6 secrets to a successful 802.1X rollout

Implementing and supporting 802.1X authentication on your network can be a challenge, but here are some tips that can help save you some time, money, and frustration.

1. Consider a Free or Low-Cost RADIUS Server

For small and midsized networks, you don't have to spend a fortune on a RADIUS (remote authentication dial-in user service) server. First check if your router platform, directory service, or any other server provides RADIUS/AAA (authentication, authorization, accounting) for you already. For example, if you're running an Active Directory domain with a Windows Server, look into the Internet Authentication Service (IAS) component of Windows Server 2003 R2 and earlier or the Network Policy Server (NPS) component of Windows Server 2008 and later.

If your current servers don't provide RADIUS functionality, there are still many free and low-cost servers out there:

FreeRADIUS is totally free, open source, and can run on Linux and other Unix-like operating systems. It can serve anywhere from a dozen to millions of users and requests. By default, FreeRADIUS has a command-line interface and setting changes are made via editing configuration files. The configuration is highly customizable and because it's open source you can even make code changes to the software.

TekRADIUS is released as a shareware server, runs on Windows and offers a GUI. Basic features are free, while other versions can be purchased for features like EAP-TLS and dynamic self-signed certificate creation for protected extensible authentication protocol (PEAP) sessions, VoIP billing, and other enterprise features.

Two commercial products that are fairly low-cost include ClearBox and Elektron, both run on Windows and offer a 30-day free trial.

Some access points even have embedded RADIUS servers, great for smaller networks. For example, the HP ProCurve 530 or the ZyXEL NWA-3500, NWA3166 or NWA3160-N.

There are also cloud-based services, like AuthenticateMyWiFi, that provide hosted RADIUS servers for 802.1X, great for those that don't want to invest the time and resources in setting up their own.

2. Deploy 802.1X for the Wired Side, Too

You may have decided to implement 802.1X authentication just so you can better secure your wireless LAN with the Enterprise mode of Wi-Fi Protected Access (WPA or WPA2) security. But consider deploying 802.1X authentication on the wired side of the network too. It wouldn't provide encryption for the wired connections (look into IPsec, or MACsec/IEEE 802.1AE on switches that support it, for that), but it would require anyone plugging into an Ethernet port to authenticate before they are given network access.

3. Purchase a Digital Certificate for Eased Deployment

If you use PEAP as the EAP type for 802.1X, the RADIUS server still needs a digital certificate. The client uses it to validate the server before sending its credentials inside the TLS tunnel; that validation is optional on the client side but vital, because it is what prevents man-in-the-middle attacks.

You can issue the certificate from your own (private) Certificate Authority, but then the root certificate of that Certificate Authority must be loaded on the end-user computers and devices for them to perform the server validation.

You can usually distribute the root certificates of Certificate Authorities to managed computers, such as via Group Policy if you're running Active Directory with Windows Server 2003 or later. However, for non-domain and bring your own device (BYOD) environments, the certificate must be manually installed or distributed another way.

You can alternatively purchase a digital certificate for your RADIUS server from a third-party Certificate Authority (like VeriSign, Comodo, or GoDaddy) that's already trusted by Windows and other operating systems, so you wouldn't have to worry about distributing the root Certificate Authority certificate to most computers and devices. Keep in mind that a public Certificate Authority will issue a certificate to anyone who controls a domain, so with this approach it is essential that clients also check the server name on the certificate (see tip 5); trusting the public root alone would let an attacker's RADIUS server pass validation with a certificate bought from the same Certificate Authority.

4. Distribute Settings to Non-Domain Devices

If you run an Active Directory domain with Windows Server 2003 or later you can usually distribute the network settings (including 802.1X and any digital certificates) via Group Policy to Windows XP and later machines joined on the domain. But for those not on the domain, like user-owned laptops, smartphones, and tablets, there are other distribution solutions you could consider in addition to manual user configuration.

Keep in mind you want to distribute three key things: the root certificate of the Certificate Authority used by your RADIUS server, user certificates if using EAP-TLS, and the network and 802.1X settings.

There's the free SU1X 802.1X Configuration Deployment Tool you can use for Windows XP (SP3), Vista and Windows 7. You enter your settings and preferences, capture your network information from a PC already set up with the network, and the tool then creates a wizard users can run on their computers to automatically configure the network and other settings for them.

It supports the distribution of the root Certificate Authority certificate and the network and 802.1X settings. Additionally, you can configure it to add/remove other network profiles, change network priorities, and turn on NAP/SoH. It can even configure automatic or manual proxy server settings for Internet Explorer and Firefox and add/remove networked printers.

Commercial options you might consider for 802.1X configuration deployment are XpressConnect, ClearPass QuickConnect, and ClearPass Onboard.

XpressConnect supports the distribution of the root Certificate Authority and any user certificate and the network and 802.1X (PEAP, TLS, and TTLS [tunneled transport layer security]) settings on Windows, Mac OS X, Linux, Android, and iOS devices. For TTLS, it also supports the installation of the SecureW2 TTLS supplicant. XpressConnect is a cloud-based solution where you define your network settings on a web console and then it creates a wizard you can distribute to users.

ClearPass QuickConnect and ClearPass Onboard both support the distribution of the root Certificate Authority and the network and 802.1X (PEAP, TLS, and TTLS) settings on Windows, Mac OS X, Android, and iOS devices. ClearPass QuickConnect is a cloud-based service and doesn't support distributing user certificates. ClearPass Onboard is a software module for the ClearPass Policy Manager platform and does support distributing user certificates.

There are also specific solutions for some mobile operating systems you can use for distributing 802.1X and other network settings, such as the iPhone Configuration Utility for iOS or the BlackBerry Enterprise Server Express for BlackBerry devices.

5. Secure the 802.1X Client Settings

802.1X can be prone to man-in-the-middle attacks. For example, an attacker could set up a duplicate Wi-Fi signal backed by a modified RADIUS server (such as one built with the FreeRADIUS-WPE patch) and try to get users to connect, in order to capture their login credentials; with PEAP/MS-CHAPv2 the captured challenge/response can then be cracked offline. You can prevent this type of attack by securely configuring the client computers and devices so they refuse to talk to a server they can't validate.

In Windows, there are three key settings you should verify that are enabled/configured in the EAP properties:

• Validate server certificate: Should be enabled, and the Certificate Authority used by your RADIUS server should be selected from the list box. This ensures that the RADIUS server behind the network the user connects to presents a server certificate issued by the Certificate Authority you use, and not merely by any Certificate Authority in the machine's trusted store.

• Connect to these servers: Should be enabled and the domain(s) listed on the certificate of your RADIUS server should be entered. This ensures the client only communicates with RADIUS servers that are loaded with a server certificate designated with your domain.

• Do not prompt user to authorize new servers or trusted certification authorities: Should be enabled to automatically reject unknown RADIUS servers, rather than prompt users with the ability to accept and connect.

In Windows Vista and later, the first two settings should be automatically enabled and configured the first time a user logs in. However, the last setting must be enabled manually, or via Group Policy or another distribution method. In Windows XP, the user must manually configure all three settings, or again you can use Group Policy or another distribution method.
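The three settings above live in the profile XML that `netsh wlan export profile` writes, so you can audit exported profiles instead of clicking through each machine's dialogs. The following is an added example written for this article (not code from the original, from Microsoft or from any tool named above). It checks a PEAP profile for the three settings and produces a hardened copy. The profile XML is a constructed, trimmed imitation of an exported profile; the SSID, server name and CA thumbprint are made-up placeholders, and the element names used for the checks are those Windows writes for PEAP.

```python
"""Audit an exported Windows WLAN profile for the three PEAP settings above:
validate the server certificate against a chosen root CA, connect only to the
named RADIUS server(s), and never prompt the user to trust a new server.

Added example, not code from the original article. The XML is a constructed,
trimmed imitation of what `netsh wlan export profile` writes for a PEAP
network; the SSID, server name and CA thumbprint are made-up placeholders.
"""
import xml.etree.ElementTree as ET

NS_PEAP_V2 = "http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2"

# Constructed sample: a PEAP profile left at Windows' permissive defaults.
WEAK_PROFILE = """<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>CorpWiFi</name>
  <MSM><security>
    <OneX xmlns="http://www.microsoft.com/networking/OneX/v1"><EAPConfig>
    <EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
      <Config>
        <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
          <Type>25</Type>
          <EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
            <ServerValidation>
              <DisableUserPromptForServerValidation>false</DisableUserPromptForServerValidation>
              <ServerNames></ServerNames>
            </ServerValidation>
            <PeapExtensions>
              <PerformServerValidation xmlns="%s">false</PerformServerValidation>
            </PeapExtensions>
          </EapType>
        </Eap>
      </Config>
    </EapHostConfig>
    </EAPConfig></OneX>
  </security></MSM>
</WLANProfile>
""" % NS_PEAP_V2


def _local(tag):
    """Strip the {namespace} prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def _find(root, name):
    """First element with this local name, whatever namespace it sits in."""
    return next((el for el in root.iter() if _local(el.tag) == name), None)


def _text(el):
    return (el.text or "").strip().lower() if el is not None else ""


def audit_profile(xml_text):
    """Return a list of findings; an empty list means all three settings are enforced."""
    root = ET.fromstring(xml_text)
    findings = []
    if _text(_find(root, "PerformServerValidation")) != "true":
        findings.append("Validate server certificate is off: any RADIUS server is accepted")
    if not _text(_find(root, "TrustedRootCA")):
        findings.append("no root CA selected: any CA in the machine's trusted store is accepted")
    if not _text(_find(root, "ServerNames")):
        findings.append("Connect to these servers is empty: any name on the certificate is accepted")
    if _text(_find(root, "DisableUserPromptForServerValidation")) != "true":
        findings.append("user will be prompted to accept unknown servers instead of being refused")
    return findings


def _set(root, parent_name, name, value, ns=None):
    """Set (creating if absent) a child element's text under the named parent."""
    parent = _find(root, parent_name)
    child = next((c for c in parent if _local(c.tag) == name), None)
    if child is None:
        prefix = ("{%s}" % ns) if ns else parent.tag[: parent.tag.find("}") + 1]
        child = ET.SubElement(parent, prefix + name)
    child.text = value


def harden_profile(xml_text, server_names, ca_thumbprint):
    """Return a copy of the profile with all three settings enforced."""
    root = ET.fromstring(xml_text)
    _set(root, "PeapExtensions", "PerformServerValidation", "true", ns=NS_PEAP_V2)
    _set(root, "ServerValidation", "DisableUserPromptForServerValidation", "true")
    _set(root, "ServerValidation", "ServerNames", server_names)
    _set(root, "ServerValidation", "TrustedRootCA", ca_thumbprint)  # SHA-1 thumbprint of the root CA
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("weak profile:", audit_profile(WEAK_PROFILE))
    # Made-up placeholder thumbprint; use your own root CA's SHA-1 hash.
    fixed = harden_profile(WEAK_PROFILE, "radius.example.com",
                           "00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 00 11 22 33")
    print("hardened profile:", audit_profile(fixed))
```

The weak profile yields four findings; the hardened copy yields none, and can be pushed back with `netsh wlan add profile`. Run the audit over profiles exported from a few machines before a rollout and you will see immediately which ones would still accept a rogue server.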

For mobile devices, the exact 802.1X settings differ between the mobile operating systems. For example, Android offers only basic 802.1X settings, with the optional ability to install and select the root Certificate Authority certificate of your RADIUS server so it can perform the server validation. iOS also lets you specify the certificate/domain name and ignore other certificates, which strengthens the server validation.

6. Secure the RADIUS Server

Don't forget about the security of the RADIUS server as well, as it's the one responsible for handling the authentication. Consider dedicating a separate server to just the RADIUS role, restrict its firewall to RADIUS traffic (UDP 1812/1813, or the legacy 1645/1646) from the addresses of your NAS devices, and use encrypted links for any database connections the RADIUS server makes to another server.

When generating the shared secrets that you'll input into the NAS (network access server) client list or database of the RADIUS server, use a unique, strong secret for each NAS. Since users don't have to know or remember them, go very long and complex. Keep in mind, most RADIUS servers and NAS devices support up to 32 characters for the shared secret, and never leave a vendor default in place.
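An added example for this article (not FreeRADIUS's own code) that does two things with the advice above: it generates 32-character shared secrets from the OS random generator, and it audits a FreeRADIUS-style `clients.conf` for the problems that actually show up in practice (the shipped default `testing123`, short secrets, and one secret reused across several NAS devices). The `clients.conf` text is a constructed sample with made-up names and addresses; the 16-character floor and the list of known defaults are assumed local policy.

```python
"""Generate strong RADIUS shared secrets and audit a FreeRADIUS clients.conf
for weak or reused ones.

Added example for this article, not FreeRADIUS's own code. The clients.conf
text below is a constructed sample; host names and addresses are made up.
testing123 is the secret FreeRADIUS ships in its default clients.conf.
"""
import math
import re
import secrets
import string

# Characters that need no escaping inside a double-quoted clients.conf value.
SECRET_ALPHABET = string.ascii_letters + string.digits + "-_.~!+=:,"
MAX_SECRET_LEN = 32          # common NAS/server limit, as noted in the text above
MIN_SECRET_LEN = 16          # assumed local policy floor
KNOWN_DEFAULTS = {"testing123", "secret", "password", "radius"}   # assumed list

# Constructed sample: the shipped localhost secret reused on a switch, plus a short one.
SAMPLE_CLIENTS_CONF = """\
client localhost {
    ipaddr = 127.0.0.1
    secret = testing123
}
client core-switch {
    ipaddr = 10.0.0.5
    secret = testing123
}
client wlan-controller {
    ipaddr = 10.0.0.6
    secret = "Zq7!pLm3"
}
"""

CLIENT_RE = re.compile(r"client\s+(\S+)\s*\{(.*?)\}", re.S)
ATTR_RE = re.compile(r'^\s*(\w+)\s*=\s*"?([^"\n]*?)"?\s*$', re.M)


def parse_clients(text):
    """Return {client_name: {attribute: value}} for each client block."""
    return {m.group(1): dict(ATTR_RE.findall(m.group(2)))
            for m in CLIENT_RE.finditer(text)}


def audit_clients(text):
    """Return (client, problem) tuples for every weak or reused shared secret."""
    findings = []
    seen = {}                      # secret -> first client that used it
    for name, attrs in parse_clients(text).items():
        secret = attrs.get("secret", "")
        if not secret:
            findings.append((name, "no shared secret configured"))
            continue
        if secret in KNOWN_DEFAULTS:
            findings.append((name, "uses a well-known default secret"))
        if len(secret) < MIN_SECRET_LEN:
            findings.append((name, "secret shorter than %d characters" % MIN_SECRET_LEN))
        if secret in seen:
            findings.append((name, "secret reused from client %s" % seen[secret]))
        else:
            seen[secret] = name
    return findings


def new_secret(length=MAX_SECRET_LEN):
    """Random secret from SECRET_ALPHABET, drawn from the OS CSPRNG."""
    if not 1 <= length <= MAX_SECRET_LEN:
        raise ValueError("length must be between 1 and %d" % MAX_SECRET_LEN)
    return "".join(secrets.choice(SECRET_ALPHABET) for _ in range(length))


def secret_entropy_bits(length=MAX_SECRET_LEN):
    """Entropy of a new_secret() of this length, in bits."""
    return length * math.log2(len(SECRET_ALPHABET))


def client_stanza(name, ipaddr, secret=None):
    """Render a clients.conf block; the secret is quoted so any alphabet char is safe."""
    secret = secret or new_secret()
    return 'client %s {\n    ipaddr = %s\n    secret = "%s"\n}\n' % (name, ipaddr, secret)


if __name__ == "__main__":
    for client, problem in audit_clients(SAMPLE_CLIENTS_CONF):
        print("%-16s %s" % (client, problem))
    print("\n%.0f bits per fresh secret\n" % secret_entropy_bits())
    print(client_stanza("edge-switch", "10.0.0.7"))   # made-up NAS
```

The audit flags six problems in the sample: both `testing123` entries are a known default and too short, `core-switch` additionally reuses `localhost`'s secret, and the controller's eight-character secret is too short. A fresh 32-character secret from this alphabet carries roughly 197 bits of entropy, which is far more than any online guess against a NAS will ever test.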

Because a rogue access point can capture the user's PEAP/MS-CHAPv2 exchange for offline cracking, user passwords need to be strong as well. If you have a directory service like Active Directory, enforce password policies so they're complex enough and changed periodically.

Summary

Remember, consider 802.1X for both the wired and wireless portions of your network. Check whether you already have RADIUS capability before looking for a server, and then consider free or low-cost servers. For eased deployment, consider purchasing the server's digital certificate from a third-party Certificate Authority. Consider a solution to help automate the configuration of non-domain computers and devices. Last, but not least, ensure your 802.1X server and client settings are securely configured.

Eric Geier is a freelance tech writer. He's also the founder of NoWiresSecurity, which provides cloud-based RADIUS and 802.1X security, and On Spot Techs, which provides on-site computer services.

Copyright © 2012 IDG Communications, Inc.
