Kitz ADSL Broadband Information
Author Topic: Radius server  (Read 2138 times)

Weaver

  • Senior Kitizen
  • ******
  • Posts: 11459
  • Retd s/w dev; A&A; 4x7km ADSL2 lines; Firebrick
Radius server
« on: September 15, 2022, 05:44:55 PM »

I’m trying to understand the feasibility issues around installing a RADIUS server on my Raspberry Pi or using one of my ZyXEL WAPs as a RADIUS server, something which they have built-in support for. One thing that I don’t understand though, is the importance of boot-up time. If someone uses RADIUS to power users’ authentication by WAPs then you don’t want a RADIUS server to take 5 mins to boot. And for 802.1x it’s probably even worse. My ZyXEL takes well over four minutes to boot after configuration changes have been made, but I should do some better benchmarking than that, yet I presume that the results will simply be a different kind of silly, not sub-5 seconds anyway.

How do other people cope with the problem of boot-up time and initial non-availability? Especially if they’re using 802.1x?

I would assume that I would be mad not to have two servers too, no?

tubaman

  • Senior Kitizen
  • ******
  • Posts: 12668
Re: Radius server
« Reply #1 on: September 16, 2022, 07:46:18 AM »

I thought that RADIUS systems were used by companies to verify users onto their network. Having one on a home network seems like overkill and rather a lot of administrative effort for little gain.
BT FTTC 55/10 Huawei Cab - Zyxel VMG8924-B10A

Weaver

  • Senior Kitizen
  • ******
  • Posts: 11459
  • Retd s/w dev; A&A; 4x7km ADSL2 lines; Firebrick
Re: Radius server
« Reply #3 on: September 16, 2022, 12:37:01 PM »

Tubaman, I hear what you say. This isn’t a home network, but a (very) small business one, for my wife’s business. Dealing with various classes of guests has become a pain and having to change passwords using PSK is a real nuisance. So your argument, while quite valid, can also be turned on its head. That doesn’t make much sense now I read it back. :-[  As you say, it’s partially about administrative effort.

The thing is, I already have two RADIUS servers anyway, they came for free in my ZyXEL WAPs. It’s the boot time issue that has prevented me from using them, that and another centralised point of failure, although as I said, I do have two of them. If you have two for reliability, how on earth do you keep them in sync? Or is there a built-in syncing feature in the server protocol? Ashamed to say, I haven’t done any reading up yet. Things-to-do-list.

tubaman

  • Senior Kitizen
  • ******
  • Posts: 12668
Re: Radius server
« Reply #4 on: September 16, 2022, 12:47:51 PM »

Perhaps a silly question, but why do you ever need to change passwords on the guests network, as surely once they have left the premises it really doesn't matter if they still know the password as it's of no use to them?
BT FTTC 55/10 Huawei Cab - Zyxel VMG8924-B10A

Weaver

  • Senior Kitizen
  • ******
  • Posts: 11459
  • Retd s/w dev; A&A; 4x7km ADSL2 lines; Firebrick
Re: Radius server
« Reply #5 on: September 16, 2022, 12:58:04 PM »

I’m using the word ‘guest’ in a sysadmin / security sense. There are several classes of ‘guests’ so it seems to be turning out. As far as my wife’s real guests as in accommodation customers, many are annual repeat visitors. It may turn out to be the case that using multiple passwords gives more freedom in administrative terms plus finer grained security, and changing passwords is such a hassle that it may be that RADIUS turns out more administratively convenient than simply having PSKs only. And of course as you know, for wireless, having many SSIDs per radio is an incredibly bad idea because of the performance degradation, best practice being four max per radio. I used to have three SSIDs on one WAP, recently deleted one after a redesign, so now it’s three max.

meritez

  • Content Team
  • Kitizen
  • *
  • Posts: 1626
Re: Radius server
« Reply #6 on: September 16, 2022, 01:56:17 PM »

Sounds like RADIUS profiles would work out for you.

Weaver

  • Senior Kitizen
  • ******
  • Posts: 11459
  • Retd s/w dev; A&A; 4x7km ADSL2 lines; Firebrick
Re: Radius server
« Reply #7 on: September 16, 2022, 02:14:15 PM »

Exactly.

But what happens about silly boot times? Don’t you need authentication availability right now, no waiting, on network startup? And isn’t it even worse, much worse, if you’re linking it to 802.1X?

If someone has a *nix box, or a Windows Server box providing RADIUS, that will take forever to boot up, and so what is supposed to happen about authentication availability for WAPs or 802.1X during that time? I don’t have a picture of how that kind of setup is supposed to work.

XGS_Is_On

  • Reg Member
  • ***
  • Posts: 479
Re: Radius server
« Reply #8 on: September 16, 2022, 04:38:04 PM »

Things can't authenticate briefly. Existing connections will work as expected. If it's a very small business you're doing this for I'm not sure a cluster, which is what you'd be looking at, is going to be necessary. You're running a guest house with a few visitors at a time, not a several hundred site, hundreds of rooms per site hotel chain or global enterprise network. The odds of a few minutes of authentication downtime a month coinciding with an authentication attempt are minimal. :)

Still, if you end up getting Aruba kit all over, or even if you don't, ClearPass works well as a NAC solution and clusters nicely.

EDIT: Actually rather than RADIUS wouldn't an open SSID with a captive guest portal alongside Opportunistic Wireless Encryption be more what you're looking for?
« Last Edit: September 16, 2022, 04:42:14 PM by XGS_Is_On »
YouFibre You8000 customer: symmetrical 8 Gbps.

Yes, more money than sense. Story of my life.
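
Added example, not from any poster in this thread: a small Python probe for the situation discussed above, where an authenticator is pointed at two RADIUS servers and one of them may still be booting. It assumes both servers answer Status-Server (RFC 5997) on the authentication port, which not every embedded RADIUS server does; the addresses and shared secret are constructed.

```python
import hashlib
import hmac
import os
import socket
import struct

STATUS_SERVER = 12   # RFC 5997 packet code
MSG_AUTH = 80        # Message-Authenticator attribute type (RFC 2869)

def build_status_server(secret: bytes, ident: int) -> bytes:
    """Status-Server request carrying the mandatory Message-Authenticator."""
    header = struct.pack("!BBH", STATUS_SERVER, ident, 38) + os.urandom(16)
    attr = struct.pack("!BB", MSG_AUTH, 18)
    # HMAC-MD5 over the whole packet with the attribute value zeroed.
    mac = hmac.new(secret, header + attr + bytes(16), hashlib.md5).digest()
    return header + attr + mac

def response_is_valid(request: bytes, response: bytes, secret: bytes) -> bool:
    """Check the Response Authenticator (RFC 2865) against our request."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    if struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    expected = hashlib.md5(
        response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])

def first_available(servers, secret, timeout=1.0, retries=2):
    """Probe servers in order (primary first); return the first that answers
    with a correctly authenticated reply, or None if all are silent."""
    for host, port in servers:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            sock.settimeout(timeout)
            for attempt in range(retries):
                request = build_status_server(secret, attempt)
                try:
                    sock.sendto(request, (host, port))
                    response, _ = sock.recvfrom(4096)
                except OSError:  # timed out or port unreachable: still booting
                    continue
                if response_is_valid(request, response, secret):
                    return (host, port)
    return None

if __name__ == "__main__":
    # Constructed addresses (documentation range) and secret; use your own.
    servers = [("192.0.2.10", 1812), ("192.0.2.11", 1812)]
    print(first_available(servers, b"constructed-shared-secret"))
```

Timing how long `first_available` keeps returning the secondary (or `None`) after a reboot gives a measured figure for the authentication gap rather than a guess.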

Weaver

  • Senior Kitizen
  • ******
  • Posts: 11459
  • Retd s/w dev; A&A; 4x7km ADSL2 lines; Firebrick
Re: Radius server
« Reply #9 on: September 17, 2022, 05:22:09 AM »

Thank you so much for the reading matter.