
WPA2 Enterprise Authentication using IronWifi

When I was setting up a secondary network far from home, I quickly realized that I could not authenticate to Active Directory using IPv4 due to my AD server being behind a NAT router and Microsoft not supporting AD over NAT. That's fine, I can just use IPv6. Except... my router doesn't accept an IPv6 address for the RADIUS server. Now I could keep using regular WPA2-PSK, but the OCD in me would not accept that as a definite answer. I had a taste of WPA2 Enterprise, and I want to keep it.

Enter IronWifi. I am part of the lucky ones who have one of those grandfathered free Google Apps domains, and I was looking into a solution that would allow me to perform RADIUS authentication using Google Apps accounts since that sounded like a simple enough alternative. There are some paid solutions out there, but as a regular hobbyist I was not looking at a solution that supports hundreds of users.

Summary

IronWifi had a free plan which exactly fit my needs: one AP, and up to 10 users. The setup is plain simple, and I had the option to manually add my users or use a Google Apps connector. I chose the latter, and IronWifi was instantly able to sync the accounts and auto-generate passwords for RADIUS authentication. Some might have preferred having their users be able to log in with the same credentials they use for Google Apps instead of having to remember two sets of passwords, which admittedly could be confusing, but as they are a third party I prefer having things this way.

User management

Now having to remember two sets of passwords could be annoying, but they also offer the option of generating (and sending) client authentication certificates, which is something I did not have in my original WPA2 Enterprise setup (to be fair it could probably be easily added). What really struck me was the simplicity of the whole configuration process, while still giving the user enough control.

I loved the simplicity, but one of the reasons I was reluctant to use a third party in the first place was that I'm not in control. IronWifi is based in the USA, which is a horrible thing considering the current situation over there. They are no Apple, so they are likely to be easier for the feds to blackmail "negotiate" with. Though nothing will start if we keep doubting, and so far I haven't heard anything bad from IronWifi. I do believe the risk is small here, since IronWifi only serves to authenticate WiFi clients.

Another potential issue I am having is that while the free plan only provides 1 AP, since I use both a 2.4 GHz and a 5 GHz WiFi network, two MAC addresses are auto-detected by IronWifi. At the time of writing I have yet to be contacted for exceeding my free allowance, but should they treat it as 2 APs I will likely have to remove the 2.4 GHz one.

Having to manage two different sets of passwords can indeed be cumbersome for larger organizations. The auto-generated password can be changed, but that can only be done by the administrator. Using certificates seems to be the way to go, but it still requires an administrator to perform the steps. Perhaps having an admin API, allowing administrators to script those steps, could alleviate that pain. I however see the necessity of it on a free plan, so this could be something they should consider for paid plans.