Vendors hit the 802.1X mark for access, but security holes remain

By Rodney Thayer , Network World , 05/10/2004
InteropNet Labs 2004

While previous iLabs security-based testing focused strictly on how the IEEE 802.1X authentication standard helped lock down wireless LAN connections, this year's testing also spanned the wired world.

The protocol has matured and vendors have expended a great deal of effort on building products - which in this test include client-side software, wireless access points, wired switches and authentication servers - around this standard. However, this year's testing demonstrates that some offerings based on 802.1X still have a way to go before we could recommend them as enterprise-class security products.

The products do implement 802.1X, but in most cases it's going to take a very skilled network technician to configure 802.1X products across any large deployment. It also seems that the attention paid to implementing 802.1X has distracted vendors from addressing other security standards, such as digital certificate processing, management interface security and event logging. These non-802.1X issues could affect 802.1X deployment overall.

Where to begin?

In the 802.1X world, a client is referred to as a supplicant. The device it connects to is an authenticator. Behind the authenticator is an authentication server that maintains a client/server relationship with the authenticator.
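As an added illustration of these three roles (this is not code from the iLabs test or from any vendor named here), the following Python model has the authenticator act purely as a relay: it carries a challenge/response between supplicant and authentication server and opens its controlled port only on an accept. The user database, secrets and helper names are constructed for the example; only the EAPOL and RADIUS message names are taken from the standards.

```python
import hmac, hashlib, os

class AuthServer:
    """RADIUS-style authentication server holding a constructed user database."""
    def __init__(self, users):
        self.users = users  # identity -> shared secret (constructed for this example)
    def access_request(self, identity, challenge, response):
        secret = self.users.get(identity)
        if secret is None:
            return "Access-Reject"
        expected = hmac.new(secret, challenge, hashlib.sha256).digest()
        # Constant-time comparison, as any real server should use.
        return "Access-Accept" if hmac.compare_digest(expected, response) else "Access-Reject"

class Supplicant:
    """Client-side software: answers the challenge with its own secret."""
    def __init__(self, identity, secret):
        self.identity, self.secret = identity, secret
    def eap_response(self, challenge):
        return hmac.new(self.secret, challenge, hashlib.sha256).digest()

class Authenticator:
    """Switch port or access point: the controlled port starts unauthorized."""
    def __init__(self, server):
        self.server = server
        self.port_authorized = False
        self.log = []
    def authenticate(self, supplicant):
        self.log += ["EAPOL-Start", "EAP-Request/Identity"]
        challenge = os.urandom(16)
        response = supplicant.eap_response(challenge)
        # Relay to the authentication server; the authenticator itself holds no secrets.
        result = self.server.access_request(supplicant.identity, challenge, response)
        self.log.append(result)
        self.port_authorized = (result == "Access-Accept")
        return self.port_authorized
    def forward_frame(self, frame):
        """Only EAPOL frames pass an unauthorized port; everything else is dropped."""
        if self.port_authorized or frame.startswith(b"EAPOL"):
            return "forwarded"
        return "dropped"

USERS = {"alice": b"constructed-secret"}  # constructed database

def run_port_test(identity, secret):
    """Authenticate one supplicant and report the RADIUS result plus what happens to a Web request."""
    auth = Authenticator(AuthServer(USERS))
    auth.authenticate(Supplicant(identity, secret))
    return auth.log[-1], auth.forward_frame(b"HTTP GET /")
```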

We used supplicant software running on PCs and Macintosh machines connecting to wireless access points or wired switches, with RADIUS servers providing authentication. The supplicants tested were from Cisco, Funk Software, Meetinghouse Communications, Microsoft and the open source implementation Open1x. Wireless gear vendors represented were Broadcom, Cisco, Extreme Networks, Proxim, Symbol Technologies and Trapeze Networks. Participating wired switch vendors included Cisco, Extreme and HP. Stepping up with 802.1X-compliant RADIUS implementations were Cisco, Infoblox, Funk, Meetinghouse, Microsoft, Radiator, Roving Planet and open source FreeRADIUS.

In last year's testing, we examined the various protocol options for authentication, including Protected Extensible Authentication Protocol (PEAP) and Tunneled Transport Layer Security (TTLS), which use server certificates, and TLS, which uses client and server certificates.

This year we focused on testing typical combinations of the three components (supplicant, authenticator and authentication server) to determine if the various components could authenticate correctly, connect to the network and display a Web page running on a test server.

We concluded that the basic interoperability battles were over. Vendors now are shipping 802.1X-capable devices, in both the wireless and wired cases. Most implementations were able to simply plug in and interoperate. There were certainly some bugs uncovered, such as problems with digital certificates, and problems connecting certain authenticators (switches) to some RADIUS servers, but no more than you'd find in any other new set of products that were thrown together.

Tell me again why I would care now?

We've been reporting on 802.1X as an emerging security technology for three years. But we're arguing that network professionals should pay attention now because:

• Wireless access control. With 802.1X in its current state, we finally are seeing the standards process offer a set of technically sound, secure access control mechanisms. This will continue to improve the options available to control and secure wireless (and wired) networks.

• Strong cryptography standards. 802.1X is part of the IEEE's ongoing activities to make sure that networks can be secured. As 802.11i - which specifies a safer keying mechanism with Temporal Key Integrity Protocol (TKIP) to replace Wired Equivalent Privacy (WEP), and use of Advanced Encryption Standard (AES) for encryption - becomes available, we will finally be able to have authenticated networks that use generally accepted strong cryptographic algorithms.

• Fine-grained LAN access control. The deployment of 802.1X will lay the groundwork for future security mechanisms - like being able to stop denial-of-service attacks by blocking network access, or limiting network access to properly scanned workstations - to control network access on a user-by-user and port-by-port basis. This will mean that in the near future you will be able to better manage network repairs if you have virus or worm outbreaks and have to shut off selected sections of your network.
