Reduced IT burden, increased security for the smaller enterprise: The overall IT burden for small businesses has grown ever larger, which is why it's heartening to see the latest in an ongoing series of efforts by Wi-Fi-related software developers and Wi-Fi hardware manufacturers to provide enterprise-style network offerings with small-business pricing and knowledge in hand.
Elektron from Corriente Networks is a proud member of that family of goods. This RADIUS server is designed with one purpose in mind, rather than the Swiss Army knife approach of Windows 2003 Server or Mac OS X Server: Elektron secures wireless networks using WPA (Wi-Fi Protected Access) Enterprise, a flavor heretofore out of reach of those who couldn't spend thousands of dollars on server software and wanted the largest array of standard 802.1X client support.
WPA Enterprise uses a secured login for each user that's coupled with a unique, regularly updated, long encryption key. This eliminates the problem of a shared key being stolen or socially engineered out of an employee. It also avoids having to enter a new key on every computer on the network whenever the shared key needs to be changed. WPA Enterprise rotates around identity instead of a key.
By using a robust WPA key that's unique, the wireless network layer can be virtually assured of full protection from snoopers. The same amount of care needs to be taken with physical intrusion, in which a cracker gains access to the Ethernet network, but it eliminates over-the-air risks.
Elektron brings this to a small office using standard protocols and software and a server that works under both Mac OS X 10.2.8 and later and Windows XP, 2000, and Server 2003.
Elektron in Context
WPA Enterprise combines 802.1X/EAP, a method of exchanging credentials with an authentication server over a network that restricts access to untrusted parties, with WPA, the latest and greatest method of encrypting Wi-Fi traffic.
More robust 802.1X servers offer more options but also cost about 10 to 100 times as much depending on the number of users. Elektron is $299 for unlimited users, while software from Funk, Meetinghouse, Microsoft, and others offers a full spectrum of policy and account management coupled with (except Microsoft) a broad range of client-side support at prices that start at about $2,500 for 10 to 50 users depending on the product.
The more expensive servers bring with them the cost of integrating into existing infrastructures for policy management and directories, although they can stand alone, too. But a trained network administrator is needed.
Elektron by contrast requires a computer-literate employee who can enter the right values for local network settings. Elektron's computational demands are minimal, allowing it to be run on existing hardware with no noticeable load even on busy wireless networks. The transactions it conducts are brief and infrequent.
(Similar small- to medium-sized office products have been previously reviewed or covered here at Wi-Fi Networking News, including WSC Guard and BoxedWireless, hosted service solutions, and LucidLink, an in-house server. The hosted services charge monthly rates by user; LucidLink is a one-time fee based on simultaneous users.)
If the Elektron server is installed on a file server (Mac OS X) or a domain controller (Windows), it can pick up local user accounts. Otherwise, accounts must be entered by hand. The company said via email that they have the ability in future or higher-end versions to tie into existing RADIUS directories or consult SQL databases.
Corriente also simplifies matters while improving security by only supporting WPA Enterprise, which is the combination of 802.1X and a TKIP (Temporal Key Integrity Protocol) key found in Wi-Fi Protected Access (WPA).
The Elektron server also supports only the two most popular flavors of secured Extensible Authentication Protocol (EAP), namely EAP-TTLS (Tunneled Transport Layer Security) originally championed by the now agnostic Funk and Meetinghouse, and PEAP (Protected EAP) in Microsoft's flavor of the standard.
Clients supporting EAP-TTLS and PEAP are built into Windows XP, Mac OS X 10.3, and some versions of Unix. They can be purchased as stand-alone client software from Funk and Meetinghouse for about $40 each. Funk supports a range of Windows platforms and Pocket PCs; Meetinghouse offers Windows plus Mac OS X 10.2, Solaris 8, some Linux flavors, Palm, and Zaurus.
Getting Set Up with Elektron
Elektron involves a very simple installation under Mac OS X and Windows. After installation, the Elektron Settings application controls the server's features.
Each access point on a network must be configured to point to the Elektron server, which needs to be installed on a machine that has a static IP address, although for LANs, this address can be a private NAT address. The Access Points pane of the settings program lets you enter a shared password which is then used on each access point to exchange data with Elektron.
The Restrict Access Points to Local Network checkbox when checked keeps Elektron local; uncheck it, and remote offices can use Elektron for authentication. But remember that a routable IP address is needed in that configuration, that you're opening up Elektron to potential external attack, and that losing Internet access in a remote location means losing all subsequent access to the WLAN--users that have authenticated can remain on the network but new users can't join until access is restored.
Most access points, whether the cheapest or most expensive, have a configuration option for RADIUS servers that asks for the IP address and shared secret. Enter the Elektron server computer's address and the password entered in Access Points. Reboot the server and check the Elektron logs (in the Server Logs pane) to confirm that you entered the correct information. You will need to reconnect to the access point via its wired LAN port to reconfigure it if the settings were incorrect.
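To show what the shared password entered in the Access Points pane actually does on the wire, here is an added example (not Elektron's or Corriente's code) that builds a RADIUS Access-Request carrying an EAP message and checks the two integrity values the shared secret keys: the Message-Authenticator the server checks on the request, and the Response Authenticator the access point checks on the reply. The secret, user name and EAP bytes are constructed; a mismatched secret on either side fails both checks, which is why the logs are the place to look.

```python
import hashlib
import hmac
import os
import struct

# Constructed illustration of the RADIUS checks keyed by the AP/server shared
# secret (RFC 2865 section 3, RFC 3579 section 3.2); not Elektron's own code.
ACCESS_REQUEST, ACCESS_CHALLENGE = 1, 11
USER_NAME, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 79, 80

def attr(attr_type, value):
    """Encode one RADIUS attribute as Type, Length, Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_access_request(secret, identifier, username, eap_payload):
    """AP -> server. Message-Authenticator is HMAC-MD5 over the whole packet,
    keyed with the shared secret, computed with the attribute zeroed."""
    request_auth = os.urandom(16)  # fresh per request, reused to bind the reply
    attrs = attr(USER_NAME, username) + attr(EAP_MESSAGE, eap_payload)
    attrs += attr(MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    mac = hmac.new(secret, header + request_auth + attrs, hashlib.md5).digest()
    return header + request_auth + attrs[:-16] + mac

def verify_message_authenticator(secret, packet):
    """Server side: recompute the HMAC with the attribute zeroed. A wrong secret
    on the AP (or any tampering) fails here and the request is silently dropped."""
    pos = 20
    while pos < len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if attr_type == MESSAGE_AUTHENTICATOR and length == 18:
            zeroed = packet[:pos + 2] + b"\x00" * 16 + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, packet[pos + 2:pos + 18])
        pos += length
    return False  # RFC 3579: EAP-carrying requests without it must be discarded

def build_response(secret, code, request, attrs):
    """Server -> AP. Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    resp_auth = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + resp_auth + attrs

def verify_response(secret, request, response):
    """AP side: ties the reply to its own Request Authenticator and the secret,
    so a reply forged without the secret, or for another request, is rejected."""
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])
```

A real Access-Challenge carrying EAP also needs its own Message-Authenticator (RFC 3579); the example keeps only the Response Authenticator on the reply to stay short.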
The Identity and Certificates panes of Elektron Settings constitute its strongest and potentially most confusing features. Both PEAP and EAP-TTLS require the use of digital certificates to allow the client to be sure it's talking to the right server; the client's credentials let the server know it's a legitimate client.
The problem with digital certificates is that you have to pay yearly fees for them: they're cheap from companies like GoDaddy.com and expensive from VeriSign. But for most WLAN networks, a self-signed certificate is good enough—it doesn't need the third-party vouching that the paid certs provide since you're creating it yourself and hopefully trust yourself.
Elektron lets you create both certificates and certificate requests in the Certificates pane, which streamlines the process of what can often be a text-based, command-line operation. (The Elektron Setup Assistant helps import external certificates even after your initial setup.)
If you use Elektron's own signing authority, the Identity tab lets you export the root certificate that's required by 802.1X clients to authenticate Elektron for PEAP and EAP-TTLS.
Here's where Corriente shines: they offer you four buttons to export the information; two of them create installation programs for Mac OS X and Windows 2000/XP. This is an extraordinarily simple way to create the out-of-band trust needed for these kinds of transactions without the fees associated with third-party certificates.
After installing the necessary certificates in your clients, you use the Accounts pane to either set up accounts just for Elektron's use or use the accounts for the operating system under Windows XP or Mac OS X. If you use Active Directory and install Elektron on either a primary or backup domain controller, it can pick up those accounts, integrating it and making it much more scalable.
With all of these pieces in place, a user launches their 802.1X client, selects the protected wireless network, enters their username and password, and clicks Connect. And they're protected.
Measuring Up
Elektron's limits come from its strengths of simplicity and singlemindedness. If you need to integrate existing directory services with 802.1X, then you need enterprise-scale AAA products. If you need to enter hundreds of users and maintain redundant RADIUS servers, other solutions exist. If you don't want to run software in house or deal with certificates or account creation, then one of LucidLink, WSC Guard, or BoxedWireless might better serve your needs.
But for an office of 10 to 50 users, the fixed cost for unlimited users and relative simplicity of Elektron stack it up nicely against its slightly more expensive low-cost brethren and its enterprise cousins.