Deploying and supporting 802.1X authentication on a network is a challenge. Here are some tips to help you save time and money.
1. Consider using a free or low-cost RADIUS server
For small and medium-sized networks, you do not need to spend much money on a RADIUS (Remote Authentication Dial-In User Service) server. First, check whether your router platform, directory service, or other services already provide RADIUS/AAA (authentication, authorization, and accounting). For example, if you are running a Windows Server Active Directory domain, check for the Internet Authentication Service (IAS) component in Windows Server 2003 R2 and earlier, or the Network Policy Server (NPS) component in Windows Server 2008.
If your current servers do not provide RADIUS, there are still many free and low-cost options available:
FreeRADIUS is a completely free open-source product that runs on Linux and other Unix-like operating systems. It scales to millions of users and requests. By default, FreeRADIUS has no graphical interface; it is configured from the command line by editing its configuration files. Its configuration is highly customizable, and because it is open source you can also modify the software's code.
TekRADIUS is a shareware server that runs on Windows and provides a GUI. Its basic functionality is free, and you can purchase other editions to get EAP-TLS, dynamic self-signed certificates (for Protected Extensible Authentication Protocol (PEAP) sessions), VoIP billing, and other enterprise features.
Two low-cost commercial products, ClearBox and Elektron, run on Windows and offer a 30-day free trial.
Some access points even have an embedded RADIUS server, which is very useful for small networks; examples include the HP ProCurve 530 and the ZyXEL NWA-3500, nwa1_6, and NWA3160-N.
There are also cloud-based services, such as AuthenticateMyWiFi, that provide a hosted RADIUS server for 802.1X. Such a service is useful for businesses that do not want to invest the time and resources to build their own server.
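To make the "edit the configuration files" remark about FreeRADIUS concrete, here is an added example (not from the original article or the FreeRADIUS project) of the two files a small site touches first: a client stanza in clients.conf that registers one access point with a randomly generated shared secret, and a local test user in the users file for a PEAP/MSCHAPv2 login. The working directory, the NAS name ap-lobby, the address 192.0.2.10, and the username are assumptions.

```shell
#!/bin/sh
# Added example (not from the original article or the FreeRADIUS project):
# writes a minimal FreeRADIUS client definition and a local test user.
# Paths, the NAS name/address and the username below are assumptions.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"   # stand-in for /etc/raddb (assumed path)

# The shared secret is the only thing authenticating the NAS (access point or
# switch) to the server, so make it long and random rather than a word.
# 16 random bytes as hex = 32 characters = 128 bits.
gen_secret() {
    od -An -N16 -tx1 /dev/urandom | tr -d ' \n'
}

# Append a client stanza for one NAS to clients.conf.
# $1 = NAS name, $2 = NAS IP address, $3 = shared secret.
add_nas_client() {
    cat >> "$WORKDIR/clients.conf" <<EOF
client $1 {
    ipaddr = $2
    secret = $3
    require_message_authenticator = yes   # reject requests lacking the HMAC
    nas_type = other
}
EOF
}

# Append a test user to the users file. Cleartext-Password is what MSCHAPv2
# (inside PEAP) needs; in production, users come from AD/LDAP instead.
add_local_user() {
    printf '%s\tCleartext-Password := "%s"\n' "$1" "$2" >> "$WORKDIR/users"
}

# Sanity checks to run before starting radiusd: the secret is long enough,
# and every client stanza carries an ipaddr line.
secret_is_strong() {
    [ "${#1}" -ge 32 ]
}
clients_have_ipaddr() {
    [ "$(grep -c '^client ' "$WORKDIR/clients.conf")" -eq \
      "$(grep -c 'ipaddr' "$WORKDIR/clients.conf")" ]
}

SECRET="$(gen_secret)"
add_nas_client ap-lobby 192.0.2.10 "$SECRET"     # 192.0.2.0/24 is documentation address space
add_local_user testuser "change-me-before-go-live"
secret_is_strong "$SECRET" && clients_have_ipaddr && echo "config written to $WORKDIR"
```

After copying the stanzas into the real clients.conf and users files, the usual first check is a local radtest run against the server with the same secret; the shared secret also has to be entered on the access point, and it is worth using a different one per NAS so that one compromised device does not expose the others.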
2. Deploy 802.1X on the wired network too
You may already deploy 802.1X authentication to protect your wireless LAN through WPA or WPA2 Enterprise mode, but you should also consider deploying 802.1X on the wired side of the network. Although this does not encrypt wired connections (consider IPsec for that), it requires anyone plugging into an Ethernet port to authenticate before gaining access to the network.
3. Purchase a digital certificate
If you use PEAP as the 802.1X EAP type, you must also load a digital certificate onto the RADIUS server. Server validation by clients is optional, but it is important because it helps prevent man-in-the-middle attacks.
You can use your own certificate authority to create a self-signed certificate; however, your CA's root certificate must then be loaded onto each end user's computer and device for server validation to work.
Generally, you can distribute the CA's root certificate to managed computers. For example, if you are running Windows Server 2003 or later with Active Directory, you can use Group Policy to distribute the certificate. For non-domain and BYOD environments, however, the certificate must be installed manually or distributed some other way.
You can also consider buying a certificate for your RADIUS server from a third-party certificate authority (such as VeriSign, Comodo, or GoDaddy) that is already trusted by Windows and other operating systems; that way, you do not have to worry about distributing a root certificate to computers and devices.
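The "own CA" path described in this section, worked through as an added example (not from the original article): a private root CA is created, a server certificate for the RADIUS host is issued from it, and then the check a PEAP client performs during server validation is run twice, once as a client that has the root installed and once as a client that does not. The CA name "Example Private CA" and the host name radius.example.internal are assumptions.

```shell
#!/bin/sh
# Added example (not from the original article): private CA, RADIUS server
# certificate, and the server-validation check from both client perspectives.
# The CA name and host name are assumptions.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
cd "$WORKDIR"

# 1. Root CA: self-signed; in practice its key stays offline. ca.crt is the
#    file that must reach every client (e.g. via Group Policy, as in the text).
make_root_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=Example Private CA" \
        -keyout ca.key -out ca.crt 2>/dev/null
}

# 2. Server key + CSR for the RADIUS host, signed by the CA. The serverAuth
#    EKU is what Windows supplicants look for on a PEAP server certificate.
make_server_cert() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=radius.example.internal" \
        -keyout radius.key -out radius.csr 2>/dev/null
    printf 'extendedKeyUsage = serverAuth\nsubjectAltName = DNS:radius.example.internal\n' > radius.ext
    openssl x509 -req -in radius.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
        -days 825 -sha256 -extfile radius.ext -out radius.crt 2>/dev/null
}

# 3. A client that has the root installed: the chain validates, result "OK".
verify_with_root() {
    openssl verify -CAfile ca.crt radius.crt 2>/dev/null | sed 's/.*: //'
}

# 4. A client WITHOUT the root: validation fails. A supplicant configured to
#    validate the server certificate refuses the connection at this point,
#    which is the protection against a rogue RADIUS server the text refers to.
verify_without_root() {
    if openssl verify -no-CAfile -no-CApath radius.crt >/dev/null 2>&1; then
        echo "accepted"
    else
        echo "rejected"
    fi
}

make_root_ca
make_server_cert
echo "client with root CA installed:    $(verify_with_root)"
echo "client without root CA installed: $(verify_without_root)"
```

radius.key and radius.crt are what get loaded onto the RADIUS server; ca.crt is what gets distributed to clients. The second check is also the reason the supplicant's "validate server certificate" setting must stay enabled: a client that skips validation would accept any certificate, and the root distribution effort would buy nothing.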