
Enabling 802.1x Security on Verizon FiOS

In this post we will explain how to configure your Verizon FiOS service to use the IronWifi RADIUS server. We used the Actiontec MI424WR Rev I Wireless-N Router.

First you have to access the router administration page. By default, the web interface is available on

To authenticate to the web interface, use credentials printed on your wireless router.

Router Administration Login Page

With valid authentication credentials, you should see the Main configuration screen.

FiOS router main administration screen

Proceed to the Wireless Settings by clicking on the button in the navigational bar.

Verizon Wireless Network Settings

In the Wireless Settings screen, click on the Advanced Security Settings link and select WPA2 as your Level 1 protection.

Advanced Configuration of Wireless Network Settings

On the next screen, switch the authentication method to 802.1X.

Wireless Network Authentication Method

Enter the RADIUS settings as displayed in your IronWifi console.

Configuring Radius Server settings on Verizon router

Click on the Apply button and wait while the new settings are applied.

Applying New Authentication Settings

If necessary, delete the old wireless network profile so that a new profile can be created.

Deleting Old Wireless Profile

SSH Authentication Using Hosted RADIUS

In this post, we will show how simple it is to configure your Linux server to use credentials stored in your cloud RADIUS.

First, install the development tools needed to compile the authentication module.

On CentOS:

yum install gcc pam pam-devel make -y

On Ubuntu:

apt-get install make libpam0g-dev


After it’s finished, we will download the source code of the pam_radius package from the original FTP server.


Untar it, move to its directory and compile it:

tar xvzf pam_radius-1.3.17.tar.gz
cd pam_radius-1.3.17
make

A new file called “” should be created.

On CentOS, if you are on the x86_64 architecture, copy this file to the /lib64/security folder. If you are still on the x86 architecture, copy it to the /lib/security/ folder instead.

On Ubuntu copy the file to /lib/x86_64-linux-gnu/security/.

Now open up /etc/pam.d/sshd and add the just before the top line like below in CentOS:


auth required
auth sufficient
auth include password-auth
account required
account include password-auth
password include password-auth
# close should be the first session rule
session required close
session required
# open should only be followed by sessions to be executed in the user context
session required open env_params
session optional force revoke
session include password-auth

On Ubuntu, open /etc/pam.d/sshd and add the line at the very top, as shown below. On Ubuntu you also need to comment out the line @include common-auth so that it reads #@include common-auth:


# PAM configuration for the Secure Shell service

auth required

# Read environment variables from /etc/environment and /etc/security/pam_env.conf.
auth required # [1]

# In Debian 4.0 (etch), locale-related environment variables were moved to /etc/default/locale, so read that as well.
auth required envfile=/etc/default/locale

# Standard Un*x authentication.
#@include common-auth

# Disallow non-root logins when /etc/nologin exists.
account required

Save it, then create a directory called “raddb” in /etc/ and, inside that directory, a file called “server”.

Edit the file “server” and add the following:

mkdir /etc/raddb

echo "your_radius_ip:radius_port your_radius_secret 3" > /etc/raddb/server

So it would look something like this: dfk34Jdf 3

Now you should be able to access your Linux box with credentials managed in the Cloud RADIUS.

The last thing that has to be done is create a user on the local system like below:

useradd -d /home/user1/ user1

We don’t set a password for this user; this is where Hosted RADIUS comes in. You will need a matching password for this username in IronWifi RADIUS.
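The /etc/raddb/server file created above stores the RADIUS shared secret in clear text, and the echo redirect creates it with the shell's default umask, which usually leaves it world-readable. The following check is an added example, not part of the original post or of pam_radius; it assumes the `host[:port] secret [timeout]` layout shown above with a hostname or IPv4 address, the function name `audit_server_file` is hypothetical, and the sample entry is constructed.

```python
import os
import stat
import tempfile

def audit_server_file(path):
    """Return findings for a pam_radius server file; an empty list means OK."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    # The shared secret is stored in clear text, so only the owner may read it.
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"mode {mode:04o} exposes the shared secret; use 0600")
    with open(path) as fh:
        for lineno, raw in enumerate(fh, 1):
            line = raw.strip()
            if not line or line.startswith("#"):
                continue  # blank line or comment
            fields = line.split()
            if len(fields) not in (2, 3):
                findings.append(f"line {lineno}: expected 'host[:port] secret [timeout]'")
                continue
            _host, _, port = fields[0].partition(":")
            if port and not (port.isdecimal() and 0 < int(port) < 65536):
                findings.append(f"line {lineno}: invalid port {port!r}")
            if len(fields) == 3 and not fields[2].isdecimal():
                findings.append(f"line {lineno}: timeout must be whole seconds")
    return findings

def demo():
    """Audit a constructed entry, first world-readable, then owner-only."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "server")
        with open(path, "w") as fh:
            fh.write("192.0.2.10:1812 constructed-secret 3\n")  # constructed sample
        os.chmod(path, 0o644)
        before = audit_server_file(path)
        os.chmod(path, 0o600)
        after = audit_server_file(path)
    return before, after

if __name__ == "__main__":
    print(demo())
```

On a real host, run `audit_server_file("/etc/raddb/server")` as root after creating the file and apply `chmod 600` if it reports a mode finding.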

3 Simple Steps To Secure WiFi

In this short guide, we’re going to go through 5 steps to secure a home wireless network.

Step #1 – Change router’s default password

A) If you’ve never logged into your wireless router, look up the make and model of the router, and find the default IP Address, username, and password, then log in.

B) For example, if your wireless router has a default IP Address of, default username of admin, and default password of blank. Login by doing the following:

  1. Open Internet Explorer and type in the address
  2. When prompted, the username would be admin, and the password would be blank.

C) If the router’s password is still set to the default password, it is important to change this password to something else to keep an intruder from effectively kicking you off of your own network.

Step #2 – Disable SSID Broadcasting

This option decides whether people can or cannot see your wireless signal. This is not necessarily recommended because although this will keep your network invisible to the common nosy neighbor, it will not protect your network from any serious hackers. It can also make setting up your own devices on your wireless network more difficult. So, it’s good to know how this works, but always use encryption and don’t rely on just disabling SSID broadcasts to keep your network secure.

Step #3 – Enable Encryption

It’s important to use encryption on your wireless network. Not only does it keep intruders off of the network, but it also keeps eavesdroppers from listening in on your network traffic. The two major types of wireless encryption are listed below. Please also note that any encryption enabled on the wireless router must also be enabled on each Wireless Device that needs to connect to the internet.

  1. WEP – This is still the most common type of encryption enabled on most wireless routers. Please note that this can be broken by serious hackers in about 2 minutes, but will keep out most neighbors and passersby.
  2. WPA2-PSK – This is becoming the most common type of encryption and is enabled on most new wireless routers. WPA2 is more secure than WEP but can be compromised by brute-forcing your password.
  3. WPA2-Enterprise – Also called 802.1x, it uses session passwords generated each time your device connects to the network. This security mode has not been compromised yet, but is not available on some older types of Wireless Devices.


If you choose the WPA2-Enterprise security mode, IronWifi will act as a guard, verifying the identity of users and devices connecting to your Wireless Network. Without this service, people could get in by breaking WEP encryption, faking through a MAC Filter, brute-forcing your WPA2 password, or by good old-fashioned hard-line plugging into your router directly instead of connecting through the wireless. Taking control of connecting devices is the final step in securing a Wireless Network.

Protecting CLEAR's 4G wireless network with RADIUS

CLEAR is a popular 4G wireless internet provider in the United States. It provides internet connectivity through a 4G wireless modem that also acts as a wireless access point. Unfortunately, the safest wireless security mode it currently supports is only WPA2-PSK. In this post we describe the procedure for securing CLEAR’s wireless network with the better, RADIUS-powered WPA2-Enterprise security mode.

First, we access the modem’s administration interface by opening from a web browser. After successful authentication, the modem welcomes us with the following Welcome screen.

CLEAR 4G Welcome Screen

To verify available Wireless Security Settings, let’s click on the Basic -> Wi-Fi -> Advanced buttons.

Clear Modem Wireless Security Settings

As you can see in the picture above, this modem supports authentication only with pre-shared keys and not the more secure WPA2-Enterprise mode. For WPA2-Enterprise, it is necessary to add another wireless router to create a new RADIUS-powered wireless network.

Connecting TP-Link router to CLEAR’s modem

CLEAR will remain our provider of internet connectivity. We connect the TP-Link router to the modem with the provided Ethernet cable and turn the router on. It is important to plug the Ethernet cable into the blue network port (uplink).

CLEAR modem connected to TP-Link

Next, we connect a computer to the new wireless network provided by the TP-Link router and follow the initial configuration instructions. During this procedure, the router will ask for a PIN number, which is printed on the sticker on the bottom side of the router.

TP-Link initial setup


In the next step, we select the Wireless Security type. At this moment, not all security options are available, so we select the WPA2-PSK security mode, type in a temporary pre-shared key and finish this configuration.

Creating virtual RADIUS server and user’s accounts

Now, let’s go to to define our Network and create accounts for our Users. After signing in, all we have to do is follow Configuration Wizard, which provides all required information in the last page’s summary. We keep this page open, so we can use the values in next step.

RADIUS Configuration Wizard Step3

Configuring TP-Link router to use WPA2-Enterprise security mode

Let’s go back to the TP-Link router to change wireless security settings. TP-Link’s web administration interface is available at, and it will prompt to enter default credentials; username is admin and password is admin too.

Router's Interface login


After accessing the Wireless Security Settings, we switch the Wireless Security type to WPA/WPA2 and enter information from the IronWifi Console – the RADIUS server IP address, Port, and Shared Secret.

Routers wireless security settings


Finally, save the new settings and restart the router.

Connecting with user’s credentials

Finally, we connect our client devices to the new Protected Wireless Network using the user’s credentials defined in the Console. For us it works like a charm, but if you still have connection issues, please follow our documentation for your specific platform.

Solving Access-Reject Issues

This article provides some tips if you are seeing authentication requests being rejected by the RADIUS server.

On the Windows platform, one useful tool is the NTRadPing Test Utility, which can be downloaded from the author's website.

This handy tool produces a simple Authentication Request, which is sent to the defined RADIUS server with the defined connection parameters and credentials.

In the RADIUS Server reply section, you will see how quickly the server responded and what response it returned. Although the tool does not support tunneled EAP authentication requests, it can be used to debug the basic PAP and CHAP methods.

NTRadPing Screenshot

1. If the answer is Access-Accept, the server accepted your authentication request and you should be able to use the wireless network. If you are still experiencing problems, double-check the configuration of your wireless router and the client’s device.

2. If the answer from the RADIUS server is Access-Reject, there are several possible explanations:

  • Provided credentials might be wrong
  • User might be disabled
  • User’s account might be expired
  • User is trying to log in outside the assigned Login Time

3. Another output you might see is the message no response from server (timed out). If this is the case, please double-check the RADIUS Server IP address, Port and Secret Key. If the values are correct, your firewall might be blocking outgoing requests. Contact your network administrator to verify that outgoing traffic to the server's IP address and UDP port is allowed.
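To make the three outcomes above concrete, here is what a basic PAP test request and its reply look like on the wire under RFC 2865. This is an added example, not code from NTRadPing or IronWifi; the function names are hypothetical, the user, password and secret are constructed sample values, and the server reply is simulated locally instead of being sent over UDP.

```python
import hashlib
import hmac
import os
import struct

CODES = {2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}

def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16) or bytes(16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def attr(attr_type, value):
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_access_request(user, password, secret, ident=1):
    """Return (packet, request_authenticator) for a PAP Access-Request (code 1)."""
    auth = os.urandom(16)
    attrs = attr(1, user.encode()) + attr(2, hide_password(password.encode(), secret, auth))
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + auth + attrs, auth

def build_reply(code, ident, request_auth, secret, attrs=b""):
    """Server side, simulated here so the example runs offline."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return head + hashlib.md5(head + request_auth + attrs + secret).digest() + attrs

def classify_reply(reply, secret, ident, request_auth):
    """Name the reply, but only after checking it is authentic for our request."""
    if len(reply) < 20:
        return "malformed reply"
    code, rid, length = struct.unpack("!BBH", reply[:4])
    if rid != ident or length != len(reply):
        return "malformed reply"
    expected = hashlib.md5(reply[:4] + request_auth + reply[20:] + secret).digest()
    if not hmac.compare_digest(expected, reply[4:20]):
        return "bad authenticator (shared secret mismatch)"
    return CODES.get(code, f"unexpected code {code}")

if __name__ == "__main__":
    secret = b"constructed-secret"  # constructed sample values throughout
    pkt, auth = build_access_request("user1", "constructed-pass", secret, ident=7)
    print(classify_reply(build_reply(3, 7, auth, secret), secret, 7, auth))
```

RFC 2865 has clients silently discard replies whose authenticator fails to verify, which is why a wrong Secret Key can surface as a timeout rather than as an Access-Reject.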