QNAP RADIUS Server
A fair number of the people reading this are probably asking themselves, “What’s a RADIUS Server, and why is it in capital letters?” RADIUS is in capital letters because it’s an acronym for something that doesn’t matter. It’s doubtful that 1 out of 100 network managers who operate a RADIUS server know what it stands for, so don’t worry about it. Everyone calls it a RADIUS server. Nobody would know what you were talking about otherwise.
The better question is “What’s a RADIUS Server?” A RADIUS Server, as described here, is a tool used to provide a higher level of wireless security for your wireless network. It’s also referred to as 802.1X, although that’s technically a security protocol used by RADIUS. Your router calls it WPA2/Enterprise. It’s one of the wireless security methods available on most of the higher quality routers, although not all high level wireless routers offer WPA2/Enterprise.
Most wireless routers use WPA2/AES security. This uses the pre-shared key / password you type into your router and your wireless device so you can access the network. Provided you use a complicated key and keep it a secret, WPA2/AES is still secure. You can hack it using a dictionary attack, in which a hacker uses a long list of words, one at a time, to try to get in. Or you can ask a 10-year-old who has access to a secured wireless device to see if there’s a check box to unscramble the key. Basically, one password provides network access to anyone who knows it. (Note: WPA2/PSK refers to a pre-shared key. WPA2/AES requires a pre-shared key and refers to an encryption method.)
WPA2/Enterprise requires a RADIUS server to connect to the network. A RADIUS server is a separate computer, in this case a smart network storage device. It holds configuration information (obviously) AND a list of authorized users who can access the wireless network. A RADIUS server requires a user id and password for a wireless device to attach to the network, not just a commonly available secret password.
802.1X security uses SSL certificates to encrypt the wireless communication between the device and the server, providing a higher level of wireless security.
In other words, WPA2/AES allows anyone with the wireless network SSID and the password to connect to the network. (Assume away MAC address filtering, since MAC address spoofing is easy to do provided you know the MAC address of a device in the list.) WPA2/Enterprise allows only authorized users to connect to the wireless network and uses better wireless encryption.
Sounds Cool. I’ll Put It On All My Wireless Devices.
No, you probably won’t.
As mentioned earlier, some routers don’t support WPA2/Enterprise, even if you paid a lot for it. Most do, but don’t take for granted that the one you want does. Read the specs on the manufacturer website or download the user guide to see the full range of capabilities.
Not all devices support WPA2/Enterprise. Your phone and tablet probably do, but your DLNA enabled DVD player or media server may not.
If you have a guest network, it may not support WPA2/Enterprise or, if it does, you will need to add a user id and password for each guest who uses it. Then your guest will have to go through additional steps to log in, as compared to normal, everyday WPA2/AES.
Logically thinking, if you use a guest network for devices that don’t support WPA2/Enterprise and 802.1X for those that do, then your network is really operating at the lower level even though a few devices are at a higher level. You really have to think your network through before implementing a RADIUS server and integrating a guest network for devices that fall through the cracks. You’ll need a router that restricts network access for wireless guest networks and possibly a wireless client bridge that supports wired access for media devices.
It’s best to use a RADIUS server where you have a limited number of users and you can control what it’s used for, such as in a business or a home network that isn’t a crazy quilt of wireless devices.
How To Set Up a QNAP RADIUS Server
RADIUS requires SSL. As a prerequisite, please attend to SSL certificate management. You’ll probably get an SSL certificate warning when you connect your client device to your server for the first time. Don’t worry about it. In effect, you’re talking to yourself. The certificate is used for encryption. If you can’t talk to yourself, then who can you talk to?
Start with your router.
You shouldn’t need to open any ports on your router. The RADIUS network communicates behind the router. Nothing will come in from the internet. Thus, the router won’t need to let traffic on a particular port (in this case port 1812) through.
Each router will look different but the steps involved should be quite similar. Find the wireless security screen, select WPA2/Enterprise. Enter the IP address for the RADIUS server, in this case the QNAP device. Finally, type in a shared secret. The router and QNAP server will use the shared secret to identify each other. Individual users will not need to know the shared secret. This is a secret between the router and the server, only.
Open up QNAP administration. Go to the RADIUS server page and enable the RADIUS server.
Identify the router, a.k.a. client, type in its IP address, the prefix length (which is probably 24 if your IP address looks anything like the one below), and your shared secret.
After you’ve defined the client, you see this.
Create RADIUS users.
After you’ve identified the RADIUS users, you see this screen. You’re done configuring the QNAP device.
Go to your Windows PC. Select the SSID that corresponds to your wireless RADIUS network. Sign in.
You’ll probably get a security warning about the certificate. Ignore it unless you believe you have joined a rogue network that is impersonating yours (not too likely). Click Connect.
These are the Details associated with the warning above. (In this case, I used a Windows Server domain certificate that I exported from IIS. I used OpenSSL to split the certificate from the private key and imported both into my QNAP drive.)
After connecting, you can see this screen from the wireless network properties. If you look a little deeper into the security settings, you’ll see MS-CHAP v2 authentication is involved in the process. Yes, I’ve hectored readers about the inherent issues with MS-CHAP v2. Don’t worry. MS-CHAP v2 security problems involve PPTP VPN connections ONLY. MS-CHAP v2 in this configuration is safe. The vulnerable parts are encapsulated in an encrypted tunnel. If someone can break through the tunnel encryption, then the MS-CHAP v2 vulnerabilities appear.
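The shared secret typed into the router and into the QNAP client definition is what lets the two sides identify each other over UDP port 1812. As an added illustration (not code from the page, from QNAP, or from any router firmware), this Python sketch builds the RADIUS Access-Request a router sends on behalf of a WPA2/Enterprise client and shows the two checks the secret drives: the Message-Authenticator the server verifies before answering, and the Response Authenticator the router verifies before trusting an Access-Accept. All names and secrets are constructed, and the PEAP/MS-CHAP v2 conversation that follows inside the tunnel is not modelled.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2         # RADIUS packet codes (RFC 2865)
USER_NAME, NAS_IP_ADDRESS = 1, 4             # attribute types (RFC 2865)
EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 79, 80  # attribute types (RFC 2869)

def attr(atype, value):
    """Encode one RADIUS attribute: type, length (value + 2 header bytes), value."""
    return struct.pack("BB", atype, len(value) + 2) + value

def build_access_request(ident, identity, secret, nas_ip, request_auth=None):
    """Router (NAS) side: Access-Request carrying the client's EAP Identity reply, HMAC'd with the shared secret."""
    request_auth = request_auth or os.urandom(16)
    eap = struct.pack("!BBHB", 2, 1, 5 + len(identity), 1) + identity.encode()  # EAP Response/Identity
    attrs = (attr(USER_NAME, identity.encode())
             + attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + attr(EAP_MESSAGE, eap)
             + attr(MESSAGE_AUTHENTICATOR, b"\0" * 16))      # zeroed while the HMAC is computed
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    mac = hmac.new(secret, header + request_auth + attrs, hashlib.md5).digest()
    return header + request_auth + attrs[:-16] + mac       # Message-Authenticator is the last attribute

def verify_access_request(packet, secret):
    """Server side: reject the request unless its Message-Authenticator matches the shared secret."""
    attrs, pos = packet[20:], 0
    while pos + 2 <= len(attrs):
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2: return False                # malformed attribute; never loop on it
        if atype == MESSAGE_AUTHENTICATOR and alen == 18:
            zeroed = packet[:22 + pos] + b"\0" * 16 + packet[38 + pos:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, attrs[pos + 2:pos + 18])
        pos += alen
    return False                                 # EAP requests must carry one (RFC 3579)

def build_response(code, request, secret, attrs=b""):
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret); a real EAP reply also carries a Message-Authenticator, omitted here."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return header + hashlib.md5(header + request[4:20] + attrs + secret).digest() + attrs

def verify_response(response, request, secret):
    """Router side: trust the verdict only if it was produced with the same shared secret."""
    if response[1] != request[1]:                # identifier must match the outstanding request
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])
```

A mismatched secret on either side makes both checks fail, which is exactly the symptom you see when the router and QNAP entries disagree.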