How difficult is it to set up 802.1x authentication? Extreme tester Joel Snyder provides a minute-by-minute account of his 802.1X adventure.
By Joel Snyder
Network World, 04/04/05
Original article on Network World Web Site
Using the 802.1X protocol to secure wired and wireless networks is supposed to be easy. So we grabbed some hardware and servers from our test lab to see how hard it would be in the real world. The challenge: Could we set up 802.1X authentication in one hour or less?
Before diving into any 802.1X project, start by answering the question, "Where is my user-authentication database stored?" You can't design any aspect of 802.1X until you've figured out how you're going to authenticate users. If you're going to use Secure Computing's SafeWord or RSA Security's SecurID or any other one-time password system, you'll need to find a RADIUS server that can talk to that authentication database. In our case, we decided to use our Windows 2000 server's built-in user database.
Start the Odyssey
Once you know where your user data is stored, you can pick an authentication method. 802.1X is a framework that allows lots of ways to actually handle the authentication. If you use usernames and passwords, Protected Extensible Authentication Protocol (PEAP) and Tunneled Transport Layer Security (TTLS ) are the two methods to care about. While similar, there's one huge difference: TTLS can work with one-way encrypted passwords, while PEAP cannot. So for example, if your usernames and passwords are locked up in a Unix-style database, you have to use TTLS. With Windows, passwords are not so tightly secured, and challenge-response authentication methods can be used, which means either PEAP or TTLS would work.
Although TTLS is more flexible, PEAP has one significant benefit: It's built into Windows XP (and is available as a Microsoft update to Win 2000). Because we wanted to get up and running as quickly as possible, we decided to use PEAP as an authentication method, with MS-CHAPv2 (Challenge Handshake Authentication Protocol) inside to carry the actual username and passwords.
With those two decisions made, life suddenly gets a lot easier. The next step is to find a RADIUS server that will talk to your 802.1X devices on one side and to your authentication database on the other. Although Microsoft includes a free one with Win 2000 server, called Internet Authentication Server (IAS), it only runs in a Windows domain environment.
Our server was stand-alone and converting it to be compatible with Microsoft's
IAS wasn't going to happen in one hour. For that reason, we elected to use Funk
Software's Odyssey RADIUS server. Although Funk is known for industrial strength
RADIUS software, Odyssey is a simpler product that does exactly what we needed
and not more. Plus, with a free trial download at http://www.funk.com/,
it fit very nicely into our time requirement.
(Stopwatch: 8 minutes, including reboot)
Calculate the RADIUS
With wireless authentication, it's critical that both ends of the connection authenticate themselves. It's not a very good idea to give your username and password to just any access point that happens to be around. With PEAP and TTLS EAP authentication methods, the RADIUS server identifies itself using a digital certificate. Normally, getting a digital certificate is a long process, but we had a secret: RegisterFly. This little-known registrar sells certificates at a great price ($16 per year), but most importantly, it will issue them immediately. You have to prove that you own the domain name in the certificate, but total elapsed time between hitting their Web site at http://www.registerfly.com/ and getting a certificate for our server was just under 10 minutes. If you don't care about having a trusted root sign your certificates, you can use CAcert (http://www.cacert.org/), which is just as fast and free - although CAcert doesn't have their certificate built into Windows. Because we wanted to go quickly and not worry about how we were going to get the CAcert server certificate to our clients, we opted to spend the $16.
One touchy part of getting the certificate for a RADIUS server to work with
802.1X is having all of the right attributes in the certificate. We used OpenSSL
to generate the certificate request and get everything right. If you have to
install OpenSSL just to request the certificate, that'll add to your time, but
if you've got any Mac or Linux systems around, they'll have OpenSSL pre-installed
and ready to go. Another option, if you have Windows Internet Information Server
Web Server running, is to use the built-in wizard in the IIS management tool.
A certificate that will work for IIS also should work fine for a RADIUS server
because Microsoft stuffs the necessary Extended Key Usage attributes into its
certificate request.
(Stopwatch: 23 minutes)
With certificate in hand, you have to configure your RADIUS server. Although
it won't all be as easy as Odyssey, the information you have to put in is fairly
simple: the IP addresses of the access points, what authentication methods are
allowed and what security policy to enforce. In the case of Odyssey, we turned
on PEAP authentication with MS-CHAPv2, and that was about it.
(Stopwatch: 28 minutes)
Determine the Proximity
With the server side done, your next task is to get the wireless access point ready for 802.1X. It's possible to use "pure" 802.1X authentication, which was the earliest implementation of 802.1X over wireless. With pure 802.1X, you use 802.1X to authenticate, but then plain old Wired Equivalent Privacy for encryption. However, access points that support 802.1X will also support Wi-Fi Protected Access (WPAv1) . A few also will support 802.11i, the IEEE final standard for wireless security, also called WPAv2.
Because WPAv1 is commonly available and considered very secure, your best bet is to dive right into WPAv1 with 802.1X authentication.
Our next step was making our access point 802.1X-aware and building a secure channel between the access point and the RADIUS server. We pulled an access point off the shelf, a Proxim AP-4000 802.11a/b/g device that received high praise in Network World's wireless security test in 2004. With the AP-4000, adding 802.1X authentication requires going to two screens to fill out information. On one we put in our RADIUS server and the shared secret that authenticates the access points to the RADIUS server. If your access point does not have a fairly secure channel to the RADIUS server (for example, if they're not on the same LAN switch ), it's important to pick a nice long shared secret of 20 characters or more.
On the second screen of the AP-4000, we enabled WPA with 802.1X authentication
and rebooted the access point. Because the access point doesn't participate
actively in the 802.1X authentication, you don't have to configure in all of
the miscellaneous 802.1X parameters, such as authentication method, when you
set up the access point.
(Stopwatch: 33 minutes)
Turn on the Inspiron
Because XP already has WPA and 802.1X built in for wireless security, we didn't
have to install any software on the Windows laptop. However, we had to wade
through the XP client configuration menus. These are attached to the wireless
adapter. Our test laptop, a Dell Inspiron with a built-in wireless card, saw
the AP-4000 but didn't know how to connect. By default, Windows will want to
use a digital certificate to authenticate. That's good security, but didn't
fit into our deployment plans. Next, in Windows preferences, is using the credentials
you used to log on to XP - again, not what we wanted. Setting up 802.1X authentication
took clicking on a few property pages.
(Stopwatch: 38 minutes)
One for the Aegis
If you use the built-in Windows client, you'll also have to create instructions for users to add the wireless network to their list of networks. We didn't count that in our time, but our quick cheat sheet would add up to about two pages of instructions. Fortunately, it's a one-time effort, and if you have users already using the Windows wireless client, you've already done about half of the work in getting them set up. For a more elegant solution, you can use a third-party 802.1X and WPA client that lets you easily pre-load profiles.
Most wireless cards include 802.1X capability in their built-in tools, typically using the Meetinghouse Communications Aegis 802.1X client and a vendor-provided configuration GUI. Cisco is one of the few that don't use Meetinghouse, but it does provide its own 802.1X client as part of the Cisco wireless driver kit. The problem with using a third-party client is that not everyone will have the same wireless card, and every vendor makes up its own GUI to drive the 802.1X supplicant configuration. As laptops with built-in wireless approach the 100% mark, you might find that the slightly greater complexity of the built-in Windows client balances out the necessity to maintain instructions for every brand of wireless card anyone has ever bought.
With RADIUS server, access point and client configured, it's time for the smoke
test: Will it work? In our case, the answer was a resounding "no."
We wasted 14 minutes looking for ways to increase the debugging on the built-in
Windows client. Fortunately, looking at the logs on the RADIUS server solved
our problem - we forgot to set up a list of Windows groups that were allowed
to log on. With a few clicks, we were finally up and running with XP. Without
disappointment, you cannot appreciate victory - and we were victorious with
time to spare.
(Stopwatch: 52 minutes)
Tweaks of the trade
Flush with success, we discovered that we had cheated a little bit. It turns
out that the Microsoft 802.1X client wasn't fully configured. As part of our
debugging, we disabled certificate verification, a serious no-no in any 802.1X
environment. When we turned that feature back on, the client behaved erratically.
The laptop we tested had Dell's own wireless configuration tool in it. We were
able to use the Dell-provided version of the Meetinghouse Aegis client to connect
with certificate validation. After finishing the last stage of our speed implementation
of 802.1X, we went back and tested further with the Microsoft built-in client.
Eventually, it started working but the behavior wasn't 100% predictable and
might prove frustrating for some users. You'll have to make your own decision
on the trade-off between the convenience of one client for all Windows users,
whether wireless or wired, vs. the more sophisticated, but every-company-is-different
user interfaces that each wireless card vendor provides.
(Stopwatch: 56 minutes)
A bite of the Apple
With 4 minutes to spare, you might want to tackle Mac clients. Apple included
802.1X capability in the base operating system. The Apple client is even easier
to use than Windows. Selecting our test 802.1X network out of the list of wireless
networks brought up a dialog box asking for a username and password. The OS
X server identified our test wireless network as "WPA Enterprise,"
which is one of the marketing terms for the combination of WPA and 802.1X. The
OS X system then showed us the digital certificate we had received for the RADIUS
server and asked us to approve it. That's a critical step, because if you don't
know what you're connecting to, you're just handing your username and password
over. A few seconds later, we were merrily surfing away - a little tired, a
little wired and very secure.
(Stopwatch: 59 minutes)