802.1X: A stepping stone

By Joel Snyder and Rodney Thayer
Network World, 10/04/04

Original Article on Network World Web Site

As an authentication standard for wired networks, 802.1X has a happy side effect when used with WLANs: It gives you per-user, per-session WEP keys.

While WEP's many other theoretical problems still exist, 802.1X solves the biggest practical issue. No longer does everyone use the same WEP key that can stick around for months or even years. Instead, every connection authenticated with 802.1X gets its own WEP key that can be changed as often as the network professional controlling the WLAN desires.

A second benefit to 802.1X is that you actually know who is on your network. Users have to go through a true authentication dialog. You can use as powerful an authentication method as you need ranging from simple username/password combinations to digital certificates.

With pure 802.1X, the heavy lifting is done on the supplicant (wireless client), with the wireless access point having very little work to do in the process. In the majority of devices we tested, enabling 802.1X at the access point is usually a question of picking one of two options - allow 802.1X or require 802.1X - and then pointing the access point at a RADIUS server that supports 802.1X. Some products are a little more flexible than that. For example, the Trapeze wireless switch lets you use 802.1X for authentication, but also has its own authentication server built into it. This can make deployment much faster, especially if your RADIUS server does not support 802.1X.

Not every wireless vendor is shipping wares with standard 802.1X support (see graphic). For example, the Belkin adapter and access point tested did not support pure 802.1X, but did support 802.1X in combination with WPA. Products from Buffalo Technology and Linksys tested did not support pure 802.1X at all.

Overall, wireless client cards have much broader support for 802.1X than we saw in our earlier testing. In addition to 802.1X support in NICs, Microsoft has built 802.1X authentication into Windows XP, and Apple has provided it in recent versions of Mac OS X.

The difficulty in using 802.1X on a wireless client, whether it's by itself or part of WPA or 802.11i, is in finding a compatible authentication method. While not everyone in the network has to use the same method, they all have to be supported by the RADIUS server you're using.

The only common authentication denominator among the products tested is support for Protected Extensible Authentication Protocol (PEAP) with Challenge Handshake Authentication Protocol (MSCHAPv2), an encrypted authentication method based on Microsoft's challenge/response authentication protocol.

Unfortunately, PEAP/MSCHAPv2 won't work for networks that employ pre-encrypted user passwords. For example, if you keep your passwords on a Unix server in /etc/password format, you can't use MSCHAPv2. The solution is to either use an authentication mechanism such as Tunneled Transport Layer Security/Password Authentication Password (TTLS/PAP) (which works with encrypted passwords), or jump to a different authentication method, for example, digital certificates. Digital certificates are supported by all of the 802.1X clients we tested.

Although TTLS/PAP was not widely supported outside of the 3Com and Apple clients we tested, there are add-ons for Microsoft's Windows clients, such as Funk Software's Odyssey 802.1X client or Meetinghouse Data Communications' Aegis client, which bring that support to the table.

Although 802.1X by itself is pretty secure you get your best wireless security when you combine 802.1X with an encryption system that is stronger than simple WEP. Other security mechanisms - such as WPA and 802.11i - build on 802.1X encryption as one piece of a bigger framework for securing wireless connections.