RELATED ARTICLES
802.1X Port Access Control for WLANs
LEAPing Over Wireless LANs
LWAPP: Standardizing Centralized Wi-Fi Management
Searching for Wi-Fi Security Solutions


80211Planet.com Tutorials


Deploying 802.1X for WLANs: EAP Types
By Lisa Phifer

September 10, 2003

Finding EAP In Products

There are technical differences between EAP-TTLS and PEAP, but the most important difference to organizations deploying 802.1X pertains to product support. EAP-TTLS was originally proposed by Funk Software; PEAP was proposed by Cisco and Microsoft. EAP-TTLS requires installation of third-party "802.1X Supplicant" software, while PEAP requires a recent Windows operating system or service pack. The following table summarizes current support for common EAP types used with wireless LANs.


| | EAP-TLS | EAP-TTLS | PEAP | LEAP |
|---|---|---|---|---|
| RADIUS Server Support | Cisco, FreeRADIUS, Funk, Interlink, Meetinghouse, Microsoft, Radiator | Funk, Interlink, Meetinghouse, Radiator | Cisco, Funk, Interlink, Meetinghouse, Microsoft, Radiator | Cisco, FreeRADIUS, Funk, Interlink, Meetinghouse, Radiator |
| Supplicant Client Support | Cisco, Funk, Meetinghouse, Microsoft, Open1X | Alfa-Ariss, Funk, Meetinghouse, Open1X | Funk, Meetinghouse, Microsoft | Cisco, Funk, Meetinghouse |
| Embedded OS Support | Windows XP/2000/2003 | n/a | Windows XP/2000/2003 | n/a |
| Platforms supported by Third-Party Supplicants | MacOS X, BSD, Linux, Win32 | MacOS X, BSD, Linux, Win32 | Win32 | Win32 |

Clearly, most RADIUS vendors are trying to support as many EAP types as possible to satisfy growing demand. EAP-TLS still has the broadest support, but it's not hard to find commercial servers that support others. The real trick is to make sure that your RADIUS server, access point, and supplicant are compatible: check the versions of 802.1X and EAP supported by all three. In particular, when using PEAP, verify that the authentication method you want to use is uniformly supported, because Cisco and Microsoft have distributed different (incompatible) versions of PEAP.

The most challenging part of deploying 802.1X involves installing and configuring client-side software and user credentials. Here are a few hints:

  • If you use Cisco gear, you'll find that LEAP, EAP-TLS, and PEAP are installed on every station along with Cisco's Aironet Client Utility. Whenever you upgrade Cisco card drivers, you're automatically upgrading 802.1X/EAP support as well.
  • If your desktops and laptops run new Windows operating systems, you'll find EAP-TLS included in every copy of Windows XP and PEAP in XP Service Pack 2. These EAP types are also included in Windows 2000 service packs and ship with Windows 2003. Whenever you run Windows Update on these operating systems, you're also upgrading Microsoft's embedded 802.1X/EAP supplicant.
  • If you use devices that run older/different operating systems and non-Cisco cards, you'll need to find and install third-party supplicant software. As seen above, your RADIUS vendor is a good place to start looking. You'll also want to consider how to upgrade systems in the field once you've deployed this supplicant software.
  • Organizations with heterogeneous networks may want to install the same supplicant on every system (even Windows XP/2000 PCs) to create a uniform environment. Such organizations face a tough decision about when and how to deploy 802.1X, since they must strike a balance between uniform coverage, added security, and software administration costs.

Planning Your 802.1X Rollout

If you're serious about deploying 802.1X, start by deciding how to authenticate WLAN users. Consider your network's existing security policy and user credentials. For example, do you already issue VPN client software and certificates to laptop users? If so, EAP-TLS can reuse those certificates. Do you need to support WLAN access by visitors? If so, you may want password-based authentication -- at least for visitors. In fact, you don't need to pick just one EAP type or authentication method. Most 802.1X-enabled RADIUS servers can support multiple types, and will request configured types in priority order until each station offers up acceptable credentials. Both PEAP and EAP-TTLS can be used with client-side passwords or certificates.

Next, look for products that support 802.1X and your chosen EAP types, starting with your access points. As 'authenticators', the access points play a smaller role than supplicants or authentication servers, but they're a mandatory ingredient. If your access points don't yet support 802.1X interaction with RADIUS servers, then you'll need to upgrade your access point firmware, buy new hardware, or put your 802.1X plans on hold. 802.1X support is common in enterprise-grade access points, but entry-level products sold to residential customers (like those from Linksys or D-Link) don't usually need to interact with RADIUS servers.

Once you've nailed access point support, take a look at your authentication server(s). If existing servers can be upgraded to support 802.1X directly, great. If not, consider installing a new RADIUS server that handles 802.1X and forwards vanilla RADIUS Access Requests to your existing server. This is one way to ease into 802.1X without upsetting your existing infrastructure. When using EAP-TLS, TTLS, or PEAP, you'll also need a digital certificate for your RADIUS server.

Finally, plan supplicant software and user credential rollout to WLAN stations. Most organizations should plan a phased rollout. Reconfigure your access points to allow but not require 802.1X port access control and verify back-end communication between access points and your RADIUS server. Reconfigure a test station to use 802.1X and one of your selected EAP types and watch what happens. Sniffing traffic on both the wireless and wired sides of the access point may be necessary to debug initial authentication problems.
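When you sniff a test station's first 802.1X attempts, the EAP packets show the priority-order negotiation described earlier: the server proposes an EAP type and the station either answers in it or refuses with a Nak that lists what it will accept. The Python sketch below is an added example, not code from the original article; it decodes EAP packets and summarises that negotiation, and the helper names (`eap`, `decode`, `trace`), the capture, and the identity `alice` are all constructed for illustration.

```python
import struct

# EAP codes and the type numbers of the methods this article covers.
CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 13: "EAP-TLS",
         17: "LEAP", 21: "EAP-TTLS", 25: "PEAP"}

def eap(code, ident, eap_type=None, data=b""):
    """Build one EAP packet: code, identifier, length, then type and data."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body

def decode(pkt):
    """Return (code, identifier, type or None, type-data); reject bad lengths."""
    if len(pkt) < 4:
        raise ValueError("truncated EAP header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    has_type = code in (1, 2)          # only Request/Response carry a type
    if not 4 <= length <= len(pkt) or (has_type and length < 5):
        raise ValueError("inconsistent EAP length field")
    return code, ident, pkt[4] if has_type else None, pkt[5:length]

def trace(packets):
    """Summarise which methods were offered, refused and finally used."""
    out = {"offered": [], "refused": [], "peer_wants": [],
           "method": None, "outcome": "incomplete"}
    last_offer = None
    for pkt in packets:
        code, _, typ, data = decode(pkt)
        name = TYPES.get(typ, f"type {typ}")
        if code == 1 and typ > 3:          # server proposes a method
            last_offer = name
            if name not in out["offered"]:
                out["offered"].append(name)
        elif code == 2 and typ == 3:       # Nak: refusal plus alternatives
            out["refused"].append(last_offer)
            out["peer_wants"] = [TYPES.get(t, f"type {t}") for t in data if t]
        elif code == 2 and typ > 3:        # station answers inside the method
            out["method"] = name
        elif code in (3, 4):
            out["outcome"] = CODES[code]
    return out

# Constructed capture: server tries PEAP first, station only accepts EAP-TLS.
CAPTURE = [eap(1, 1, 1), eap(2, 1, 1, b"alice"), eap(1, 2, 25, b"\x20"),
           eap(2, 2, 3, bytes([13])), eap(1, 3, 13, b"\x20"),
           eap(2, 3, 13, b"\x00"), eap(3, 3)]
```

A trace whose `refused` list is non-empty and whose `outcome` is `Failure` points at a server and supplicant with no EAP type in common, which is the compatibility problem to rule out before blaming credentials.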

Once you have verified your 802.1X implementation, begin upgrading user stations incrementally, starting with stations that have the lowest cost of entry and/or the most pressing need for improved WLAN security.

Conclusion

When planning your rollout, keep in mind that EAP types like EAP-TTLS and PEAP are not yet finalized. Additional EAP types are also still being defined, including EAP-SIM (to support GSM devices with SIM cards) and EAP-SecurID (to support two-factor hardware tokens). In fact, both EAP and 802.1X are still being tweaked to overcome issues encountered by early adopters. As these solutions mature, you should anticipate the need to upgrade installed 802.1X/EAP software. To manage this cost, you may want to start with a modest 802.1X rollout. Learn the ropes and get familiar with both the benefits and challenges of 802.1X. Start improving WLAN security with 802.1X today and you'll be better prepared for company-wide deployment in the future.
