802.1X: A stepping stone

As an authentication standard for wired networks, 802.1X has a happy side effect when used with WLANs: It gives you per-user, per-session WEP keys.

While WEP's many other theoretical problems still exist, 802.1X solves the biggest practical issue. No longer does everyone use the same WEP key that can stick around for months or even years. Instead, every connection authenticated with 802.1X gets its own WEP key that can be changed as often as the network professional controlling the WLAN desires.

To continue reading, register here and become an Insider. You'll get free access to premium content from CIO, Computerworld, CSO, InfoWorld, and Network World. See more Insider content or sign in.

As an authentication standard for wired networks, 802.1X has a happy side effect when used with WLANs: It gives you per-user, per-session WEP keys.

While WEP's many other theoretical problems still exist, 802.1X solves the biggest practical issue. No longer does everyone use the same WEP key that can stick around for months or even years. Instead, every connection authenticated with 802.1X gets its own WEP key that can be changed as often as the network professional controlling the WLAN desires.

A second benefit to 802.1X is that you actually know who is on your network. Users have to go through a true authentication dialog. You can use as powerful an authentication method as you need ranging from simple username/password combinations to digital certificates.

With pure 802.1X, the heavy lifting is done on the supplicant (wireless client), with the wireless access point having very little work to do in the process. In the majority of devices we tested, enabling 802.1X at the access point is usually a question of picking one of two options - allow 802.1X or require 802.1X - and then pointing the access point at a RADIUS server that supports 802.1X. Some products are a little more flexible than that. For example, the Trapeze wireless switch lets you use 802.1X for authentication, but also has its own authentication server built into it. This can make deployment much faster, especially if your RADIUS server does not support 802.1X.

Not every wireless vendor is shipping wares with standard 802.1X support (see graphic). For example, the Belkin adapter and access point tested did not support pure 802.1X, but did support 802.1X in combination with WPA. Products from Buffalo Technology and Linksys tested did not support pure 802.1X at all.

Overall, wireless client cards have much broader support for 802.1X than we saw in our earlier testing. In addition to 802.1X support in NICs, Microsoft has built 802.1X authentication into Windows XP, and Apple has provided it in recent versions of Mac OS X.

The difficulty in using 802.1X on a wireless client, whether it's by itself or part of WPA or 802.11i, is in finding a compatible authentication method. While not everyone in the network has to use the same method, they all have to be supported by the RADIUS server you're using.

The only common authentication denominator among the products tested is support for Protected Extensible Authentication Protocol (PEAP) with Challenge Handshake Authentication Protocol (MSCHAPv2), an encrypted authentication method based on Microsoft's challenge/response authentication protocol.