Are You Using 802.1X?
"Here's our story: we're using Windows 2003 servers (for IAS) and PEAP/MSCHAPv2. We're not offering support for Windows clients prior to 2000 (even though clients do exist for 98/ME, etc.). Windows 2000 supposedly has built-in support after SP3, but on June 10, Microsoft released a WEP patch that breaks 1x! (At least for our implementation...) Windows XP SP1 works in most cases, but certain onboard-wireless chipsets (Intel) don't work, regardless of OS. I heard that staff struggled with and finally successfully installed a 3rd party client for RedHat 9, and I'm told there's also a client for Mac OS 10.2.
As far as I can tell, the network guys did their homework--I promise--but this deployment is beginning to look like a disaster! Do you have any wisdom to share about how to pull victory from the clutches of shameful defeat? I realize my question is rather broad and vague ... but I'm really interested to see what discussion comes up. Thanks!"
Did "homework" include a reasonable test implementation? Anything that affects your infrastructure in such a drastic way should probably be banged on for several weeks with at least a dozen guinea pigs (assuming you don't have a test lab in these days of cost cutting).
Take a look at what Purdue University does. They use a Cisco VPN client that is available on win/mac/linux/sun, and ties in with the student accounts to verify access. If you aren't using the VPN client, you are redirected to download it automagically. http://www.itap.purdue.edu/airlink/ This is the best solution I have seen.
I know a lot of people rag on 1x because it isn't supported by every POS WiFi card out there, but the security enhancement you get is really indispensable, especially when you consider that your average corporate WEP network is no safer than my Linksys AP at home.
A really great client for getting multiple cards to work on 1x networks is the Aegis client from Meetinghouse. Their supplicant will take many standard WiFi cards and allow them to use 1x.
Our IT dept doesn't support it (most probably won't) but if you're a frustrated user who doesn't want to buy a new card for a 1x network they've got a 15 day demo which should give you enough time to figure out if it works for you.
I'm running a public Wi-Fi access point and I've had several people tell me that I should look into one of these encryption methods. Personally, I don't get it. If you're using Wi-Fi for your internal network then I understand, SMB passwords flying around, people dropping into your NFS system, but for simple, public internet access does it really matter?
It seems to me that this type of encryption may not even belong at the connection level. Any type of encryption is going to add significant overhead, so shouldn't it be up to the application to make secure connections as needed? For most web browsing, who cares if the signal is intercepted; if you're sending passwords or credit info you should be using https anyway. Likewise IMAP, POP3, FTP and SMTP, use the SSL wrapped alternatives.
Is there something I'm missing here? Shouldn't it generally be up to the app to determine if the overhead of encryption is required?
Check out the open1x project.
;)
http://open1x.sourceforge.net
I'm not only a client, I'm also a developer.