
Put tight authentication on your WLAN

802.1X and the EAPs it works with.

This article, one in a short series of primers on deploying wireless LAN security, covers using authentication to keep your WLAN secure.

WLAN security, as mentioned in recent articles, comprises several components working together to tackle different types of security threats. One component is strong authentication: making sure users are who they claim to be before they can access the network.

Start with the framework
To that end, the IEEE 802.1X protocol has become the standard authentication framework in enterprise-class WLANs. By "framework," I mean a "handshaking model" among clients, access points and authentication databases for authenticating and controlling user traffic.

802.1X ties an IETF-standard protocol called Extensible Authentication Protocol (EAP) to the wireless (and wired) LAN and supports multiple authentication methods. The EAP methods (the exact procedure for authentication) bear acronyms such as EAP-TTLS and PEAP.

If this sounds complex, our two-part guide to setting up 802.1X in sixty minutes may convince you otherwise.

Choosing an EAP
To distinguish among these pieces: EAP is the transport method for carrying the authentication method (EAP-TTLS, PEAP). You choose the authentication method yourself: the one you think will work best in your environment for verifying the authenticity of users, in terms of both security strength and management (we have a brief guide to choosing an EAP). As for 802.1X and EAP protocols, Wi-Fi products marked as "WPA2-certified" or "802.11i-certified" by the Wi-Fi Alliance will support these components automatically.

The EAP method you choose must be supported in software both in your WLAN clients and in your RADIUS authentication server; if there isn't a match, the authentication process won't work.

Most Wi-Fi client software, also called "supplicant" software in Wi-Fi security vernacular, supports many different EAP methods, as do many available RADIUS authentication servers, giving you a range of choices. Still, if there isn't a match, find out if you can install your EAP method of choice onto the authentication server you are using or wish to deploy.

Legacy devices need special treatment
Note: When I say that "most client software" supports multiple EAP methods, I'm talking primarily about laptop supplicants. There are still many legacy data devices and voice handsets that are behind the times in their ability to support the latest Wi-Fi security.

It's a good idea to cluster all older or otherwise memory-challenged devices that can't support your primary security policy into a class (or classes) of their own, and create "best-you-can-do" security policies for these devices.





