Set up 802.1X in sixty minutes - Part 2
Today - getting clients and access points secure
By Joel Snyder, Network World | Network World US | Published: 01:00, 12 April 2010
Yesterday, we described the start of a challenge: could we set up 802.1X authentication for a wireless network in under one hour? In 28 minutes, we set up a RADIUS server. What would happen next?
Determine the proximity
With the server side done, your next task is to get the wireless access point ready for 802.1X. It's possible to use "pure" 802.1X authentication, which was the earliest implementation of 802.1X over wireless. With pure 802.1X, you use 802.1X to authenticate, but then plain old Wired Equivalent Privacy for encryption. However, access points that support 802.1X will also support Wi-Fi Protected Access (WPAv1). A few also will support 802.11i, the IEEE final standard for wireless security, also called WPAv2.
Because WPAv1 is commonly available and considered very secure, your best bet is to dive right into WPAv1 with 802.1X authentication.
Our next step was making our access point 802.1X-aware and building a secure channel between the access point and the RADIUS server. We pulled an access point off the shelf, a Proxim AP-4000 802.11a/b/g device that received high praise in Network World's wireless security test in 2004. With the AP-4000, adding 802.1X authentication requires going to two screens to fill out information. On one we put in our RADIUS server and the shared secret that authenticates the access points to the RADIUS server. If your access point does not have a fairly secure channel to the RADIUS server (for example, if they're not on the same LAN switch), it's important to pick a nice long shared secret of 20 characters or more.
On the second screen of the AP-4000, we enabled WPA with 802.1X authentication and rebooted the access point. Because the access point doesn't participate actively in the 802.1X authentication, you don't have to configure in all of the miscellaneous 802.1X parameters, such as authentication method, when you set up the access point.
- Stopwatch: 33 minutes
Turn on the Inspiron
Because XP already has WPA and 802.1X built in for wireless security, we didn't have to install any software on the Windows laptop. However, we had to wade through the XP client configuration menus. These are attached to the wireless adapter. Our test laptop, a Dell Inspiron with a built-in wireless card, saw the AP-4000 but didn't know how to connect. By default, Windows will want to use a digital certificate to authenticate. That's good security, but didn't fit into our deployment plans. Next, in Windows preferences, is using the credentials you used to log on to XP - again, not what we wanted. Setting up 802.1X authentication meant clicking on a few property pages.
- Stopwatch: 38 minutes
One for the Aegis
If you use the built-in Windows client, you'll also have to create instructions for users to add the wireless network to their list of networks. We didn't count that in our time, but our quick cheat sheet would add up to about two pages of instructions. Fortunately, it's a one-time effort, and if you have users already using the Windows wireless client, you've already done about half of the work in getting them set up. For a more elegant solution, you can use a third-party 802.1X and WPA client that lets you easily pre-load profiles.
Most wireless cards include 802.1X capability in their built-in tools, typically using the Meetinghouse Communications Aegis 802.1X client and a vendor-provided configuration GUI. Cisco Systems Inc. is one of the few that don't use Meetinghouse, but it does provide its own 802.1X client as part of the Cisco wireless driver kit. The problem with using a third-party client is that not everyone will have the same wireless card, and every vendor makes up its own GUI to drive the 802.1X supplicant configuration. As laptops with built-in wireless approach the 100 percent mark, you might find that the slightly greater complexity of the built-in Windows client balances out the necessity to maintain instructions for every brand of wireless card anyone has ever bought.
With RADIUS server, access point and client configured, it's time for the smoke test: Will it work? In our case, the answer was a resounding "no." We wasted 14 minutes looking for ways to increase the debugging on the built-in Windows client. Fortunately, looking at the logs on the RADIUS server solved our problem - we forgot to set up a list of Windows groups that were allowed to log on. With a few clicks, we were finally up and running with XP. Without disappointment, you cannot appreciate victory - and we were victorious with time to spare.
- Stopwatch: 52 minutes
Tweaks of the trade
Flushed with success, we discovered that we had cheated a little bit. It turns out that the Microsoft 802.1X client wasn't fully configured. As part of our debugging, we disabled certificate verification, a serious no-no in any 802.1X environment. When we turned that feature back on, the client behaved erratically. The laptop we tested had Dell's own wireless configuration tool in it. We were able to use the Dell-provided version of the Meetinghouse Aegis client to connect with certificate validation. After finishing the last stage of our speed implementation of 802.1X, we went back and tested further with the Microsoft built-in client. Eventually, it started working but the behaviour wasn't 100 percent predictable and might prove frustrating for some users. You'll have to make your own decision on the trade-off between the convenience of one client for all Windows users, whether wireless or wired, vs. the more sophisticated, but every-company-is-different user interfaces that each wireless card vendor provides.
- Stopwatch: 56 minutes
A bite of the Apple
With 4 minutes to spare, you might want to tackle Mac clients. Apple Computer included 802.1X capability in the base operating system. The Apple client is even easier to use than Windows. Selecting our test 802.1X network out of the list of wireless networks brought up a dialog box asking for a username and password. The OS X server identified our test wireless network as "WPA Enterprise," which is one of the marketing terms for the combination of WPA and 802.1X. The OS X system then showed us the digital certificate we had received for the RADIUS server and asked us to approve it. That's a critical step, because if you don't know what you're connecting to, you're just handing your username and password over. A few seconds later, we were merrily surfing away - a little tired, a little wired and very secure.
- Stopwatch: 59 minutes
Switching into overtime
If you've got 5 more minutes, you can also turn on wired 802.1X on LAN switches from all major vendors. In a wired environment, 802.1X doesn't give you encryption, but it does give strong authentication. With 802.1X in a wired world, the switch is configured much like an access point. It needs to know where the RADIUS server is and a shared secret, and that's about it. Do it right and champagne falls from the heavens, doors open and velvet ropes will part. Plus you get a more secure wired LAN.
We started with an HP 2524 switch already configured into our network. With our Hewlett-Packard switch, enabling 802.1X took five commands, because we wanted the simple case. Many wired switch vendors have a variety of scenarios for different virtual LANs, depending on whether a port is unauthenticated, successfully authenticated or fails authentication. We resisted this complication and got 802.1X up very quickly.
On the Windows laptop, we again used Microsoft's built-in 802.1X supplicant. This time, we didn't have the option of using the add-on client provided by Dell because the Dell client only worked with wireless cards. Microsoft's client can handle either case using the exact same interface.
In the world of Macintosh, 802.1X on a wired LAN requires on additional step. We launched a program called Internet Connect that is used to define 802.1X connections and Point-to-Point Tunneling Protocol, IPSec and Layer 2 Tunneling Protocol VPNs. With Internet Connect, we defined an 802.1X connection, selecting the Ethernet port and gave our username and password. Once that's in place, all we had to do is click "Connect" to successfully authenticate to the HP switch.
Did all that make sense?
If not, check our WLAN security glossary