www.wi-fiplanet.com/tutorials/article.php/3075481
September 10, 2003

Finding EAP In Products

There are technical differences between EAP-TTLS and PEAP, but the most important difference to organizations deploying 802.1X pertains to product support. EAP-TTLS was originally proposed by Funk Software; PEAP was proposed by Cisco and Microsoft. EAP-TTLS requires installation of third-party "802.1X Supplicant" software, while PEAP requires a recent Windows operating system or service pack. The following table summarizes current support for common EAP types used with wireless LANs.
Clearly, most RADIUS vendors are trying to support as many EAP types as possible to satisfy growing demand. EAP-TLS still has the broadest support, but it's not hard to find commercial servers that support others. The real trick is to make sure that your RADIUS server, access point, and supplicant are compatible: check the versions of 802.1X and EAP supported by all three. In particular, when using PEAP, verify that the authentication method you want to use is uniformly supported, because Cisco and Microsoft have distributed different (incompatible) versions of PEAP. The most challenging part of deploying 802.1X involves installing and configuring client-side software and user credentials. Here are a few hints:
Planning Your 802.1X Rollout

If you're serious about deploying 802.1X, start by deciding how to authenticate WLAN users. Consider your network's existing security policy and user credentials. For example, do you already issue VPN client software and certificates to laptop users? If so, EAP-TLS can reuse those certificates. Do you need to support WLAN access by visitors? If so, you may want password-based authentication -- at least for visitors. In fact, you don't need to pick just one EAP type or authentication method. Most 802.1X-enabled RADIUS servers can support multiple types, and will request configured types in priority order until each station offers up acceptable credentials. Both PEAP and EAP-TTLS can be used with client-side passwords or certificates.

Next, look for products that support 802.1X and your chosen EAP types, starting with your access points. The access points as 'authenticators' play a smaller role than supplicants or authentication servers, but they're a mandatory ingredient. If your access points don't yet support 802.1X interaction with RADIUS servers, then you'll need to upgrade your access point firmware, buy new hardware, or put your 802.1X plans on hold. 802.1X support is common in enterprise-grade access points, but entry-level products sold to residential customers (like those from Linksys or D-Link) don't usually need to interact with RADIUS servers.

Once you've nailed access point support, take a look at your authentication server(s). If existing servers can be upgraded to support 802.1X directly, great. If not, consider installing a new RADIUS server that handles 802.1X and forwards vanilla RADIUS Access-Requests to your existing server. This is one way to ease into 802.1X without upsetting your existing infrastructure. When using EAP-TLS, TTLS, or PEAP, you'll also need a digital certificate for your RADIUS server.

Finally, plan supplicant software and user credential rollout to WLAN stations.
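The "request configured types in priority order" behaviour described above is the EAP Nak mechanism from RFC 3748: the server proposes one method type per EAP-Request, and a supplicant that cannot do that type answers with a Nak (type 3) listing the types it can do. The following is an added illustration written for this page, not code from the article or from any product it names; it simulates both sides in Python with constructed packets (no network, no real TLS handshake), and the Supplicant and negotiate names are this example's own. The server also uses the Nak to stop offering types the client has already refused, which is one optimisation a real server may or may not apply.

```python
"""EAP method negotiation in priority order (RFC 3748 style, constructed example)."""
import struct

# EAP codes and method type numbers (RFC 3748 / IANA EAP registry)
REQUEST, RESPONSE, SUCCESS, FAILURE = 1, 2, 3, 4
IDENTITY, NAK = 1, 3
EAP_TLS, EAP_SIM, EAP_TTLS, PEAP = 13, 18, 21, 25
NAMES = {EAP_TLS: "EAP-TLS", EAP_SIM: "EAP-SIM", EAP_TTLS: "EAP-TTLS", PEAP: "PEAP"}


def encode(code, ident, eap_type=None, data=b""):
    """Build an EAP packet: Code(1) Identifier(1) Length(2) [Type(1) Type-Data]."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def decode(pkt):
    """Parse an EAP packet into (code, identifier, type or None, type-data)."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("EAP length field does not match packet size")
    if length == 4:  # Success/Failure carry no type field
        return code, ident, None, b""
    return code, ident, pkt[4], pkt[5:length]


class Supplicant:
    """Hypothetical client: accepts an offered type it supports, otherwise sends a Nak."""

    def __init__(self, identity, supported):
        self.identity = identity
        self.supported = list(supported)  # client's own preference order

    def respond(self, request):
        code, ident, eap_type, _ = decode(request)
        if code != REQUEST:
            raise ValueError("supplicant only answers EAP-Requests")
        if eap_type == IDENTITY:
            return encode(RESPONSE, ident, IDENTITY, self.identity.encode())
        if eap_type in self.supported:
            # A real method would carry TLS records here; a Response of the
            # offered type is what signals that the client accepts the method.
            return encode(RESPONSE, ident, eap_type, b"")
        # Nak: "cannot do that type, but can do these" (RFC 3748 section 5.3)
        return encode(RESPONSE, ident, NAK, bytes(self.supported))


def negotiate(server_priority, supplicant):
    """Server side: offer configured types in priority order.

    Returns (agreed_type, transcript), with agreed_type None when the
    server's list is exhausted without a match (it would send EAP-Failure).
    """
    transcript = []
    ident = 0
    resp = supplicant.respond(encode(REQUEST, ident, IDENTITY))
    transcript.append(("Identity", decode(resp)[3].decode()))

    remaining = list(server_priority)
    while remaining:
        offered = remaining.pop(0)
        ident += 1
        _, rid, rtype, rdata = decode(supplicant.respond(encode(REQUEST, ident, offered)))
        if rid != ident:
            raise ValueError("identifier mismatch: stale or replayed response")
        if rtype == offered:
            transcript.append((NAMES[offered], "accepted"))
            return offered, transcript
        if rtype == NAK:
            wanted = ", ".join(NAMES.get(t, str(t)) for t in rdata)
            transcript.append((NAMES[offered], "Nak, client offers " + wanted))
            # Skip configured types the client has just said it cannot do
            remaining = [t for t in remaining if t in rdata]
            continue
        raise ValueError("unexpected EAP response type %r" % rtype)

    transcript.append(("server", "no common method, EAP-Failure"))
    return None, transcript


if __name__ == "__main__":
    # Constructed scenario: server prefers EAP-TLS, then PEAP, then EAP-TTLS;
    # a Windows-style client can do PEAP and EAP-TTLS but has no certificate.
    agreed, log = negotiate([EAP_TLS, PEAP, EAP_TTLS], Supplicant("alice", [EAP_TTLS, PEAP]))
    for step in log:
        print("%-9s %s" % step)
    print("agreed:", NAMES.get(agreed, agreed))
```

Running the block shows the server's EAP-TLS offer being Nak'd and PEAP accepted on the next request; a client supporting only EAP-SIM ends with no common method, which is the case to look for when a station is configured with an EAP type the RADIUS server was never given.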
Most organizations should plan a phased rollout. Reconfigure your access points to allow but not require 802.1X port access control and verify back-end communication between access points and your RADIUS server. Reconfigure a test station to use 802.1X and one of your selected EAP types and watch what happens. Sniffing traffic on both the wireless and wired sides of the access point may be necessary to debug initial authentication problems. Once you have verified your 802.1X implementation, begin upgrading user stations incrementally, starting with stations that have the lowest cost of entry and/or the most pressing need for improved WLAN security.

Conclusion

When planning your rollout, keep in mind that EAP types like EAP-TTLS and PEAP are not yet finalized. Additional EAP types are also still being defined, including EAP-SIM (to support GSM devices with SIM cards) and EAP-SecurID (to support two-factor hardware tokens). In fact, both EAP and 802.1X are still being tweaked to overcome issues encountered by early adopters. As these solutions mature, you should anticipate the need to upgrade installed 802.1X/EAP software. To manage this cost, you may want to start with a modest 802.1X rollout. Learn the ropes and get familiar with both the benefits and challenges of 802.1X. Start improving WLAN security with 802.1X today and you'll be better prepared for company-wide deployment in the future.