802.1X: A stepping stone

As an authentication standard for wired networks, 802.1X has a happy side effect when used with WLANs: It gives you per-user, per-session WEP keys.

As an authentication standard for wired networks, 802.1X has a happy side effect when used with WLANs: It gives you per-user, per-session WEP keys.

While WEP's many other theoretical problems still exist, 802.1X solves the biggest practical issue. No longer does everyone use the same WEP key that can stick around for months or even years. Instead, every connection authenticated with 802.1X gets its own WEP key that can be changed as often as the network professional controlling the WLAN desires.

Cracking the wireless security code

Security picks

What we tested

WEP: Stick a fork in it

WPA - An accident waiting to happen

802.11i: The next big thing

Security standards aside, lock down your boxes, boys!

Wireless Access Point: Wire-side security testing (PDF)

How to do it: Securing your wireless LAN

Tools, not standards, that help tie down wireless nets

Glossary of wireless security terms

Explaining TKIP

How we did it

Archive of Network World reviews

Subscribe to the Product Review newsletter

A second benefit to 802.1X is that you actually know who is on your network. Users have to go through a true authentication dialog. You can use as powerful an authentication method as you need ranging from simple username/password combinations to digital certificates.

With pure 802.1X, the heavy lifting is done on the supplicant (wireless client), with the wireless access point having very little work to do in the process. In the majority of devices we tested, enabling 802.1X at the access point is usually a question of picking one of two options - allow 802.1X or require 802.1X - and then pointing the access point at a RADIUS server that supports 802.1X. Some products are a little more flexible than that. For example, the Trapeze wireless switch lets you use 802.1X for authentication, but also has its own authentication server built into it. This can make deployment much faster, especially if your RADIUS server does not support 802.1X.

Not every wireless vendor is shipping wares with standard 802.1X support (see graphic). For example, the Belkin adapter and access point tested did not support pure 802.1X, but did support 802.1X in combination with WPA. Products from Buffalo Technology and Linksys tested did not support pure 802.1X at all.

Overall, wireless client cards have much broader support for 802.1X than we saw in our earlier testing. In addition to 802.1X support in NICs, Microsoft has built 802.1X authentication into Windows XP, and Apple has provided it in recent versions of Mac OS X.

The difficulty in using 802.1X on a wireless client, whether it's by itself or part of WPA or 802.11i, is in finding a compatible authentication method. While not everyone in the network has to use the same method, they all have to be supported by the RADIUS server you're using.

The only common authentication denominator among the products tested is support for Protected Extensible Authentication Protocol (PEAP) with Challenge Handshake Authentication Protocol (MSCHAPv2), an encrypted authentication method based on Microsoft's challenge/response authentication protocol.

Unfortunately, PEAP/MSCHAPv2 won't work for networks that employ pre-encrypted user passwords. For example, if you keep your passwords on a Unix server in /etc/password format, you can't use MSCHAPv2. The solution is to either use an authentication mechanism such as Tunneled Transport Layer Security/Password Authentication Password (TTLS/PAP) (which works with encrypted passwords), or jump to a different authentication method, for example, digital certificates. Digital certificates are supported by all of the 802.1X clients we tested.

Although TTLS/PAP was not widely supported outside of the 3Com and Apple clients we tested, there are add-ons for Microsoft's Windows clients, such as Funk Software's Odyssey 802.1X client or Meetinghouse Data Communications' Aegis client, which bring that support to the table.

Although 802.1X by itself is pretty secure you get your best wireless security when you combine 802.1X with an encryption system that is stronger than simple WEP. Other security mechanisms - such as WPA and 802.11i - build on 802.1X encryption as one piece of a bigger framework for securing wireless connections.

Learn more about this topic

WLAN testing: Two years' worth of results

Network World.

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.

Copyright © 2004 IDG Communications, Inc.