP settings (see Figure 2) to match your existing network.

Figure 2. If the IP address of the router on the existing network is 192.168.1.1, leave the AP's default IP address and subnet mask alone, but enter the router's IP address as the gateway IP address. Keep in mind that IP addresses must be unique. Therefore, if setting up multiple APs, the following addresses could be used for the different APs: 192.168.1.2, 192.168.1.3, 192.168.1.4, 192.168.1.5, and so on. If the router's IP address is 192.168.0.1, the following addresses would work for the APs: 192.168.0.2, 192.168.0.3, 192.168.0.4, and so on. In most home and small-office networks the subnet mask is 255.255.255.0, and that value works with either router address. Remember, the gateway IP address is the address of the router on the network. Also make sure the static addresses you give the APs lie outside the range the router's DHCP server hands out, so that a client is never issued the same address. After the appropriate IP settings have been set for the AP, computers connecting to the new AP(s) will be given IP addresses automatically, provided the DHCP server on the router hasn't been disabled in favor of a static IP address scheme.

If the network is using DHCP, the computer that was used to set the AP's initial settings can be set back to obtain an IP address automatically; it no longer needs a static address. If the network is not using DHCP, the network adapter can be changed to the appropriate static IP settings. To finish the basic install of the AP, find an optimal spot for it and connect it to the existing network (a router or switch) via an Ethernet cable.

Enable the internal RADIUS server

After configuring the AP to work with the existing network, access the settings for the internal RADIUS server by clicking the AUTH. SERVER link on the Web-based configuration screen. Make sure the Active check box is marked (see Figure 3), which enables the server.

Figure 3. Next, click the Trusted AP tab and enter the IP addresses of all the APs on the network, each with a unique shared secret. Figure 4 shows an example. Don't forget to mark the Active check box for each AP entry.

Figure 4. Tip: When creating shared secrets for the APs, choose long, mixed-case, mixed-character passwords, up to the 31 alphanumeric characters the NWA-3160 allows, and generate them randomly rather than reusing a word. Later, these secrets are entered into the APs; each one authenticates the RADIUS traffic between that AP and the server and protects the per-session Wi-Fi keys the server hands back to the AP after a successful login, so keep a copy of them in a safe place. The same goes for the account passwords, which can be up to 14 characters in length; use strong passwords and keep them safe.

Next, select the Trusted Users tab and create a user name and password for each person who will access the network, selecting Active for each entry. These are the username and password combinations that users will enter when connecting to the Wi-Fi network.

Configure and distribute the digital certificate

Our setup is designed to have the wireless clients verify the identity of the RADIUS server before a connection is established. This helps prevent someone from setting up a fake or rogue AP to capture the usernames and passwords people use to connect: with PEAP, a client that skips this check hands its MS-CHAPv2 handshake to whichever server answers, and the password can then be recovered from that handshake offline. Digital certificates are used for this verification process. The certificate loaded on the RADIUS server must be from a certificate authority (CA) that the computer trusts, such as VeriSign. When a self-signed certificate is used instead (such as the one the NWA-3160 creates), users typically have to install the certificate on the computer manually for the verification to work, because the certificate is not from a CA that computers automatically trust.

We can load a certificate on the AP's RADIUS server either by using the built-in utility of the NWA-3160, which creates a self-signed certificate, or by uploading a certificate purchased from a third-party CA. If using the built-in utility, make sure to replace the factory certificate with one that is unique. This certificate (which is based upon the NWA-3160's MAC address) can be created after logging into the AP for the first time, on the Replace Factory Default Certificate page that appears. If that step was skipped or ignored, go to the CERTIFICATES section of the AP's configuration screen and click the Replace button. To upload a third-party certificate, click the Import button in the CERTIFICATES section.

If using a self-signed certificate, each Windows computer that will use the WPA-Enterprise network needs to have that same certificate installed. If a certificate was purchased from a CA that Windows automatically recognizes, this isn't necessary. Installing the certificate (whether self-signed or not) on Mac OS X machines isn't required either; OS X prompts the user to accept the server's certificate on the first connection instead.

The first step to get the self-signed certificate onto the Windows computers is to export the server certificate to a .crt file. In the CERTIFICATES section of the AP's configuration screen, click the Details button, scroll down the details page, and click the Export button. In the Save As box, browse to a location to save it, add the .crt extension to the file name, and click Save. To install the certificate on a Windows computer, right-click the .crt file and choose Install Certificate. In the Certificate Import Wizard that appears, click Next. Then select the Place all certificates in the following store option, click Browse, choose the Trusted Root Certification Authorities store, and click OK. Click Next and then Finish. Because that store is trusted for everything, distribute the exported file over a channel you control rather than letting users fetch it from an untrusted source.

Set Up an Internal RADIUS Server (Part 2)

Part 1 described setting up the built-in RADIUS server of the ZyXEL NWA-3160 AP: we walked through the initial IP configuration so the AP could join the network, enabled the internal RADIUS server, entered the AP and user information, and created a self-signed digital certificate that we installed on the server and our PCs. Now that the server side is complete, this final installment configures the APs and PCs with the appropriate settings. Our goal is affordable, enterprise-level WPA encryption with 802.1x authentication. Soon we'll have a robust wireless network up and running, for a fraction of the cost and time it takes to set up a traditional RADIUS server.

Enable WPA/802.1x on the APs

The first step is to configure the APs (and the wireless router, if one exists on the network) to use the WPA-Enterprise encryption method and set the 802.1x/RADIUS settings.

For more advanced APs, such as the NWA-3160, profiles are used: the security and RADIUS settings are applied to their respective profiles, which are then applied to a wireless profile. More basic APs and wireless routers have all the encryption and 802.1x settings on a tab labeled Wireless or Wireless Security (or something similar), as shown in Figure 1 (below).

Figure 1.

Though we will discuss exactly how to configure the ZyXEL AP, here are the basic guidelines to follow when setting up any AP or wireless router:

- Enable WPA encryption: Select either WPA-Enterprise or WPA2-Enterprise (in some cases just referred to as WPA or WPA2), depending upon the version supported by the wireless clients. Some APs support a mixed mode where both WPA versions can be used concurrently. Prefer WPA2 wherever the clients support it.
- Choose the algorithm or cipher type: Select TKIP if using WPA, AES if using WPA2, or both (or Auto) if using WPA mixed mode. AES is the stronger choice; TKIP is a legacy cipher with known weaknesses.
- Enter the RADIUS server IP address: This is the IP address of the NWA-3160 that is hosting its internal RADIUS server.
- Enter the RADIUS server port: If the port of the NWA-3160's internal RADIUS server hasn't been changed from its default, enter 1812; otherwise enter the custom port.
- Enter the shared secret: Enter the secret created for this specific AP when the trusted APs were entered into the ZyXEL AP. It must match that AP's entry on the Trusted AP tab exactly; otherwise authentication requests from that AP will fail.
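The shared secret introduced on the Trusted AP tab in Part 1, and re-entered on each AP in the guidelines above, is what lets the server tell a trusted AP from a stranger. The following Python program is an added example, not code from the tutorial or from ZyXEL: it builds an Access-Request the way an AP (the NAS) does, following RFC 2865 and RFC 2869, and then applies the server-side checks the Trusted AP table implies: the source address must be listed, and the Message-Authenticator must verify under that AP's secret. The AP addresses, secrets, user name and EAP payload are constructed sample values, and the program mirrors the standard, not the NWA-3160's own implementation, which is not public.

```python
# Added example (not from the ZyXEL tutorial): RFC 2865/2869 Access-Request
# construction and the server-side checks the NWA-3160's "Trusted AP" table
# implies. Sample addresses, secrets and user name are constructed values.
# Python 3 standard library only.
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80

# Constructed Trusted AP table: AP address -> shared secret (31 mixed-case
# alphanumerics, the maximum the tutorial gives for the NWA-3160).
TRUSTED_APS = {
    "192.168.1.2": b"Qv7mPz2kLw9eRt4uYb8nHc1sXd3Gf5J",
    "192.168.1.3": b"Zk3wNq8pLr5hVt2cJm7yBg4fSd6Hn9W",
}

def attr(kind, value):
    """Encode one Type-Length-Value attribute; Length counts the 2-byte header."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value longer than 253 bytes")
    return bytes([kind, len(value) + 2]) + value

def build_access_request(ident, secret, nas_ip, username, eap_message=None,
                         req_auth=None):
    """Build an Access-Request as the AP (the NAS) sends it to UDP port 1812.
    Message-Authenticator (RFC 2869 5.14) is HMAC-MD5 keyed with the shared
    secret over the whole packet with its own value zeroed; it is required
    whenever EAP-Message is present, i.e. for every 802.1x/PEAP exchange."""
    req_auth = req_auth or os.urandom(16)  # 16 random bytes per request
    attrs = attr(ATTR_USER_NAME, username)
    attrs += attr(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
    if eap_message is not None:
        attrs += attr(ATTR_EAP_MESSAGE, eap_message)
    attrs += attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))  # zero placeholder, kept last
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    packet = header + req_auth + attrs
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac

def parse_attributes(packet):
    """Yield (type, value, offset) for each attribute after the 20-byte header."""
    pos = 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("malformed attribute")
        kind, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute")
        yield kind, packet[pos + 2:pos + length], pos
        pos += length

def check_access_request(packet, src_ip, trusted_aps):
    """Server side of the Trusted AP tab: the sender must be listed and the
    Message-Authenticator must verify under that AP's secret. Returns
    (accepted, reason); a real server silently discards anything rejected here."""
    if src_ip not in trusted_aps:
        return False, "request from an AP that is not in the trusted list"
    secret = trusted_aps[src_ip]
    if len(packet) < 20:
        return False, "short packet"
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        return False, "bad header"
    try:
        attrs = list(parse_attributes(packet))
    except ValueError as exc:
        return False, str(exc)
    macs = [(v, off) for k, v, off in attrs if k == ATTR_MESSAGE_AUTHENTICATOR]
    if any(k == ATTR_EAP_MESSAGE for k, _, _ in attrs) and not macs:
        return False, "EAP-Message without Message-Authenticator"
    for value, off in macs:
        # Recompute over the packet with this attribute's value zeroed.
        zeroed = packet[:off + 2] + bytes(16) + packet[off + 18:]
        expected = hmac.new(secret, zeroed, hashlib.md5).digest()
        if not hmac.compare_digest(expected, value):
            return False, "Message-Authenticator mismatch (wrong shared secret?)"
    return True, "ok"

if __name__ == "__main__":
    # EAP-Response/Identity (code 2, id 1, length 10, type 1) for user "alice":
    # the first leg of PEAP, carried inside EAP-Message.
    eap = struct.pack("!BBH", 2, 1, 10) + b"\x01" + b"alice"
    pkt = build_access_request(7, TRUSTED_APS["192.168.1.2"], "192.168.1.2",
                               b"alice", eap_message=eap)
    print(check_access_request(pkt, "192.168.1.2", TRUSTED_APS))  # (True, 'ok')
    print(check_access_request(pkt, "192.168.1.3", TRUSTED_APS))  # secret differs
    print(check_access_request(pkt, "192.168.1.9", TRUSTED_APS))  # not listed
```

Run as a script, it accepts the request from the listed AP and rejects both the second AP (listed, but with a different secret, so the HMAC does not verify) and an unlisted address. The same secret also encrypts the session keys the server returns in its Access-Accept, which is not shown here; both uses are why a secret that matches on both ends, and is long enough not to be guessed from captured packets, matters even though PEAP carries the user's own password inside TLS.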

To configure the NWA-3160 with WPA-Enterprise to use its own internal server for authentication, follow these steps:

1. Log in to the Web-based configuration utility, click the Wireless section, and choose the RADIUS tab.
2. For the Primary RADIUS Option, check the Internal radio button (see Figure 2) and click Apply.

Figure 2.

3. Choose the Security tab.
4. Select the security01 profile and click Edit.
5. For the Security Mode, choose WPA (or WPA2, where the profile offers it and your clients support it) and click Apply.

Now the ZyXEL AP is set to use its own RADIUS server for the 802.1x authentication process. If multiple NWA-3160s are on the network, follow these steps to set up the others to use the NWA-3160 that is hosting the internal RADIUS server:

1. Log in to the Web-based configuration utility, click the Wireless section, and choose the RADIUS tab.
2. For the Primary RADIUS Option, check the External radio button and mark the Active checkbox.
3. Enter the IP address of the ZyXEL AP that is hosting the RADIUS server, enter the server port (1812 by default), enter the Shared Secret for this particular AP (the one recorded for its address on the Trusted AP tab), and click Apply. See Figure 3 for an example.

Figure 3.

4. Choose the Security tab.
5. Select the security01 profile and click Edit.
6. For the Security Mode, choose WPA and click Apply.

This AP is now set up to use the internal RADIUS server of the other ZyXEL AP.

Configure the wireless clients with the WPA/802.1x settings

Once all the network infrastructure components are set with the appropriate encryption and authentication settings, the wireless clients can be configured. In Windows, this requires the administrator or user to manually create a profile (or preferred network entry) for the network in order to set the 802.1x settings. After this initial configuration, users can connect to the network like any other wireless network and enter their username and password for access. Follow these steps to configure Windows XP with the appropriate settings:

1. Double-click the wireless network icon in the system tray. If the icon isn't visible, click Start, Network Connections, right-click the wireless connection, and select Properties.
2. On the Local Area Connection Status window, click the Properties button.
3. On the Local Area Connection Properties window, select the Wireless Networks tab.
4. If an entry already exists for the network name or SSID of the WPA-enabled wireless network, select it and click Properties. If no entry exists, click Add.
5. On the Association tab of the Wireless Network Properties window:
   a. Enter the desired SSID or network name, if adding a new entry.
   b. Select WPA or WPA2 for the Network Authentication field, matching the version configured on the APs.
   c. Choose TKIP for the Data Encryption field if using WPA, or AES if using WPA2.
6. On the Authentication tab (see Figure 4):
   a. Ensure Protected EAP (PEAP) is chosen for the EAP Type.
   b. Clear both of the other checkboxes, unless the RADIUS server is specifically set up to accommodate those situations.

Figure 4.

7. On the Authentication tab, click the Properties button and follow these steps on the Protected EAP Properties window (see Figure 5):
   a. Check the first checkbox, Validate server certificate.
   b. Uncheck the second checkbox, Connect to these servers. With the AP's self-signed certificate as the only trusted root, this is acceptable, because nothing else chains to it. If you instead rely on a public CA, check this box and enter the server's name, since otherwise any certificate that CA issues would be accepted.
   c. In the Trusted Root Certification Authorities list, select the certificate installed on the AP's internal RADIUS server. If the AP's self-signed certificate was used, its name should start with NWA-3160, followed by the AP's MAC address.
   d. Select Secured password (EAP-MSCHAP v2) for the Select Authentication Method field and click the Configure button. On the dialog box that appears, uncheck the option labeled Automatically use my Windows logon name and password (and domain if any), and click OK. Figure 5 shows both of these windows.

Figure 5.

8. Click OK on each of the windows to save the network settings.

Though configuring the network in Windows Vista is similar, here are the exact steps:

1. Right-click the network icon in the system tray and select Network and Sharing Center.
2. On the Network and Sharing Center window, click the Manage wireless networks link in the left task pane.
3. If an entry already exists for the network name or SSID of the WPA-enabled wireless network, double-click it and skip to Step 6. If no entry exists, click Add and proceed with the following steps.
4. If adding a new entry, click Manually create a network profile on the window that appears, enter the settings for the network, and click Next.
5. On the Successfully Added window, click Change connection settings.
6. On the Wireless Network Properties window, select the Security tab, and:
   a. Ensure the security and encryption types match the version configured on the APs.
   b. Check or uncheck the option to save the user name and password when connecting, as desired.
   c. Ensure Protected EAP (PEAP) is chosen for the network authentication method.
7. Click the Settings button and, on the Protected EAP Properties window:
   a. Check the first checkbox, Validate server certificate.
   b. Uncheck the second checkbox, Connect to these servers (the same caveat as for Windows XP applies).
   c. Select the CA certificate installed on the AP's internal RADIUS server from the list. If the AP's self-signed certificate was used, its name should start with NWA-3160, followed by the AP's MAC address.
   d. For the Select Authentication Method field, make sure Secured password (EAP-MSCHAP v2) is selected and click the Configure button. On the dialog box that appears, uncheck the option labeled Automatically use my Windows logon name and password (and domain if any), and click OK.
8. Click OK on each of the windows to save the network settings.

Connecting to the WPA/802.1x wireless network

After configuring the network's settings in Windows, select the network from the list of available wireless networks, just as when connecting to other Wi-Fi networks. A notification will appear in the lower right corner of Windows about entering log-in credentials; click this alert. On the Enter Credentials dialog box that appears, enter the user name and password of an account set up on the AP's internal RADIUS server, leave the Logon Domain field blank, and press Enter.

SUMMARY

In Part 1, we configured the ZyXEL AP's internal RADIUS server; in Part 2, we set up the APs and clients. If all went as planned, your computers should now be able to connect to the 802.1x-authenticated, WPA-encrypted network. Eavesdroppers won't be able to read the traffic (use WPA2 with AES wherever the clients allow it; TKIP is a legacy cipher with known weaknesses), but security concerns remain. Make sure users keep their username and password to themselves; those credentials are now the key to the network, and the server certificate validation on each client is what keeps a rogue AP from harvesting them. Remember that the login credentials can always be changed if they, or a computer, have been compromised.
