Copyright

Entire site and all contents except otherwise noted © Copyright 2001-2010 by Glenn Fleishman. Some images ©2006 Jupiterimages Corporation. All rights reserved. Please contact us for reprint rights. Linking is, of course, free and encouraged.


March 4, 2005

In-Depth Review of Elektron, a Small Office WPA Enterprise Authentication Server

Reduced IT burden, increased security for the smaller enterprise: The overall IT burden for small businesses has grown ever larger, which is why it's heartening to see the latest in an ongoing series of efforts by Wi-Fi-related software developers and Wi-Fi hardware manufacturers to provide enterprise-style network offerings with small-business pricing and knowledge in hand.

Elektron from Corriente Networks is a proud member of that family of goods. This RADIUS server is designed with one purpose in mind, rather than the Swiss Army knife approach of Windows 2003 Server or Mac OS X Server: Elektron secures wireless networks using WPA (Wi-Fi Protected Access) Enterprise, a flavor heretofore out of reach of those who couldn't spend thousands of dollars on server software and wanted the largest array of standard 802.1X client support.

WPA Enterprise uses a secured login for each user that's coupled with a unique, regularly updated, long encryption key. This eliminates the problem of a shared key being stolen or socially engineered out of an employee. It also avoids having to enter a new key on every computer on the network whenever the shared key needs to be changed. WPA Enterprise rotates around identity instead of a key.

By using a robust WPA key that's unique, the wireless network layer can be virtually assured of full protection from snoopers. The same amount of care needs to be taken with physical intrusion, in which a cracker gains access to the Ethernet network, but it eliminates over-the-air risks.

Elektron brings this to a small office using standard protocols and software and a server that works under both Mac OS X 10.2.8 and later and Windows XP, 2000, and Server 2003.


Elektron in Context

WPA Enterprise combines 802.1X/EAP, a method of exchanging credentials with an authentication server over a network that restricts access to untrusted parties, with WPA, the latest and greatest method of encrypting Wi-Fi traffic.

More robust 802.1X servers offer more options but also cost about 10 to 100 times as much depending on the number of users. Elektron is $299 for unlimited users, while software from Funk, Meetinghouse, Microsoft, and others offers a full spectrum of policy and account management coupled with (except Microsoft) a broad range of client-side support at prices that start at about $2,500 for 10 to 50 users depending on the product.

The more expensive servers bring with them the cost of integrating into existing infrastructures for policy management and directories, although they can stand alone, too. But a trained network administrator is needed.

Elektron by contrast requires a computer literate employee who can enter the right values for local network settings. Elektron's computational demands are minimal, allowing it to be run on existing hardware with no noticeable load even on busy wireless networks. The transactions it conducts are brief and infrequent.

(Similar small- to medium-sized office products have been previously reviewed or covered here at Wi-Fi Networking News, including WSC Guard and BoxedWireless, hosted service solutions, and LucidLink, an in-house server. The hosted services charge monthly rates by user; LucidLink is a one-time fee based on simultaneous users.)

If the Elektron server is installed on a file server (Mac OS X) or a domain controller (Windows), it can pick up local user accounts. Otherwise, accounts must be entered by hand. The company said via email that they have the ability in future or higher-end versions to tie into existing RADIUS directories or consult SQL databases.

Corriente also simplifies matters while improving security by only supporting WPA Enterprise, which is the combination of 802.1X and a TKIP (Temporal Key Integrity Protocol) key found in Wi-Fi Protected Access (WPA).

The Elektron server also supports only the two most popular flavors of secured Extensible Authentication Protocol (EAP), namely EAP-TTLS (Tunneled Transport Layer Security) originally championed by the now agnostic Funk and Meetinghouse, and PEAP (Protected EAP) in Microsoft's flavor of the standard.

Clients supporting EAP-TTLS and PEAP are built into Windows XP, Mac OS X 10.3, and some versions of Unix. They can be purchased as stand-alone client software from Funk and Meetinghouse for about $40 each. Funk supports a range of Windows platforms and Pocket PCs; Meetinghouse offers Windows plus Mac OS X 10.2, Solaris 8, some Linux flavors, Palm, and Zaurus.

Getting Set Up with Elektron

Elektron involves a very simple installation under Mac OS X and Windows. After installation, the Elektron Settings application controls the server's features.

Each access point on a network must be configured to point to the Elektron server, which needs to be installed on a machine that has a static IP address, although for LANs, this address can be a private NAT address. The Access Points pane of the settings program lets you enter a shared password which is then used on each access point to exchange data with Elektron.

The Restrict Access Points to Local Network checkbox when checked keeps Elektron local; uncheck it, and remote offices can use Elektron for authentication. But remember that a routable IP address is needed in that configuration, that you're opening up Elektron to potential external attack, and that losing Internet access in a remote location means losing all subsequent access to the WLAN--users that have authenticated can remain on the network but new users can't join until access is restored.

Most access points, whether the cheapest or most expensive, have a configuration option for RADIUS servers that asks for the IP address and shared secret. Enter the Elektron server computer's address and the password entered in Access Points. Reboot the server and check the Elektron logs (in the Server Logs pane) to confirm that you entered the correct information. You will need to reconnect to the access point via its wired LAN port to reconfigure it if the settings were incorrect.
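To show what the shared secret entered in the Access Points pane does on the wire, and why a mistyped one surfaces as failures in the Server Logs pane, here is an added Python example (not Elektron's or Corriente's code) that builds a RADIUS Access-Request, hides the password and verifies a reply's Response Authenticator as RFC 2865 specifies. It uses the basic User-Password attribute rather than the EAP-Message tunnelling that 802.1X actually carries, but the shared-secret mechanics are the same; the secret, user and password are constructed values.

```python
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2   # RFC 2865 packet codes
USER_NAME, USER_PASSWORD = 1, 2        # RFC 2865 attribute types

def attr(attr_type, value):
    # Attribute = type, total length (header included), value.
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def get_attr(packet, attr_type):
    # Walk the attribute list that follows the 20-byte RADIUS header.
    pos = 20
    while pos < len(packet) and packet[pos] != attr_type:
        pos += packet[pos + 1]
    return packet[pos + 2:pos + packet[pos + 1]] if pos < len(packet) else None

def password_transform(data, secret, req_auth, hide):
    # RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous ciphertext block),
    # seeded by the Request Authenticator; the same loop hides and recovers.
    out, prev = b"", req_auth
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        result = bytes(a ^ b for a, b in zip(block, hashlib.md5(secret + prev).digest()))
        prev, out = (result if hide else block), out + result
    return out

def build_access_request(ident, user, password, secret):
    # Access-Request as the access point sends it; the Request Authenticator is fresh each time.
    req_auth = os.urandom(16)
    padded = password + b"\x00" * (-len(password) % 16)
    attrs = attr(USER_NAME, user) + attr(USER_PASSWORD, password_transform(padded, secret, req_auth, True))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs

def server_recovers_password(request, secret):
    # What the server decodes; with a mismatched secret this is garbage, every login fails, and the log shows it.
    hidden = get_attr(request, USER_PASSWORD)
    return password_transform(hidden, secret, request[4:20], False).rstrip(b"\x00")

def build_reply(code, request, secret, attrs=b""):
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return header + hashlib.md5(header + request[4:20] + attrs + secret).digest() + attrs

def reply_is_authentic(reply, request, secret):
    # The access point recomputes the Response Authenticator with its own copy of the secret
    # before trusting an Accept or Reject, so a forged or mis-keyed reply is discarded.
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    return expected == reply[4:20]
```

Build a request with build_access_request, answer it with build_reply, and hand a mistyped secret to server_recovers_password or reply_is_authentic to see each side's check fail.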

The Identity and Certificates panes of Elektron Settings constitute its strongest and potentially most confusing features. Both PEAP and EAP-TTLS require the use of digital certificates to allow the client to be sure it's talking to the right server; the client's credentials let the server know it's a legitimate client.

The problem with digital certificates is that you have to pay yearly fees for them: they're cheap from companies like GoDaddy.com and expensive from VeriSign. But for most WLAN networks, a self-signed certificate is good enough—it doesn't need the third-party vouching that the paid certs provide since you're creating it yourself and hopefully trust yourself.

Elektron lets you create both certificates and certificate requests in the Certificates pane, which streamlines the process of what can often be a text-based, command-line operation. (The Elektron Setup Assistant helps import external certificates even after your initial setup.)

If you use Elektron's own signing authority, the Identity tab lets you export the root certificate that's required by 802.1X clients to authenticate Elektron for PEAP and EAP-TTLS.

Here's where Corriente shines: they offer you four buttons to export the information; two of them create installation programs for Mac OS X and Windows 2000/XP. This is an extraordinarily simple way to create the out-of-band trust needed for these kinds of transactions without the fees associated with third-party certificates.

After installing the necessary certificates in your clients, you use the Accounts pane either to set up accounts just for Elektron's use or to use the accounts of the operating system under Windows XP or Mac OS X. If you use Active Directory and install Elektron on either a primary or backup domain controller, it can pick up those accounts, integrating it and making it much more scalable.

With all of these pieces in place, a user launches their 802.1X client, selects the protected wireless network, enters their username and password, and clicks Connect. And they're protected.

Measuring Up

Elektron's limits come from its strengths of simplicity and single-mindedness. If you need to integrate existing directory services with 802.1X, then you need enterprise-scale AAA products. If you need to enter hundreds of users and maintain redundant RADIUS servers, other solutions exist. If you don't want to run software in house or deal with certificates or account creation, then one of LucidLink, WSC Guard, or BoxedWireless might better serve your needs.

But for an office of 10 to 50 users, the fixed cost for unlimited users and relative simplicity of Elektron stack it up nicely against its slightly more expensive low-cost brethren and its enterprise cousins.