Integrated vs. Standalone RADIUS Servers in WLAN Deployments

Several popular WLAN infrastructure vendors include lightweight RADIUS servers directly in their access points. Vendors typically intend these lightweight servers as a backup solution in the event that connectivity to an off-board RADIUS server is lost.

I recently had the opportunity to speak with a WLAN network administrator and we briefly discussed the merits of using an integrated RADIUS server on APs vs using an external RADIUS server for authentication. After thinking about it for a few days, I realized that relying solely on the integrated RADIUS server for wireless authentication is rarely a good idea.

  • Integrated RADIUS servers on APs are typically minimal servers that are designed to serve a small number of clients. If the WLAN network grows in size, the number of users that will need to be configured could easily exceed the limits of the integrated RADIUS servers.
  • Some integrated RADIUS servers do not offer support for accounting services. This can be either a non-issue or a serious disadvantage depending on the purpose of the WLAN.
  • Integrated RADIUS servers typically use proprietary local database engines/management interfaces to administer the user database, which makes it difficult to do certain operations like import/export user databases between APs or switch to APs from a different vendor.
  • Standalone RADIUS servers offer advanced capabilities such as integrating with LDAP or Exchange servers to provide single sign-on capabilities. Integrated RADIUS servers in APs don’t have such capabilities due to the complexities and necessary protocol support required to interact with other authentication servers.
  • Integrated RADIUS servers can only support the EAP methods that are built into them, which restricts the set of EAP methods that can be used in the WLAN. Standalone RADIUS servers can typically support a much larger number of EAP methods and therefore provide the WLAN administrator with a great deal of flexibility. Note that APs which act only as a NAS merely relay EAP messages between clients and the RADIUS server, and therefore don’t need built-in support for the different EAP types.
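The note in the last bullet, shown as an added example (this is not code from the original post or from any vendor): Python code in which the NAS side wraps an EAP packet into RADIUS EAP-Message attributes without ever looking at the EAP type, and the server side verifies the Message-Authenticator and reassembles it. The function names `relay_eap` and `unwrap_eap` are hypothetical; the attribute numbers and the HMAC-MD5 computation follow RFC 2865 and RFC 3579.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1  # RADIUS packet code (RFC 2865)
USER_NAME, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 79, 80  # attribute types


def attr(attr_type, value):
    """Encode one RADIUS attribute as type, length, value."""
    if len(value) > 253:
        raise ValueError("attribute value exceeds 253 octets")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def relay_eap(eap_packet, user, secret, ident, authenticator):
    """NAS side: wrap an EAP packet in an Access-Request without parsing it."""
    attrs = attr(USER_NAME, user)
    # The EAP payload is opaque here: split at 253 octets, whatever the method.
    for i in range(0, len(eap_packet), 253):
        attrs += attr(EAP_MESSAGE, eap_packet[i:i + 253])
    # RFC 3579: Message-Authenticator is HMAC-MD5 over the whole packet with
    # its own 16-octet value zeroed. Placing it last is this example's choice.
    attrs += attr(MESSAGE_AUTHENTICATOR, bytes(16))
    packet = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    packet += authenticator + attrs
    return packet[:-16] + hmac.new(secret, packet, hashlib.md5).digest()


def unwrap_eap(packet, secret):
    """Server side: check Message-Authenticator, then reassemble the EAP packet."""
    length = struct.unpack("!H", packet[2:4])[0] if len(packet) >= 20 else 0
    if not 20 <= length <= len(packet):
        raise ValueError("bad RADIUS length")
    eap, mac, zeroed, pos = b"", None, bytearray(packet[:length]), 20
    while pos < length:
        a_len = packet[pos + 1] if pos + 2 <= length else 0
        if a_len < 2 or pos + a_len > length:
            raise ValueError("malformed attribute")
        a_type, value = packet[pos], packet[pos + 2:pos + a_len]
        if a_type == EAP_MESSAGE:
            eap += value
        elif a_type == MESSAGE_AUTHENTICATOR and a_len == 18:
            mac = value
            zeroed[pos + 2:pos + 18] = bytes(16)
        pos += a_len
    expected = hmac.new(secret, bytes(zeroed), hashlib.md5).digest()
    if mac is None or not hmac.compare_digest(mac, expected):
        raise ValueError("missing or invalid Message-Authenticator")
    return eap
```

Nothing in `relay_eap` depends on the EAP type octet, which is why a pass-through AP keeps working when the standalone server adds a new EAP method.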

However, even with all of the advantages a standalone RADIUS server offers over an integrated RADIUS server, the integrated solution has some compelling advantages of its own: the integrated server is likely to fail only when the AP itself physically fails, the authentication sequence may be slightly faster since there is no extra hop between the AP and a RADIUS server, and of course it doesn’t require any additional capital expense for your network. In short, the decision between an integrated and a standalone server solution should carefully weigh short-term and long-term costs and network growth, as well as flexibility in supporting both existing and future requirements of the network.

  1. Hello,

    For me an integrated RADIUS seems the ideal solution. The reason is: I only need 30 accounts; I need an authentication feature; I don’t want to pay extra money to a RADIUS service provider, nor do I want to administrate a RADIUS by myself. My problem is that I cannot get an overview or find really integrated WLAN routers/APs. At a nearer look most just have RADIUS support. Can you recommend or point me to some real integrated RADIUS WLAN routers?

  2. Walter Goulet

    Hi Gerd,

    Understood; for such a small amount of users you shouldn’t need a separate RADIUS server (although I will point out that FreeRADIUS is a very small and simple RADIUS server to use and is of course free open source software). If you are looking for enterprise WLAN equipment (with the corresponding hefty price tag), I know that Motorola’s Symbol division makes some nice WLAN switches (RFS 7000/5500) which have a built-in mini-RADIUS server. With that particular switch, you can also configure the internal RADIUS server to proxy to an external server in case you outgrow the capabilities of the internal server. I’m pretty sure Cisco has such a device as well, but I don’t have any personal experience with it.

    From an open source perspective, the Linksys WRT-54GL line of WLAN routers all have a Linux kernel on them, which means you can install an open source WLAN firmware such as Tomato or DD-WRT. You could then build a mini-version of FreeRADIUS to run directly on the device.
