RADIUS is a client/server protocol. Its client was originally a NAS (Network Access Server); today any host running RADIUS client software can act as a RADIUS client.
The RADIUS authentication mechanism is flexible and supports multiple methods, such as PAP, CHAP and UNIX login authentication. RADIUS is an extensible protocol: everything it carries is encoded as attribute type, length and value triplets, and the Vendor-Specific attribute lets vendors define their own proprietary attributes.
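To make the attribute-length-value layout concrete, here is a small encoder and parser for the RFC 2865 attribute format, including the Vendor-Specific attribute (type 26) that carries proprietary sub-attributes. This is an added example, not code from the original article; the packet contents, the identifier 42 and the fixed authenticator are constructed for the demonstration (the Vendor-Id 9 and sub-type 1 are Cisco's enterprise number and its cisco-avpair attribute).

```python
"""RADIUS attributes as type-length-value triplets (RFC 2865 section 5), with the
Vendor-Specific attribute (type 26) that carries proprietary sub-attributes.
Added example; not code from the original article. All packet values are constructed."""
import struct

USER_NAME = 1
NAS_IP_ADDRESS = 4
VENDOR_SPECIFIC = 26
ACCESS_REQUEST = 1
HEADER_LEN = 20          # Code(1) + Identifier(1) + Length(2) + Authenticator(16)


def encode_avp(attr_type: int, value: bytes) -> bytes:
    """Type (1 byte), Length (1 byte, counting Type and Length), Value (0..253 bytes)."""
    if not 0 <= len(value) <= 253:
        raise ValueError("AVP value must be 0..253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def encode_vsa(vendor_id: int, vendor_type: int, value: bytes) -> bytes:
    """Vendor-Specific: 4-byte Vendor-Id (IANA enterprise number) followed by a vendor TLV."""
    sub = struct.pack("!BB", vendor_type, len(value) + 2) + value
    return encode_avp(VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + sub)


def parse_avps(data: bytes) -> list:
    """Walk a TLV sequence, rejecting truncated or zero-length attributes rather
    than looping forever or reading past the buffer (a classic parser bug class)."""
    avps, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header at offset %d" % pos)
        attr_type, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("bad attribute length %d at offset %d" % (length, pos))
        value = data[pos + 2:pos + length]
        if attr_type == VENDOR_SPECIFIC:
            if len(value) < 6:
                raise ValueError("Vendor-Specific attribute too short")
            vendor_id = struct.unpack("!I", value[:4])[0]
            # Most vendors use the RFC 2865 sub-TLV layout; a vendor that does not
            # would need its own decoder here.
            avps.append((attr_type, (vendor_id, parse_avps(value[4:]))))
        else:
            avps.append((attr_type, value))
        pos += length
    return avps


def build_packet(code: int, identifier: int, authenticator: bytes, avps: list) -> bytes:
    """Code, Identifier, Length (whole datagram), 16-byte Authenticator, then attributes."""
    if len(authenticator) != 16:
        raise ValueError("authenticator must be 16 bytes")
    body = b"".join(avps)
    return struct.pack("!BBH", code, identifier, HEADER_LEN + len(body)) + authenticator + body


def parse_packet(packet: bytes) -> tuple:
    """Return (code, identifier, authenticator, attributes). Bytes beyond the Length
    field are padding and ignored, as RFC 2865 requires."""
    if len(packet) < HEADER_LEN:
        raise ValueError("shorter than RADIUS header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if not HEADER_LEN <= length <= len(packet):
        raise ValueError("Length field inconsistent with datagram size")
    return code, identifier, packet[4:HEADER_LEN], parse_avps(packet[HEADER_LEN:length])


def demo() -> tuple:
    """Round-trip a constructed Access-Request carrying a Cisco (enterprise 9) cisco-avpair VSA."""
    authenticator = bytes(range(16))        # constructed; real clients use 16 random bytes
    packet = build_packet(ACCESS_REQUEST, 42, authenticator, [
        encode_avp(USER_NAME, b"alice"),
        encode_avp(NAS_IP_ADDRESS, bytes([192, 0, 2, 10])),
        encode_vsa(9, 1, b"shell:priv-lvl=15"),
    ])
    return parse_packet(packet)


if __name__ == "__main__":
    print(demo())
```

The length checks in `parse_avps` are the part worth copying: a RADIUS server or NAS that trusts the per-attribute Length byte without bounding it against the datagram is the usual source of crashes when fed malformed packets.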
1. Generally you run Active Directory on Windows Server 2003 or later, and you can distribute the network settings (including the 802.1X settings and any digital certificates) through Group Policy to Windows XP and later machines that join the domain.
For machines that are not domain-joined, however, such as user-provided laptops, smartphones and tablets, there are other options besides manual configuration by the user. Note what has to be distributed: the root certificate of the Certificate Authority that issued the RADIUS server's certificate, the user certificate if EAP-TLS is used, and the network and 802.1X settings.
2. You can use the free SU1X 802.1X configuration and deployment tool for Windows XP (SP3), Vista and Windows 7. First configure the network on one PC, then use the tool's settings and preferences to capture the network information from that PC; the tool then creates a wizard that users run on their own computers to configure the network and other settings automatically. The tool supports distribution of root certificates as well as network and 802.1X settings.
In addition, it can be configured to add or delete other network profiles, change network priorities and enable NAP/SoH. It can even configure automatic or manual proxy server settings for IE and Firefox, and add or remove network printers.
3. Commercial products for 802.1X configuration and deployment include XpressConnect, ClearPass QuickConnect and ClearPass Onboard. XpressConnect supports distribution of root certificates, user certificates, and network and 802.1X settings (PEAP, TLS and TTLS (Tunneled Transport Layer Security)) to Windows, Mac OS X, Linux, Android and iOS devices.
For TTLS it can also install the SecureW2 TTLS client. XpressConnect is a cloud-based solution: you define your network settings in the web console and it creates a wizard that you distribute to users.
4. Both ClearPass QuickConnect and ClearPass Onboard support distribution of the root certificate and of the network and 802.1X settings (PEAP, TLS and TTLS) to Windows, Mac OS X, Linux, Android and iOS devices. ClearPass QuickConnect is a cloud-based service and does not support distributing user certificates.
ClearPass Onboard is a software module for the ClearPass Policy Manager platform and does support user certificate distribution. For some mobile operating systems there are also dedicated solutions for distributing 802.1X and other network settings.
5. Protect the 802.1X client settings. 802.1X is vulnerable to man-in-the-middle attacks: an attacker can, for example, broadcast a duplicate Wi-Fi network backed by a rogue RADIUS server under their control, let users connect to it, and capture their login credentials. You can, however, configure client computers and devices to resist such attacks:
1. Validate server certificate: this setting should be enabled. Select the Certificate Authority used by your RADIUS server from the list. This ensures that the RADIUS server behind the network the user connects to presents a server certificate issued by that certificate authority.
2. Connect to these servers: this setting should be enabled. Enter the names listed on your RADIUS server's certificate. This ensures that the client only talks to a RADIUS server whose server certificate carries one of those names.
3. Do not prompt user to authorize new servers or trusted certification authorities: this should be enabled so that a RADIUS server that fails the two checks above is rejected automatically, instead of the user being prompted and given the ability to accept it and connect anyway.
6. In Windows Vista and later, the first two settings should be enabled and configured automatically when the user connects to the network for the first time. The last setting, however, must be enabled manually, through Group Policy or through another distribution method. In Windows XP all three settings must be configured manually, through Group Policy or through another distribution method.
7. Protect the RADIUS server. Do not forget the security of the RADIUS server itself; after all, it is the server that performs the authentication.
Consider dedicating a separate server to the RADIUS role, make sure its firewall is locked down, and use encrypted links for any connection from the RADIUS server to a database on another server. When creating shared secrets, whether you enter them in the NAS (Network Access Server) client list or in the RADIUS server's database, use strong secrets.
Because users never need to know or remember them, shared secrets can be very long and complex. Bear in mind that most RADIUS servers and NAS devices support up to 32 characters.
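The reason the shared secret has to be strong is that in RFC 2865 it is the only key behind both the PAP User-Password hiding and the Response Authenticator, and both are plain MD5 constructions that an eavesdropper can test offline against a single captured request/response pair. The following added example (not code from the original article) implements both constructions, runs a dictionary attack against a weak secret, and generates a random 32-character one; the wordlist, the identifier 7, the fixed Request Authenticator and the password are constructed for the demonstration.

```python
"""Why the RADIUS shared secret must be long and random. In RFC 2865 the secret is the
only key behind the PAP User-Password hiding and the Response Authenticator; both are
plain MD5 constructions, so one captured request/response pair lets an eavesdropper
test secret guesses offline. Added example, not code from the original article;
packet values are constructed."""
import hashlib
import secrets
import string
import struct

ACCESS_ACCEPT = 2


def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to a 16-byte multiple, XOR each block with
    MD5(secret + previous ciphertext block), the first block using the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        stream = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], stream))
        out, prev = out + block, block
    return out


def unhide_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Inverse of hide_password; strips the zero padding."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        stream = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], stream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def response_authenticator(code: int, identifier: int, req_auth: bytes,
                           attrs: bytes, secret: bytes) -> bytes:
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return hashlib.md5(header + req_auth + attrs + secret).digest()


def guess_secret(code, identifier, req_auth, attrs, resp_auth, candidates):
    """Offline dictionary attack on a captured exchange: no further traffic to the server is needed."""
    for cand in candidates:
        if response_authenticator(code, identifier, req_auth, attrs, cand) == resp_auth:
            return cand
    return None


def generate_shared_secret(length: int = 32) -> str:
    """Random secret from a CSPRNG, sized to the 32-character ceiling mentioned in the text."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def demo() -> dict:
    req_auth = bytes(range(16))                  # constructed; must be random in practice
    wordlist = [b"secret", b"password", b"radius", b"testing123"]   # constructed
    weak, strong = b"radius", generate_shared_secret().encode()
    # A captured Access-Accept with no attributes, as a NAS receives after PAP success
    recovered = guess_secret(ACCESS_ACCEPT, 7, req_auth, b"",
                             response_authenticator(ACCESS_ACCEPT, 7, req_auth, b"", weak), wordlist)
    survived = guess_secret(ACCESS_ACCEPT, 7, req_auth, b"",
                            response_authenticator(ACCESS_ACCEPT, 7, req_auth, b"", strong), wordlist)
    # Once the secret is known, the hidden PAP passwords in the same capture fall too
    hidden = hide_password(b"hunter2", weak, req_auth)
    return {"recovered_secret": recovered, "strong_secret_guessed": survived,
            "password_from_capture": unhide_password(hidden, recovered, req_auth)}


if __name__ == "__main__":
    print(demo())
```

Adding the Message-Authenticator attribute (RFC 2869, HMAC-MD5) does not change this picture, because it is keyed with the same secret; what removes the offline attack is carrying RADIUS over TLS (RFC 6614) or IPsec between NAS and server, which is why the text's advice to use a long random secret and to keep the RADIUS server and its links locked down belong together.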
The man-in-the-middle attacks on 802.1X described above are aimed at user passwords, so make sure those passwords are strong as well. If you have a directory service such as Active Directory, you can enforce a password policy that requires sufficient complexity and regular changes.