Funk Software and Interlink Networks have each added support for a proposed wireless LAN authentication standard that promises strong mutual authentication without having to distribute and manage certificates for all end users.
Both companies added support for a proposed wireless security protocol, developed by Funk and Certicom, called Tunneled Transport Layer Security (TTLS) to their Remote Authentication Dial-In User Service (RADIUS) authentication server products. Funk this week will announce Steel-Belted Radius/Server Provider Edition 4.0 with support for TTLS. Interlink says it shipped its first wireless LAN authentication server called Secure.XS based on TTLS in the hope that if you build it, the wireless users will come.
Hanging over any deployment of TTLS is the impending arrival of software based on a competing protocol, the Protected Extensible Authentication Protocol (PEAP), which Microsoft and Cisco back. PEAP defines a way for securely transporting authentication data, including passwords, over 802.11 wireless networks.
TTLS and PEAP work within the framework of the broad-based IEEE 802.11 wireless LAN standard for authentication known as 802.1X. PEAP and TTLS each use Transport Layer Security (TLS) - which is often described as a better Secure Sockets Layer - to set up an end-to-end tunnel that carries the user's credentials, such as a password, without requiring a certificate on the client.
"We'll try TTLS because we want to deploy [wireless] LANs securely," says Jay David, manager of network planning and services at the University of Rhode Island in Kingston, which recently installed about 20 Enterasys Networks wireless LAN access points in campus locations for use by students and staff. But David questions whether his allegiance to TTLS will be long-term when Microsoft and Cisco back PEAP in their products.
Very much like TTLS, PEAP runs inside the IEEE 802.1X framework and uses TLS to encrypt the authentication data. TTLS and PEAP are practically indistinguishable, but Microsoft and Cisco are pushing their favored protocol at the IETF in competition with Funk.
"Unfortunately, Funk is fighting an uphill battle with TTLS when you have Cisco and Microsoft backing PEAP," David notes. The University of Rhode Island has to pay to license TTLS client software and ensure it's installed on the user's desktop for secure authentication. But Microsoft, which last month made PEAP available as an add-on for Windows XP, has said it intends to ship PEAP as part of the operating system. That leaves open the possibility that PEAP authentication software could become ubiquitous on the desktop, since Microsoft holds about 95% of the installed base today. That would mean the university wouldn't have to pay for licensing client software down the road.
Still, David says he's willing to try TTLS because it seems the best approach available today and is much easier to use than TLS, another wireless LAN authentication option supported in Funk and Interlink authentication server products. TLS requires that digital certificates be installed on the wireless LAN client.