Server Options

The Server Options configuration group in Elektron Settings allows you to configure basic Elektron server parameters.

Elektron Settings

Serial Number

This is the serial number that you received when you purchased Elektron or requested an evaluation license. If you are moving from an evaluation serial number to a full, purchased license, enter your new serial number here.

If you are using an evaluation serial number, the expiration date of the license is displayed and a button that links to our website is present to allow you to purchase the full, non-expiring version.

Remote Administration

You can use the Elektron Settings application to configure an Elektron server installed on another machine on your network. If you do not need to remotely administer your server, you should leave this option disabled.

When connecting to your server from a remote machine, you will be prompted for a username and password. The login you use must match an Elektron account that has the “User Can Administer Elektron” option enabled.

When launching Elektron Settings on a remote machine, the application will automatically present you with a dialog to enter the Elektron server address, username, and password. You may also choose “Open” from the File menu to connect to a remote instance of Elektron.

The Elektron server uses TCP port 5398 to communicate with the Elektron Settings application. If you have firewall software running on either the Elektron server machine or your remote machine, you may need to configure it to allow connections on this port.

Replication

The Elektron replication feature provides you with the ability to run multiple instances of Elektron while reducing administrative overhead. With multiple server instances, you have the benefits of a redundant backup in the event of a single server failure. Your wireless network can continue to be available while you correct the server problem.

With replication enabled, multiple copies of Elektron can share a single configuration. You configure one Elektron server (the “master” server), and the configuration is automatically replicated to your other Elektron servers (the “slave” servers). Virtually all settings, including service settings, accounts, access points, groups, and policies are included in the replication. Once your replication setup is completed, all configuration takes place on the master server. Slaves will periodically connect to the master to update any settings that have changed since the last time replication occurred. The interval between replication updates is configurable.

Because some settings are required to be unique to each instance of Elektron, the following settings are not replicated:

  • Serial Number: Each replication master and slave must have its own unique serial number.

  • Replication Settings: These settings determine whether the Elektron instance is a master or slave.

  • IP Address Options: Each Elektron instance may run on servers with different IP addresses, so the option to bind to a specific IP address is not replicated.

Replication can take place among multiple hosts. A single Elektron replication master may serve multiple slaves. It also may be hierarchical, with a single server acting as both master and slave, replicating settings from its master and providing those settings to its own slaves. The most common replication setup is two Elektron servers: a single master and a single slave.

All replication traffic is secured using TLS. This protects sensitive server settings such as account passwords while in transit over your network.

Configuring a Replication Master

Replication is controlled using the Elektron Settings pane. To act as a replication master, two options must be enabled: remote administration and the “Act As a Replication Master” option.

To enable remote administration, check the “Enable Remote Administration” checkbox. To complete the replication master setup check the “Act As a Replication Master” checkbox and create a replication password. The replication password will be used by slave instances to authenticate themselves to the master replica (and vice-versa).

If you have firewall software installed on the server, you may need to create a rule allowing access to TCP port 5398, which is used by Elektron for replication.

Configuring a Replication Slave

To configure a replication slave, use the Elektron Settings pane. To begin, you will need two pieces of information: the network address (either the hostname or IP address) of the replication master, and the replication administration password of the master.

Check the “Act As a Replication Slave” checkbox, and enter the master server’s network address and replication password. Select the frequency with which you would like replication to occur. You may set the interval to a value as small as a single minute, but a more typical value is in the 10-15 minute range. Once replication is enabled, the first replication should occur within a minute.

If you experience problems with replication, errors encountered by Elektron will be logged to the configuration services log file. On Windows systems, this log file is located at:

%SYSTEM%\Logfiles\Periodik\configd_error.log

On Mac OS X, this log file is located at:

/Library/Logs/Periodik/Elektron/configd_error.log

Advanced Settings

Primary Server Port

Elektron allows you to select on which UDP port it will provide services. Since Elektron provides RADIUS service, by default it listens for incoming connections on the standard RADIUS port 1812. If you change this port, you will also need to reconfigure your wireless access points to talk to Elektron on the new port.

Secondary Server Port

Some legacy equipment uses UDP port 1645 for RADIUS. If you have any such equipment, you can enable this option to allow Elektron to listen on both ports for incoming RADIUS requests.

Bind the Server to a Specific IP Address

If your server is configured with multiple IP addresses, you may choose to enter one here in order to limit the availability of Elektron services to just that IP address.

Session Timeout

By enabling this feature Elektron will send a RADIUS “Session-Timeout” attribute along with the session keys when a user successfully authenticates to the server. This value instructs the access point to allow the user to remain connected for a fixed period of time. After that time, the user will be disassociated from the network and will be required to log in again. This increases security by logging out unattended machines and refreshing cryptographic keys on a regular basis.

Not all access points honor the Session-Timeout attribute. If it is not supported by an access point, it will simply be ignored. Consult your access point documentation to determine if your hardware supports this attribute.

You may also configure session timeouts by adding a Session-Timeout attribute using authorization policies. If a connection request has session timeouts set both by the global session timeout value configured on the Advanced Settings panel and by an authorization policy, only the timeout value set by the policy will be applied.
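The following is an added example, not Elektron's own code, showing what the Session Timeout setting produces on the wire: the server resolves the global value against a policy value (the policy wins when both are set), encodes Session-Timeout as RADIUS attribute 27 (a 32-bit count of seconds) in an Access-Accept, and the access point side recomputes the Response Authenticator from RFC 2865 before trusting the attribute. The shared secret and Request Authenticator are constructed sample values.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2          # RADIUS code for Access-Accept (RFC 2865)
ATTR_SESSION_TIMEOUT = 27  # Session-Timeout attribute: 32-bit integer, seconds


def effective_session_timeout(global_timeout, policy_timeout):
    """Timeout the server should send: an authorization-policy value overrides
    the global Advanced Settings value; None means send no attribute at all."""
    return policy_timeout if policy_timeout is not None else global_timeout


def encode_attribute(attr_type, value):
    """RADIUS attribute TLV: one-byte type, one-byte total length, value."""
    length = 2 + len(value)
    if length > 255:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, length) + value


def encode_session_timeout(seconds):
    if not 0 <= seconds <= 0xFFFFFFFF:
        raise ValueError("Session-Timeout must fit in 32 bits")
    return encode_attribute(ATTR_SESSION_TIMEOUT, struct.pack("!I", seconds))


def build_access_accept(identifier, request_authenticator, secret, attributes):
    """Assemble an Access-Accept. The Response Authenticator is
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    body = b"".join(attributes)
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(body))
    response_auth = hashlib.md5(header + request_authenticator + body + secret).digest()
    return header + response_auth + body


def verify_response(packet, request_authenticator, secret):
    """Access-point side: recompute the Response Authenticator with the shared
    secret and compare in constant time; a tampered attribute fails this check."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def parse_attributes(packet):
    """Walk the TLVs after the 20-byte header, rejecting malformed lengths."""
    attrs, body, pos = [], packet[20:], 0
    while pos < len(body):
        if pos + 2 > len(body):
            raise ValueError("truncated attribute header")
        attr_type, length = body[pos], body[pos + 1]
        if length < 2 or pos + length > len(body):
            raise ValueError("malformed attribute length")
        attrs.append((attr_type, body[pos + 2:pos + length]))
        pos += length
    return attrs


def session_timeout_from(packet):
    """Return the Session-Timeout seconds carried in the packet, or None."""
    for attr_type, value in parse_attributes(packet):
        if attr_type == ATTR_SESSION_TIMEOUT:
            if len(value) != 4:
                raise ValueError("Session-Timeout must be 4 bytes")
            return struct.unpack("!I", value)[0]
    return None


# Constructed sample values, not taken from any real deployment.
SAMPLE_REQUEST_AUTH = bytes(range(16))
SAMPLE_SECRET = b"constructed-shared-secret"


def demo_packet(global_timeout=3600, policy_timeout=None):
    """Build the Access-Accept Elektron would send for the given settings."""
    timeout = effective_session_timeout(global_timeout, policy_timeout)
    attrs = [encode_session_timeout(timeout)] if timeout is not None else []
    return build_access_accept(7, SAMPLE_REQUEST_AUTH, SAMPLE_SECRET, attrs)


if __name__ == "__main__":
    pkt = demo_packet(3600, 900)
    print("Session-Timeout sent:", session_timeout_from(pkt),
          "authentic:", verify_response(pkt, SAMPLE_REQUEST_AUTH, SAMPLE_SECRET))
```

The verification step is why the attribute can be trusted at all: without the shared-secret check, anything on the path between server and access point could shorten or remove the timeout.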

Privilege Separation

The Elektron server can be configured to perform its normal functions as an unprivileged user. This is the default option, and when enabled Elektron will start up with full superuser privileges, perform the initialization that requires these privileges, and then drop the privileges and accept authentication requests as an unprivileged user. This provides an additional layer of security should a remotely exploitable security flaw be found in Elektron.
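As an added illustration of the start-privileged-then-drop pattern described above (this is not Elektron's code; the page does not show its implementation), the example below binds the UDP listener while still root, then gives up root in the order that actually works on POSIX systems (supplementary groups, primary group, then user id), and proves the drop is irreversible before serving. The uid/gid 65534 ("nobody") are assumed values; a real service uses a dedicated account. When run without root there is nothing to drop, and the function reports that instead of failing.

```python
import os
import socket

RADIUS_PORT = 1812  # default port from the page; binding it requires root on Unix-like systems
UNPRIV_UID = 65534  # assumed unprivileged "nobody" ids; use a dedicated service account in practice
UNPRIV_GID = 65534


def bind_radius_socket(port, address="127.0.0.1"):
    """Privileged initialization: open the UDP listener while still root."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((address, port))
    return sock


def drop_privileges(uid, gid):
    """Give up root permanently. Returns 'dropped', or 'unprivileged' when the
    process was not root and there is nothing to drop."""
    if os.geteuid() != 0:
        return "unprivileged"
    os.setgroups([])   # clear supplementary groups first: needs root
    os.setgid(gid)     # primary group next, while changing it is still allowed
    os.setuid(uid)     # real, effective and saved uid all become uid: no way back
    try:
        os.setuid(0)   # verify the drop is irreversible
    except PermissionError:
        return "dropped"
    raise RuntimeError("privilege drop failed: process could regain root")


def start_unprivileged(port, uid=UNPRIV_UID, gid=UNPRIV_GID):
    """The startup sequence the page describes: privileged init, then drop,
    then serve on the already-bound socket as the unprivileged user."""
    sock = bind_radius_socket(port)
    status = drop_privileges(uid, gid)
    return sock, status


def loopback_self_test(sock):
    """Confirm the socket bound before the drop still serves afterwards."""
    sock.settimeout(2.0)
    probe = b"constructed-probe"
    sock.sendto(probe, sock.getsockname())
    data, _ = sock.recvfrom(64)
    return data == probe


if __name__ == "__main__":
    # Use the real RADIUS port only when root; otherwise an ephemeral port
    port = RADIUS_PORT if os.geteuid() == 0 else 0
    sock, status = start_unprivileged(port)
    print(f"listening on {sock.getsockname()}, privileges: {status}, "
          f"uid={os.getuid()} gid={os.getgid()}, serves={loopback_self_test(sock)}")
    sock.close()
```

The order matters: once `setuid` has run, `setgroups` and `setgid` are no longer permitted, so a service that drops the user id first is left holding root's group memberships.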

Server Certificate

In order to provide trusted network security services to wireless clients, Elektron must be able to cryptographically identify itself to clients. To prove its identity to clients, your Elektron server sends them its digital certificate during the client login procedure. The Server Certificate pane allows you to select the digital certificate that your server will use.

While the Elektron Settings application allows you to view and export digital certificates, the Elektron Setup Assistant is used to add certificates. The Elektron Setup Assistant will walk you through the step-by-step procedures needed to create and install a digital certificate. To launch the Elektron Setup Assistant, select it from the Elektron application menu.

For a detailed discussion of certificates, see the chapter Digital Certificates.

Selected Certificate

This popup allows you to select which digital certificate will be sent to wireless clients. Click the “View” button next to the menu to view the details of the selected certificate.

Certificate Authority

Displays the common name of the certificate authority (CA) that issued the selected server certificate.

Export Certificate Authority

There are two digital certificates involved during the wireless login procedure: the server certificate, and the CA certificate.

Wireless clients verify the server’s identity by validating the digital signature on the server’s certificate. In order to validate this signature, the client must already have a copy of the certificate authority’s digital certificate.

You can use the export buttons to transfer the CA certificate to clients. You may export the certificate authority in the following ways:

  • Text File: Allows you to save the certificate as a simple text file in PEM format.
  • DER File: Allows you to save the certificate as a binary file in DER format, which is required by some clients, such as Windows Mobile.
  • Email: Opens your default email client and creates a new email message with the text-encoded certificate in the body of the message.

If Elektron does not have the certificate authority certificate in its database, which can occur if you imported an existing certificate without including the CA certificate, the export buttons will be disabled.
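The two export formats above are the same bytes in different wrappers. As an added example (not Elektron's code), the block below converts between them with the standard library only and performs a cheap structural check that catches the common mistakes when handing a CA certificate to a client: a PEM file renamed to .der, or a truncated download. The sample DER blob is constructed (a bare SEQUENCE containing an INTEGER), not a real certificate.

```python
import base64
import re

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"


def der_to_pem(der):
    """Wrap DER bytes as a PEM CERTIFICATE block with 64-column base64 lines."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([PEM_BEGIN, *lines, PEM_END]) + "\n"


def pem_to_der(pem):
    """Extract the first CERTIFICATE block; a private key or a file with no
    certificate block is rejected rather than silently decoded."""
    match = re.search(
        r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", pem, re.S)
    if not match:
        raise ValueError("no CERTIFICATE block found")
    body = "".join(match.group(1).split())
    return base64.b64decode(body, validate=True)


def looks_like_der_certificate(der):
    """Structural sanity check: an X.509 certificate is a DER SEQUENCE (tag 0x30)
    whose encoded length matches the data exactly. This does not validate the
    certificate; it only detects wrong-format or truncated files."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                       # short-form length
        header, length = 2, first
    else:                                  # long-form: 0x80 | number of length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        header, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    return header + length == len(der)


# Constructed sample: SEQUENCE { INTEGER 5 }, not a real certificate.
SAMPLE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x05])
# Constructed long-form sample: a SEQUENCE with a 128-byte body.
SAMPLE_DER_LONG = bytes([0x30, 0x81, 0x80]) + bytes(128)


if __name__ == "__main__":
    pem = der_to_pem(SAMPLE_DER)
    print(pem)
    print("round trip ok:", pem_to_der(pem) == SAMPLE_DER)
    print("DER check on PEM bytes:", looks_like_der_certificate(pem.encode()))
```

Running the structural check on whatever file a client refuses to import usually tells you immediately whether the problem is the encoding or the certificate itself.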