
6 secrets to a successful 802.1X rollout

By Eric Geier, Network World
June 11, 2012 07:05 AM ET

Network World - Implementing and supporting 802.1X authentication on your network can be a challenge, but here are some tips that can help save you some time, money, and frustration.

1. Consider a Free or Low-Cost RADIUS Server

For small and midsized networks, you don't have to spend a fortune on a RADIUS (remote authentication dial-in user service) server. First check if your router platform, directory service, or any other server provides RADIUS/AAA (authentication, authorization, accounting) for you already. For example, if you're running an Active Directory domain with a Windows Server, look into the Internet Authentication Service (IAS) component of Windows Server 2003 R2 and earlier or the Network Policy Server (NPS) component of Windows Server 2008 and later.

If your current servers don't provide RADIUS functionality, there are still many free and low-cost servers out there:

FreeRADIUS is totally free, open source, and can run on Linux and other Unix-like operating systems. It can serve anywhere from a dozen to millions of users and requests. By default, FreeRADIUS has a command-line interface, and settings are changed by editing configuration files. The configuration is highly customizable, and because it's open source you can even make code changes to the software.

TekRADIUS is released as a shareware server, runs on Windows and offers a GUI. Basic features are free, while other versions can be purchased for features like EAP-TLS and dynamic self-signed certificate creation for protected extensible authentication protocol (PEAP) sessions, VoIP billing, and other enterprise features.

Two fairly low-cost commercial products are ClearBox and Elektron; both run on Windows and offer a 30-day free trial.

Some access points even have embedded RADIUS servers, which is great for smaller networks. Examples include the HP ProCurve 530 and the ZyXEL NWA-3500, NWA3166 or NWA3160-N.

There are also cloud-based services, like AuthenticateMyWiFi, that provide hosted RADIUS servers for 802.1X, great for those who don't want to invest the time and resources in setting up their own.

2. Deploy 802.1X for the Wired Side, Too

You may have decided to implement 802.1X authentication just so you can better secure your wireless LAN with the Enterprise mode of Wi-Fi Protected Access (WPA or WPA2) security. But also consider deploying 802.1X authentication for the wired side of the network too. Though it wouldn't provide encryption for the wired connections (look into IPsec for that), it would require authentication for those plugging into the Ethernet before they are given network access.

3. Purchase a Digital Certificate for Eased Deployment

If you're using PEAP as the EAP type for 802.1X, you still have to load the RADIUS server with a digital certificate for the optional but vital server validation that end-user clients perform before authenticating. This helps prevent man-in-the-middle attacks.
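
What that server validation looks like on the client side, as an added example that is not from the original article: a Python check that reads a wpa_supplicant configuration and reports PEAP profiles that skip or weaken validation of the RADIUS server certificate. The choice of wpa_supplicant as the client is an assumption, and SAMPLE_CONF with its SSIDs, paths and host names is constructed and trimmed to the relevant keys.

```python
# SAMPLE_CONF is constructed for illustration; SSIDs, paths and names are placeholders.
SAMPLE_CONF = """
network={
    ssid="corp-novalidation"
    eap=PEAP
}
network={
    ssid="corp-ca-only"
    eap=PEAP
    ca_cert="/etc/ssl/certs/example-ca.pem"
}
network={
    ssid="corp-validated"
    eap=PEAP
    ca_cert="/etc/ssl/certs/example-ca.pem"
    domain_suffix_match="radius.example.com"
}
"""
NAME_CHECKS = ("domain_suffix_match", "domain_match", "altsubject_match", "subject_match")

def parse_networks(conf):
    """Return one {key: value} dict per network={...} block."""
    networks, current = [], None
    for raw in conf.splitlines():
        line = raw.strip()
        if line.startswith("network={"):
            current = {}
        elif line == "}" and current is not None:
            networks.append(current)
            current = None
        elif current is not None and "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip().strip('"')
    return networks

def audit(conf):
    """Return (ssid, issue) for each PEAP profile with weak or absent server validation."""
    findings = []
    for net in parse_networks(conf):
        if "PEAP" not in net.get("eap", "").upper().split():
            continue
        if not (net.get("ca_cert") or net.get("ca_path")):
            findings.append((net.get("ssid"), "no CA configured: server certificate is not verified"))
        elif not any(net.get(k) for k in NAME_CHECKS):
            findings.append((net.get("ssid"), "CA set but no server name check"))
    return findings

for ssid, issue in audit(SAMPLE_CONF):
    print(f"{ssid}: {issue}")
```

The CA-only finding matters most when the RADIUS certificate comes from a public CA: that CA issues certificates to many parties, so the profile should also check the server's name.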
