By Lisa Phifer
September 10, 2003
Finding EAP In Products
There are technical differences between EAP-TTLS and PEAP, but the most important difference to organizations deploying 802.1X pertains to product support. EAP-TTLS was originally proposed by Funk Software; PEAP was proposed by Cisco and Microsoft. EAP-TTLS requires installation of third-party “802.1X Supplicant” software, while PEAP requires a recent Windows operating system or service pack. The following table summarizes current support for common EAP types used with wireless LANs.
|RADIUS Server Support||Cisco, FreeRADIUS, Funk, Interlink, Meetinghouse, Microsoft, Radiator||Funk, Interlink, Meetinghouse, Radiator||Cisco, Funk, Interlink, Meetinghouse, Microsoft, Radiator||Cisco, FreeRADIUS, Funk, Interlink, Meetinghouse, Radiator|
|Supplicant Client Support||Cisco, Funk, Meetinghouse, Microsoft, Open1X||Alfa-Ariss, Funk, Meetinghouse, Open1X||Funk, Meetinghouse, Microsoft||Cisco, Funk, Meetinghouse|
|Embedded OS Support||Windows XP/2000/2003||n/a||Windows XP/2000/2003||n/a|
|Platforms supported by Third-Party Supplicants||MacOS X, BSD, Linux, Win32||MacOS X, BSD, Linux, Win32||Win32||Win32|
Clearly, most RADIUS vendors are trying to support as many EAP types as possible to satisfy growing demand. EAP-TLS still has the broadest support, but it’s not hard to find commercial servers that support others. The real trick is to make sure that your RADIUS server, access point, and supplicant are compatible: check the versions of 802.1X and EAP supported by all three. In particular, when using PEAP, verify that the authentication method you want to use is uniformly supported, because Cisco and Microsoft have distributed different (incompatible) versions of PEAP.
The most challenging part of deploying 802.1X involves installing and configuring client-side software and user credentials. Here are a few hints:
- If you use Cisco gear, you’ll find that LEAP, EAP-TLS, and PEAP are installed on every station along with Cisco’s Aironet Client Utility. Whenever you upgrade Cisco card drivers, you’re automatically upgrading 802.1X/EAP support as well.
- If your desktops and laptops run new Windows operating systems, you’ll find EAP-TLS included in every copy of Windows XP and PEAP in XP Service Pack 2. These EAP types are also included in Windows 2000 service packs and ship with Windows 2003. Whenever you run Windows Update on these operating systems, you’re also upgrading Microsoft’s embedded 802.1X/EAP supplicant.
- If you use devices that run older/different operating systems and non-Cisco cards, you’ll need to find and install third-party supplicant software. As seen above, your RADIUS vendor is a good place to start looking. You’ll also want to consider how to upgrade systems in the field once you’ve deployed this supplicant software.
- Organizations with heterogeneous networks may want to install the same supplicant on every system (even Windows XP/2000 PCs) to create a uniform environment. Such organizations face a tough decision about when and how to deploy 802.1X, since they must strike a balance between uniform coverage, added security, and software administration costs.
Planning Your 802.1X Rollout
If you’re serious about deploying 802.1X, start by deciding how to authenticate WLAN users. Consider your network’s existing security policy and user credentials. For example, do you already issue VPN client software and certificates to laptop users? If so, EAP-TLS can reuse those certificates. Do you need to support WLAN access by visitors? If so, you may want password-based authentication — at least for visitors. In fact, you don’t need to pick just one EAP type or authentication method. Most 802.1X-enabled RADIUS servers can support multiple types, and will request configured types in priority order until each station offers up acceptable credentials. Both PEAP and EAP-TTLS can be used with client-side passwords or certificates.
Next, look for products that support 802.1X and your chosen EAP types, starting with your access points. The access points as ‘athenticators’ play a smaller role than supplicants or authentication servers, but they’re a mandatory ingredient. If your access points don’t yet support 802.1X interaction with RADIUS servers, then you’ll need to upgrade your access point firmware, buy new hardware, or put your 802.1X plans on hold. 802.1X support is common in enterprise-grade access points, but entry-level products sold to residential customers (like those from Linksys or D-Link) don’t usually need to interact with RADIUS servers.
Once you’ve nailed access point support, take a look at your authentication server(s). If existing servers can be upgraded to support 802.1X directly, great. If not, consider installing a new RADIUS server that handles 802.1X and forwards vanilla RADIUS Access Requests to your existing server. This is one way to ease into 802.1X without upsetting your existing infrastructure. When using EAP-TLS, TTLS, or PEAP, you’ll also need a digital certificate for your RADIUS server.
Finally, plan supplicant software and user credential rollout to WLAN stations. Most organizations should plan a phased rollout. Reconfigure your access points to allow but not require 802.1X port access control and verify back-end communication between access points and your RADIUS server. Reconfigure a test station to use 802.1X and one of your selected EAP types and watch what happens. Sniffing traffic on both the wireless and wired sides of the access point may be necessary to debug initial authentication problems.
Once you have verified your 802.1X implementation, begin upgrading user stations incrementally, starting with stations that have the lowest cost of entry and/or the most pressing need for improved WLAN security.
When planning your rollout, keep in mind that EAP types like EAP-TTLS and PEAP are not yet finalized. Additional EAP types are also still being defined, including EAP-SIM (to support GSM devices with SIM cards) and EAP-SecurID (to support two-factor hardware tokens). In fact, both EAP and 802.1X are still being tweaked to overcome issues encountered by early adopters. As these solutions mature, you should anticipate the need to upgrade installed 802.1X/EAP software. To manage this cost, you may want to start with a modest 802.1X rollout. Learn the ropes and get familiar with both the benefits and challenges of 802.1X. Start improving WLAN security with 802.1X today and you’ll be better prepared for company-wide deployment in the future.