Using RADIUS For WLAN Authentication, Part II - Page 2
December 10, 2003
Outsourcing Example: WSC Guard
What's involved in outsourcing 802.1X authentication? We took WSC Guard for a short test drive to get a first-hand look.
A WLAN administrator starts by subscribing to the service and installing WSC Guard software on a Windows XP or 2000 PC connected by Ethernet to the access points (APs). He then launches an "Add AP" wizard that uses ARP and ICMP to locate APs on the local subnet. Only discovered APs can be added to WSC networks, which are named by the administrator. WSC Guard uses whatever management interface the AP offers to push a WSC-defined security policy along with the name of a WSC-hosted RADIUS Server and the shared secret the AP will use with it (see Figure 1).
This step is quick and easy if you're using one of the five APs now supported by WSC. For example, it took a minute to add a Proxim AP-600 running the supported firmware, fresh out of the box. But we spent half an hour adding a Linksys WRT54G, successful only after downgrading our firmware and enabling WAN-side management. Check WSC's list to make sure that your AP(s) and version(s) are supported. The list will grow over time, but WSC will need to run fast to keep pace with new hardware and user interface changes.
Members register themselves on WSC's Web site, creating their own usernames and passwords. The admin uses the same site to configure an Access Control list (ACL) for each WSC network (see Figure 2), adding registered users to the Members list and assigning each a duration. That duration is not a session timeout; it specifies how long the username remains valid. The admin can also add Guest logins and passwords for unregistered users. A network can contain many APs, as long as they share the same SSID, security settings, and ACL.
Both Members and Guests must install WSC Guard software on their Windows XP/2000 PCs to use a WSC-authenticated network. That means downloading a program over a wired or dial-up connection, or getting the 7MB setup program from CD. Once installed, WSC Guard recognizes WSC-protected networks discovered by Windows Zero Config, and offers to automatically configure the card to meet 802.1X/PEAP requirements.
Here again, WSC supports a specific list of 802.11 cards and drivers for each AP. For example, Intel's PRO/Wireless 2100 works with the Proxim AP-600 (WEP) but not with the Linksys WRT54G (WPA). On the other hand, we used a Linksys WPC54G card with both the Proxim and Linksys APs, and WSC automatically adjusted the card's configuration to match each one. Users must first install Microsoft's WPA patch and WPA-capable card drivers to associate with WPA APs. We also found it important not to install Cisco's PEAP, which overwrites Microsoft's PEAP, the one WSC requires.
Whenever the station associates to any AP in the WSC network, 802.1X authentication occurs between the AP and WSC's RADIUS Server. If the RADIUS Server is reachable, the user is prompted for a WSC login and password, and access is granted only to Members and Guests in that network's ACL (see Figure 3).
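The exchange described above, worked through end to end as an added example (this is not WSC Guard's code): the AP builds a RADIUS Access-Request, the server checks the user against an ACL whose entries carry the expiry the admin set as a "duration", and the AP verifies the reply's Response Authenticator before trusting it. To keep the shared-secret handling visible it uses RFC 2865's PAP-style User-Password attribute; the real service runs EAP-PEAP inside RADIUS, which this example does not model. The shared secret, usernames, passwords and clock value are all constructed.

```python
"""RADIUS (RFC 2865) Access-Request / Access-Accept exchange, AP and server side.

Added example, not WSC Guard code. It uses the PAP-style User-Password attribute
so the shared-secret handling is visible; the real service runs EAP-PEAP inside
RADIUS. Secret, users, passwords and clock are constructed values.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2

SECRET = b"example-shared-secret-not-real"  # assumed AP/server shared secret
NOW = 1071014400                            # constructed clock: 2003-12-10 00:00 UTC
# Constructed ACL: username -> (password, expiry). The expiry is the admin's
# "duration": how long the username stays valid at all, not a session timeout.
ACL = {
    b"alice": (b"member-pw", NOW + 30 * 86400),     # member, 30 days left
    b"guest-nov": (b"nov2003", NOW - 10 * 86400),   # guest login that has expired
}


def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16n bytes, XOR each block with MD5(secret + previous block)."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Server side: same key stream, chained on the ciphertext blocks; strips NUL padding."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        prev = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(prev, keystream))
    return out.rstrip(b"\x00")


def _attrs(attrs) -> bytes:
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def encode(code: int, ident: int, authenticator: bytes, attrs) -> bytes:
    body = _attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def decode(pkt: bytes):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if not 20 <= length <= len(pkt):
        raise ValueError("bad RADIUS length")
    attrs, pos = [], 20
    while pos < length:  # TLV walk with bounds checks so a bad length cannot loop or over-read
        if pos + 2 > length or pkt[pos + 1] < 2 or pos + pkt[pos + 1] > length:
            raise ValueError("bad attribute length")
        attrs.append((pkt[pos], pkt[pos + 2:pos + pkt[pos + 1]]))
        pos += pkt[pos + 1]
    return code, ident, pkt[4:20], attrs


def response_authenticator(code, ident, req_auth, attrs, secret) -> bytes:
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = _attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + req_auth + body + secret).digest()


# --- AP (RADIUS client) side ---------------------------------------------------
def build_access_request(ident, user, password, secret):
    req_auth = os.urandom(16)  # must be unpredictable: it keys the password hiding
    attrs = [(USER_NAME, user), (USER_PASSWORD, hide_password(password, secret, req_auth))]
    return encode(ACCESS_REQUEST, ident, req_auth, attrs), req_auth


def verify_response(resp, req_auth, secret) -> int:
    """Reject any reply whose authenticator was not computed with our secret."""
    code, ident, auth, attrs = decode(resp)
    if not hmac.compare_digest(auth, response_authenticator(code, ident, req_auth, attrs, secret)):
        raise ValueError("Response Authenticator mismatch: wrong secret or forged reply")
    return code


# --- RADIUS server side --------------------------------------------------------
def handle_access_request(pkt, secret, acl, now):
    code, ident, req_auth, attrs = decode(pkt)
    a = dict(attrs)
    entry = acl.get(a.get(USER_NAME))
    password = reveal_password(a.get(USER_PASSWORD, b""), secret, req_auth)
    ok = (code == ACCESS_REQUEST and entry is not None
          and hmac.compare_digest(entry[0], password) and now < entry[1])
    reply = ACCESS_ACCEPT if ok else ACCESS_REJECT
    return encode(reply, ident, response_authenticator(reply, ident, req_auth, [], secret), [])


def run_exchange(user, password, now=NOW, ap_secret=SECRET, server_secret=SECRET):
    """One in-process round trip; returns the reply code the AP accepted as genuine."""
    request, req_auth = build_access_request(0x2A, user, password, ap_secret)
    return verify_response(handle_access_request(request, server_secret, ACL, now), req_auth, ap_secret)
```

Two things worth noticing in the code. First, the ACL check is `now < expiry`, so a guest whose duration has run out gets an Access-Reject on the next authentication even though nothing disconnects an already-associated station. Second, everything protecting this exchange is an MD5 construction keyed by the shared secret: a short or guessable secret exposes both the hidden password and the ability to forge Accepts, and nothing here ties a reply to a source address, which is why the AP's verification step and a long random secret matter when the server sits across the Internet.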
A log of access attempts is maintained on the WSC Web site, accessible only by the administrator (see Figure 4). An e-mail alert can be sent to the administrator whenever failed logins exceed a configurable threshold, which may indicate an intrusion attempt. But it could just as well be a user who forgot his password, or a repeat visitor trying a now-expired Guest login. Note that WSC does not kick an active user off your AP when his username is deleted or expires, but the next 802.1X re-authentication will.
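The threshold alert above fires on a count alone, so the administrator still has to tell a forgotten password from a guessing attack. The following added example (not WSC Guard's alert logic) shows the triage an analyst would apply to the access log: it slides a window over the rejects, raises one alert per burst rather than one per failure, and classifies each burst by whether the failures come from a single account, from accounts in a set of expired Guest logins, or from many different accounts. The log format and all of the entries are constructed for illustration; the article does not show WSC's actual log layout.

```python
"""Triage of a failed-login alert from an access log.

Added example, not WSC Guard's alert logic. The log format and entries below
are constructed; the article does not show WSC's actual log layout.
"""
import re
from collections import deque
from datetime import datetime

LINE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<result>ACCEPT|REJECT) "
                  r"user=(?P<user>\S+) ap=(?P<ap>\S+)$")

# Constructed sample: three reject bursts, one per scenario the article mentions.
SAMPLE_LOG = """\
2003-12-10 09:00:05 REJECT user=guest-nov ap=lobby
2003-12-10 09:00:40 REJECT user=guest-nov ap=lobby
2003-12-10 09:01:10 REJECT user=guest-nov ap=lobby
2003-12-10 09:01:55 REJECT user=guest-nov ap=lobby
2003-12-10 10:15:00 REJECT user=bob ap=lab
2003-12-10 10:15:30 REJECT user=bob ap=lab
2003-12-10 10:16:10 REJECT user=bob ap=lab
2003-12-10 10:17:00 ACCEPT user=bob ap=lab
2003-12-10 13:00:00 REJECT user=admin ap=lobby
2003-12-10 13:00:01 REJECT user=root ap=lobby
2003-12-10 13:00:02 REJECT user=alice ap=lobby
2003-12-10 13:00:03 REJECT user=bob ap=lobby
2003-12-10 13:00:04 REJECT user=carol ap=lobby
"""
EXPIRED_GUESTS = {"guest-nov"}  # constructed: Guest logins whose duration has run out


def parse(lines):
    """Yield (timestamp, result, user, ap) for every well-formed line; skip the rest."""
    for line in lines:
        m = LINE.match(line.strip())
        if m:
            yield (datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                   m["result"], m["user"], m["ap"])


def classify(users, expired_guests):
    if users <= expired_guests:
        return "expired_guest"   # repeat visitor using a login that lapsed
    if len(users) == 1:
        return "single_user"     # forgotten password, or a brute force on one account
    return "many_users"          # guessing across accounts: treat as an intrusion attempt


def failed_login_alerts(lines, threshold=3, window_seconds=300, expired_guests=frozenset()):
    """Return one alert dict per burst of >= threshold rejects inside window_seconds."""
    events = sorted(parse(lines))
    accepts = [(ts, user) for ts, res, user, _ in events if res == "ACCEPT"]
    recent, alerts, last_alert = deque(), [], None
    for ts, result, user, ap in events:
        if result != "REJECT":
            continue
        recent.append((ts, user, ap))
        while (ts - recent[0][0]).total_seconds() > window_seconds:
            recent.popleft()
        if len(recent) < threshold:
            continue
        if last_alert and (ts - last_alert).total_seconds() <= window_seconds:
            continue  # already alerted on this burst; do not mail once per failure
        last_alert = ts
        users = {u for _, u, _ in recent}
        kind = classify(users, expired_guests)
        # A single-account burst followed by a success from that account within the
        # window is the "forgot my password" case; leave it in the alert as a hint.
        recovered = kind == "single_user" and any(
            u in users and 0 < (t - ts).total_seconds() <= window_seconds for t, u in accepts)
        alerts.append({"at": ts, "failures": len(recent), "users": sorted(users),
                       "aps": sorted({a for _, _, a in recent}),
                       "span_seconds": (ts - recent[0][0]).total_seconds(),
                       "kind": kind, "recovered": recovered})
    return alerts
```

Run over the sample with a threshold of 3 failures in 5 minutes, the function produces three alerts: the expired-guest burst, bob's single-account burst (marked recovered by his later ACCEPT), and a five-account spray in two seconds that is the only one deserving an intrusion response. The span and distinct-user count are what separate a human retyping a password from a script.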
Reaching WSC's RADIUS Server requires outbound Internet access on the standard RADIUS authentication port (UDP/1812), so the firewall in front of the APs may need a rule permitting that traffic from the APs to WSC's server and the replies back. Keep that rule as narrow as possible: RADIUS over UDP relies on the shared secret alone to protect its messages, so the secret configured on each AP should be long and random. SOHOs with residential broadband must also make sure their provider doesn't block RADIUS, which some providers consider a business-grade protocol. If WSC's RADIUS Server is unreachable during 802.1X (re)authentication, authentication fails. When that happens, the WSC network can "fall back" to 128-bit shared key authentication.
Fallback mode can be initiated manually or automatically from any PC running WSC Guard software, connected by Ethernet to the network's AP(s). For manual fallback, the admin selects from a list of available APs and supplies a secret password (see Figure 5). Alternatively, an agent can monitor RADIUS Server reachability, initiating fallback when loss is detected, restoring 802.1X when connectivity returns. Each PC can run just one agent, which handles fallback for all APs in one network. Configuration commands are sent from the agent PC to all APs, so it's important for that PC to be trusted and continuously connected to Ethernet.
Fallback is important, because you don't want your WLAN to depend on the Internet. However, fallback isn't completely seamless. Users will notice at least brief association loss when fallback occurs, although WSC reconfigures stations to fully automate the switch. When 802.1X is restored, login and password are needed to re-authenticate, requiring user interaction. If your Internet uplink status changes frequently, an offsite RADIUS Server is probably impractical. If you have a solid uplink that loses connectivity once in a blue moon, fallback will be rarely used but invaluable.
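The agent described above has to decide when a lost probe means the uplink is down and when it is just a dropped datagram; the article's warning about frequently changing uplink status is exactly the flapping case. The following added example (not WSC Guard's agent) shows the hysteresis a practitioner would build in: several consecutive misses before switching the APs to fallback, and several consecutive answers before restoring 802.1X, so one lost reply never forces every user through a re-login. The probe is any callable that reports whether the RADIUS server answered a request datagram; an Access-Reject for a dummy user proves reachability as well as an Accept does. The `udp_probe` helper and the probe histories are constructed for illustration and the network helper is not exercised here.

```python
"""Hysteresis for a RADIUS-reachability fallback agent.

Added example, not WSC Guard's agent. udp_probe is a constructed helper (not run
here); simulate() feeds constructed probe histories through the state machine.
"""
import socket
from dataclasses import dataclass, field


def udp_probe(host, port, request, timeout=2.0):
    """Send one RADIUS request datagram and report whether any reply came back.
    Any well-formed Access-Request works as `request`; a Reject still proves
    the server is reachable. Not exercised in this example (no network)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(request, (host, port))
            s.recvfrom(4096)
            return True
        except (socket.timeout, OSError):
            return False


@dataclass
class FallbackAgent:
    fail_threshold: int = 3       # consecutive misses before leaving 802.1X
    recover_threshold: int = 5    # consecutive answers before restoring 802.1X
    state: str = "802.1x"
    fails: int = 0
    oks: int = 0
    transitions: list = field(default_factory=list)

    def observe(self, reachable, now):
        """Feed one probe result; return the mode every AP in the network should be in."""
        if reachable:
            self.fails, self.oks = 0, self.oks + 1
        else:
            self.oks, self.fails = 0, self.fails + 1
        # Counters reset on every opposite result, so only an unbroken run
        # of misses (or answers) moves the state: brief blips are ignored.
        if self.state == "802.1x" and self.fails >= self.fail_threshold:
            self.state = "fallback"
            self.transitions.append((now, "fallback"))
        elif self.state == "fallback" and self.oks >= self.recover_threshold:
            self.state = "802.1x"
            self.transitions.append((now, "802.1x"))
        return self.state


def simulate(results, **thresholds):
    """Run a probe history (one bool per interval) through a fresh agent.
    Returns (final_state, [(interval, new_state), ...])."""
    agent = FallbackAgent(**thresholds)
    for interval, reachable in enumerate(results):
        agent.observe(reachable, interval)
    return agent.state, agent.transitions
```

In production the loop body is `agent.observe(udp_probe(host, 1812, request), time.time())` once per interval, with a config push to all APs only when `observe` returns a different state than last time. The asymmetric thresholds are deliberate: going to fallback quickly limits the outage users see, while restoring 802.1X slowly avoids forcing a re-login on an uplink that is still bouncing.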
A managed service like WSC can help small businesses avoid end-user configuration of 802.1X parameters and offload RADIUS Server needs. Larger businesses may find this one-size-fits-all approach limiting -- for example, inability to pre-register users in batch, leverage Windows logins for single sign-on, or use alternative AP management ports or security parameters. In a large network, an offsite RADIUS Server could also generate plenty of traffic due to periodic 802.1X re-authentications.
If you're thinking of hosting your own RADIUS Server, what will it take to get your server up and running? In the upcoming final chapter of this tutorial, we'll use Funk Odyssey to illustrate the tasks involved in configuring an in-house RADIUS Server.