We tested wireless 802.1x and LEAP with an Aironet 350 series card, Cisco 1200 series access point and Funk's Steel-Belted RADIUS server. To configure LEAP in the Cisco 1200, we had to specify the port the RADIUS server would use as well as the key the two devices shared. We also had to enable the EAP option.
The RADIUS server, meanwhile, required that the Cisco AP be added as a client. We also had to specify the shared RADIUS key and the users needing authentication. To enable LEAP for the users, we modified the "eap.ini" file of the RADIUS server.
On the client, we selected the LEAP security option and entered the correct user name and password to securely connect to the network. LEAP is relatively easy to configure compared with some other complex authentication mechanisms that use certificates.
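The shared RADIUS key configured on both the access point and the RADIUS server is what lets each side check that the other's packets are genuine. The following Python script is an added example, not code from the article or from Cisco or Funk: it models the RFC 2865 Response Authenticator (MD5 over the reply plus the secret, checked by the access point) and the RFC 3579 Message-Authenticator (HMAC-MD5 keyed with the secret, required on any RADIUS packet carrying EAP) on constructed packets. The user name `jdoe`, the secrets and the EAP payloads are constructed sample values; the function names are this example's own.

```python
"""Constructed model of the RADIUS shared-secret checks used around an EAP exchange."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTHENTICATOR = 1, 79, 80
HEADER_LEN = 20  # code, identifier, length, 16-byte authenticator


def encode_attrs(attrs):
    """Serialise (type, value) pairs as RADIUS TLVs: type, total length, value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(body):
    """Return (offset, type, value) triples for the attribute section."""
    out, pos = [], 0
    while pos < len(body):
        t, length = struct.unpack_from("!BB", body, pos)
        if length < 2 or pos + length > len(body):
            raise ValueError("malformed attribute")
        out.append((pos, t, body[pos + 2:pos + length]))
        pos += length
    return out


def build_packet(code, identifier, authenticator, attrs, secret):
    """Build a packet whose Message-Authenticator is HMAC-MD5 keyed with the shared secret."""
    # RFC 3579: the HMAC is computed with the Message-Authenticator value set to 16 zero bytes.
    body = encode_attrs(attrs + [(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)])
    header = struct.pack("!BBH", code, identifier, HEADER_LEN + len(body)) + authenticator
    mac = hmac.new(secret, header + body, hashlib.md5).digest()
    return header + encode_attrs(attrs + [(ATTR_MESSAGE_AUTHENTICATOR, mac)])


def build_access_request(identifier, attrs, secret):
    """Access-Request as the access point (NAS) sends it; fresh random Request Authenticator."""
    return build_packet(ACCESS_REQUEST, identifier, os.urandom(16), attrs, secret)


def build_response(code, request, attrs, secret):
    """Server reply to `request`: Message-Authenticator first, then the Response Authenticator."""
    identifier, request_auth = request[1], request[4:20]
    pkt = build_packet(code, identifier, request_auth, attrs, secret)
    # RFC 2865 s3: ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    response_auth = hashlib.md5(pkt + secret).digest()
    return pkt[:4] + response_auth + pkt[HEADER_LEN:]


def verify_message_authenticator(packet, secret, request_auth=None):
    """Recompute the HMAC-MD5 Message-Authenticator; a mismatched shared secret fails here."""
    header, body = packet[:HEADER_LEN], packet[HEADER_LEN:]
    if request_auth is not None:  # replies are keyed over the original Request Authenticator
        header = header[:4] + request_auth
    for off, t, value in decode_attrs(body):
        if t == ATTR_MESSAGE_AUTHENTICATOR:
            zeroed = body[:off + 2] + b"\x00" * 16 + body[off + 18:]
            expected = hmac.new(secret, header + zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, value)
    return False  # RFC 3579: an EAP-carrying packet without this attribute is discarded


def verify_response(response, request, secret):
    """What the access point checks before trusting an Access-Accept from the server."""
    request_auth = request[4:20]
    expected = hashlib.md5(response[:4] + request_auth + response[HEADER_LEN:] + secret).digest()
    return (response[1] == request[1]
            and hmac.compare_digest(expected, response[4:20])
            and verify_message_authenticator(response, secret, request_auth))


def demo(ap_secret, server_secret):
    """Run one request/accept round; return (server accepted request, AP accepted reply)."""
    eap_identity = b"\x02\x01\x00\x09\x01jdoe"  # constructed EAP Response/Identity for "jdoe"
    request = build_access_request(7, [(ATTR_USER_NAME, b"jdoe"),
                                       (ATTR_EAP_MESSAGE, eap_identity)], ap_secret)
    if not verify_message_authenticator(request, server_secret):
        return False, False  # server silently drops the request; no reply is ever sent
    eap_success = b"\x03\x01\x00\x04"  # constructed EAP Success
    response = build_response(ACCESS_ACCEPT, request, [(ATTR_EAP_MESSAGE, eap_success)], server_secret)
    return True, verify_response(response, request, ap_secret)


if __name__ == "__main__":
    print("matching secrets:", demo(b"s3cret", b"s3cret"))
    print("mismatched secrets:", demo(b"s3cret", b"wrong-key"))
```

With matching secrets both checks pass; with a typo in either device's copy of the key, the server discards the request, which is the "no reply from RADIUS" symptom seen during setup rather than an explicit reject. The Response Authenticator also binds the reply to the request's random authenticator, so a forged or replayed Access-Accept without the secret fails the access point's check.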
To test the EAP-TLS piece of 802.1x, we used a Windows 2000 Advanced Server running Microsoft's Internet Authentication Service for RADIUS authentication and Active Directory for the user database. EAP-TLS uses digital certificates for mutual authentication, so we tapped our existing certificate-authority infrastructure in the Syracuse lab. If you don't have a CA in place, you can get certificates from VeriSign or another third-party vendor. The trade-off with digital certificates is that they incur overhead: you have to issue and manage them, and revoke a certificate if it becomes necessary to block a user's access. But since certificates are more secure than passwords, they're worth a little extra work.
With this setup, the RADIUS server sends its digital certificate to the XP client. The client then checks the issuer of the certificate and its contents, and then sends its own certificate to the RADIUS server. The RADIUS server performs the same verification procedure, verifying the issuer and contents of the certificate. In the end, the client receives a successful authentication message, and the client and server get the dynamic key.
Taking the LEAP
Cisco, meanwhile, isn't banking completely on LEAP as its authentication method. Along with Microsoft and RSA Security, Cisco has developed PEAP, an open standard. It's already available commercially: Cisco has PEAP built into its client, and Funk's Odyssey client 2.0 also supports it. Microsoft's Windows XP with SP1 or above includes support for PEAP, and Microsoft offers a free download of the 802.1x authentication client with PEAP for Windows 2000. You can get 802.1x clients for Windows 98 and NT 4.0 through Microsoft's Premier and Alliance support contracts.
We also tested PEAP for 802.1x using a Windows XP client and a Windows 2000 Advanced Server-based RADIUS server. The Windows XP client with SP1 supports PEAP with the MS-CHAPv2 algorithm, which is password-based and uses a combination of MD4, SHA-1 (Secure Hash Algorithm) and DES (Data Encryption Standard) algorithms. You must enable EAP authentication when MS-CHAPv2 support is active. The TLS channel then encrypts the entire exchange procedure, and the RADIUS server and client exchange MS-CHAPv2 challenge request/responses to authenticate one another. If you use EAP-TLS with PEAP in your 802.1x implementation, both your server and client will need certificates, making it a more complex but stronger implementation than PEAP with EAP-MS-CHAPv2.
TTLS, developed by Funk and Certicom Corp., meanwhile, is an extension of TLS that eliminates the need for client-side certificates. TTLS clients are available for Linux, Mac OS X, Windows 95/98/Me/2000/NT/XP and Pocket PC OSs. We ran Funk's TTLS-based Odyssey server on a Windows 2000 Advanced Server, a Cisco 1200 series AP and a Windows 2000 laptop with the Odyssey client 2.0. We created a certificate authority using the Odyssey tools. It was easy to configure the Odyssey server: We added the access point and specified the users in the database plus a few RADIUS settings. The Odyssey client lets you select the authentication mechanism and the inner authentication protocol for TTLS.
X Games
The 802.1x standard will be a big part of the upcoming wireless security 802.11i specification, with its strong authentication and key distribution and rotation approach. With the 802.11i standard awaiting final approval, the Wi-Fi Alliance came up with an interim security standard, Wi-Fi Protected Access (WPA), that also uses the 802.1x framework for authentication. It requires a simple firmware update for the wireless devices, plus it's compatible with the upcoming 802.11i standard.
On the wired side, most users working from home use VPN sessions to reach the corporate network. VPNs and 802.1x are a good combination: With 802.1x, firewalls and IPsec-based VPN security are more effective against targeted attacks. Although 802.1x still faces stiff competition from well-entrenched third-party vendor security products such as Bluesocket and ReefEdge, it just may emerge as the safest and simplest way for users to securely access network resources.
Dilip Advani is a research associate at Syracuse University's Center for Emerging Network Technologies. He has worked as a network engineer and a telecommunications consultant. Write to him at dadvani@nwc.com.