What You Will Need

There are three main components in a secure wireless network: clients, access points, and the Elektron server that provides authentication services on the network. Each has its own requirements:

Elektron Requirements

An always-on computer running either:

  • Windows XP Professional
  • Windows Server 2003
  • Windows Vista
  • Windows 7
  • Windows Server 2008
  • Mac OS X 10.5 or later

The machine that hosts Elektron must be connected to the wired Ethernet network. Elektron cannot provide services to the wireless network if it is itself connected via the wireless network.

Wireless Client Requirements

For Windows clients, Windows XP with the latest service packs installed and a WPA-capable Wi-Fi card are required. For Mac OS X users, Mac OS X 10.3 or later and an AirPort or AirPort Extreme card are required. Elektron uses standard RADIUS/802.1X authentication, so other WPA Enterprise clients are likely to work as well.

Access Point Requirements

Access points that will use Elektron services must support WPA Enterprise security. Many of the access points available today support WPA Enterprise, since the Wi-Fi Alliance has been requiring this support as part of their “Wi-Fi Certified” program. The Wi-Fi Alliance maintains a list of Wi-Fi Certified access points at their web site, http://www.wi-fi.org. Popular recent access points from makers like Linksys, D-Link, Cisco, and Apple fulfill this requirement.

Installing Elektron

Mac OS X

Find the downloaded Elektron-2.x.x.dmg file and double-click it. This will mount the Elektron disk image on your desktop. To install Elektron, drag the Elektron Settings application to your Applications folder. The first time you launch Elektron Settings, you will be prompted to install the server components.

Your Elektron installation is split into two parts: the Elektron Settings application, and the server components. On your server, both pieces are installed. You may optionally install Elektron Settings on a desktop computer in order to remotely administer your Elektron server. In this case, do not select the option to install the server components on the desktop computer.

Initial Configuration

After the file installation completes, launch the Elektron Settings application to begin configuring your server. On first launch, the Elektron Setup Assistant will be shown. This wizard provides a guided, step-by-step initial configuration of your Elektron server.

Setup Assistant

Serial Number

The first item the Elektron Setup Assistant asks for is your serial number. Enter the serial number you received at the time you purchased Elektron or registered for an evaluation license. For users who purchased Elektron on physical media, your serial number can be found on the back of the CD case.

Optionally, you may begin a 30 day evaluation by leaving the serial number field blank or by obtaining an evaluation serial number from our website at http://www.periodiklabs.com/. During the evaluation period, all Elektron server functions will be available. At the end of the evaluation period, you will need to purchase a non-expiring serial number.

Access Point Password

Elektron secures communications with your network’s access points by means of a shared secret, i.e., a password or passphrase. You will need to enter this password here in the Elektron Setup Assistant, as well as on each of the access points that will be used on your network. You will need to enter the password here exactly as it will be entered on your access points. Access point passwords are case-sensitive.

Digital Certificate

Every Elektron server needs a digital certificate, which it uses to identify itself to wireless clients. During this portion of the configuration, you will be prompted for several pieces of information identifying your organization and server machine. Once this information is entered, your certificate will be created.

For the majority of users, accepting the “Create a new certificate hierarchy” option is the best combination of security and convenience. With this option, the Elektron Setup Assistant will prompt you for information about your organization and automatically generate a certificate hierarchy based on this information. Users with advanced PKI needs can select one of the other options as suits their needs, including integrating with an existing PKI or using an external CA such as Verisign. If you choose to go this route, be sure that the CA selected is capable of generating certificates compatible with WPA usage: some WPA clients (like the Microsoft Windows client) require specific certificate extensions to be present in order to correctly authenticate the server.

After your certificate is created, configuration is complete. Your Elektron server is up and running and ready to accept incoming authentication requests.

On the final page of the Elektron Setup Assistant, you are given the option of saving your digital certificate in several different formats. These are needed in order to complete the configuration of clients that will be accessing your Elektron-protected Wi-Fi network. Clients use the Elektron digital certificate to confirm that they are communicating with a trusted server. You should export your certificate and distribute it to your wireless clients. If you choose to continue without saving the certificate at this point, you can always save it later from the “Server Certificate” pane in the Elektron Settings application.

Some clients, such as the Mac OS X and Windows Vista clients, allow a user to connect to Elektron without having previously installed the Elektron digital certificate. In this case, a warning to the effect of “the server presented an unknown certificate, do you want to trust it anyway?” is presented to the user. Distributing the certificate to the user prior to the first login attempt will avoid this message, in addition to providing greater security.

To distribute the Elektron digital certificate to users, you can burn the installers to a CD that can be moved around to each client machine for its initial configuration. Another good option is to copy the installers to a keychain USB flash drive, and use the drive to install onto client machines.

Configuring Access Points

Each access point on your network must be configured to use your Elektron server for user authentication and encryption key generation.

How to configure your access points will depend on what make and model of the units you are using. Consult your manufacturer’s documentation on how to configure your specific access points.

The changes that need to be made to the access point configuration are:

Security Type

Depending on your access point maker, this may be called “WPA Enterprise”, “WPA-802.1X”, “WPA-RADIUS”, or something similar.

RADIUS Server

Configure these settings to point to your Elektron server. You will need to enter your server’s IP address and possibly the port on which the server is running. By default, Elektron uses port 1812.

Shared Secret

This is the password used to secure communications between Elektron and the access point. Enter the shared secret with which you configured Elektron during the Elektron Setup Assistant process.

Some access points may allow more than one RADIUS server to be configured. This is to allow for fail-over in the event that the first RADIUS server is unavailable. You may choose to run multiple copies of Elektron on different machines to provide this additional service, but you will need an additional license for each server deployed. For most small business networks, a single Elektron server will be sufficient.
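
The following Python example is added here for illustration and is not Elektron's code or part of the original manual. It shows how standard RADIUS uses the shared secret on both sides (the RFC 2869 Message-Authenticator on the access point's request, the RFC 2865 Response Authenticator on the server's reply), and why a secret that differs only in case makes every exchange fail. The secrets and user name are constructed sample values, and the Message-Authenticator is assumed to be the last attribute in the packet.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, MESSAGE_AUTHENTICATOR = 1, 80  # RADIUS attribute types


def attr(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as type, length, value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_request(secret: bytes, ident: int, user: bytes, request_auth: bytes) -> bytes:
    """Access-Request as an access point sends it, signed with HMAC-MD5."""
    attrs = attr(USER_NAME, user) + attr(MESSAGE_AUTHENTICATOR, bytes(16))
    packet = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac  # fill in the zeroed signature field


def request_is_authentic(secret: bytes, packet: bytes) -> bool:
    """Server side: recompute the HMAC with the signature field zeroed."""
    expected = hmac.new(secret, packet[:-16] + bytes(16), hashlib.md5).digest()
    return hmac.compare_digest(expected, packet[-16:])


def build_accept(secret: bytes, request: bytes) -> bytes:
    """Attribute-less Access-Accept bound to the request and the secret."""
    head = struct.pack("!BBH", ACCESS_ACCEPT, request[1], 20)
    return head + hashlib.md5(head + request[4:20] + secret).digest()


def reply_is_authentic(secret: bytes, request: bytes, reply: bytes) -> bool:
    """Access point side: MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    return reply[1] == request[1] and hmac.compare_digest(expected, reply[4:20])


if __name__ == "__main__":
    server_secret = b"Office-WiFi-2010"  # constructed sample, as entered on the server
    ap_secret = b"office-wifi-2010"      # same phrase typed with different case on the AP
    req = build_request(ap_secret, 7, b"alice", os.urandom(16))
    print("server accepts request from mistyped AP:", request_is_authentic(server_secret, req))
    good = build_request(server_secret, 8, b"alice", os.urandom(16))
    reply = build_accept(server_secret, good)
    print("matching AP accepts reply:", reply_is_authentic(server_secret, good, reply))
```

A mismatched secret does not produce an error message on the wire: the receiving side discards the packet, so a mistyped access point password typically shows up as client authentication timing out.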

AirPort Express and AirPort Extreme

Before beginning with your AirPort Extreme base station, note that there are problems with AirPort Extreme firmware version 5.5. For more information, see our online knowledge base article at:

http://www.periodiklabs.com/support/index.php?pg=kb.page&id=9

Configuring either AirPort Express or AirPort Extreme base stations for WPA Enterprise security using Elektron is simple. Follow these steps to configure your base stations:

  1. Launch the AirPort Admin Utility (located in /Applications/Utilities)
  2. From the “Select Base Station” window, double-click the name of the base station to be configured
  3. Enter the administrative password for the selected base station
  4. On the left hand side of the resulting window, click the “Show All Settings” button
  5. Click the “Change Wireless Security Options” button
  6. Select “WPA Enterprise” as the Wireless Security option
  7. You may be warned about your computer not being WPA capable. It is alright for the Elektron server computer to not be WPA capable: Elektron does not use the WPA protocol to communicate with your access points (it uses RADIUS, which in turn enables WPA for clients).
  8. Enter the following values for Primary RADIUS Server (you may leave the Secondary RADIUS Server settings empty):

    IP Address: The IP address of the computer running the Elektron server

    Port: Enter the number “1812” (without the quotes, of course)

    Shared Secret: Enter the password you created when running the Elektron Setup Assistant, as described above in “Access Point Password”

    Verify Secret: Retype the password

Note that only AirPort Express and AirPort Extreme base stations are supported. Original graphite or snow AirPort base stations do not support WPA security.

Configuring Wireless Clients

Wireless clients that will be utilizing your secure network will require some configuration in order to join the network. This includes installation of the certificate authority’s digital certificate on the client machines. For detailed information on how to configure both Windows and Mac OS X clients, see the chapters: