Slashdot Mirror

← Back to Stories (view on slashdot.org)

Are You Using 802.1X?

Posted by Cliff on from the solving-the-problems-of-802.11 dept.

WirelessMan asks "I work for a certain university in the US, and our IT department has just deployed IEEE 802.1x authentication for our wireless network. One of the benefits is that all users' sessions are encrypted using tumbling WEP keys. One of the (major) drawbacks is the 'newness' of 1x. As far as I can tell (Google, etc) there aren't a whole lot of places out there who have taken the plunge. Google it, or check out this brief description. Does the Slashdot community have any experience with 1x?"

"Here's our story: we're using Windows 2003 servers (for IAS) and PEAP/MSCHAPv2. We're not offering support for Windows clients prior to 2000 (even though clients do exist for 98/ME,etc). Windows 2000 supposedly has builtin support after SP3, but on June 10, Microsoft released a WEP patch that breaks 1x! (At least for our implementation...) Windows XP SP1 works in most cases, but certain onboard-wireless chipsets (Intel) don't work, regardless of OS. I heard that staff struggled with and finally successfully installed a 3rd party client for RedHat 9, and I'm told there's also a client for Mac OS 10.2.

As far as I can tell, the network guys did their homework--I promise--but this deployment is beginning to look like a disaster! Do you have any wisdom to share about how to pull victory from the clutches of shameful defeat? I realize my question is rather broad and vague ... but I'm really interested to see what discussion comes up. Thanks!"

9 of 239 comments (clear)

  1. Get SP4 for W2K by mike300zx · · Score: 5, Informative

    Get SP4 which gets the .1x support back.

  2. Purdue's Solution by mjlizzad · · Score: 5, Interesting

    Take a look at what Purdue University does. They use a Cisco VPN client that is available on win/mac/linux/sun, and ties in with the student accounts to verify access. If you aren't using the VPN client, you are redirected to download it automagically. http://www.itap.purdue.edu/airlink/ This is the best solution I have seen.

    1. Re:Purdue's Solution by Anonymous Coward · · Score: 5, Interesting

      Actually, the VPN solution, while effective, can be a management pain in the butt -- especially if you have users that wander from AP to AP that may or may not service the same subnet. Plus, almost always its going to be a proprietary solution of some sort, meaning you're locked into a vendor and may face future compatibility issues.

      With 802.1x properly implemented, there's little reason to continue using VPN. I have seen a combination of VPN and .1x, but that is merely because using plain WEP doesn't meet DoD standards for encryption of unclassified data over an open medium.

  3. yes, the security it provides is worth it by puneetb · · Score: 5, Informative

    not using even WEP is simply asking for trouble, using basic WEP (pre-shared keys) is a little better, but its still vulnerable and has the hassles of key management (each time you change the keys you need to update all clients). 802.1x is the way to go.

    There is some support on OSes for 802.1x (Windows XP has it built it for some authentication methods, for Windows 2000 you can download it from the Microsoft website, for Linux and BSD use xsupplicant (http://www.open1x.org).

    One important consideration is what 'EAP method' you use for security. 802.1x is a framework for security and you can tie-in different methods within this framework for doing the actual authentication and key generation.

    If you use EAP-TLS then there is can be a problem of configuring certificates on client machines, though its pretty secure once setup. You can use the cisco proprietary LEAP with Cisco AP's and clients or go for a solution based on PEAP or EAP-TTLS.

    LEAP only requires you to have a user-name/password type of setup and can be easily tied to existing authentication infrastructure (Eg: the windows network in your LAB). PEAP and EAP-TTLS need only a username and password if you use MS-CHAPV2 or some such method, though you still need valid server-side certificates.

    Puneet

  4. Re:I guess you learn something every day. by VAXman · · Score: 5, Informative

    You're thinking of "802.11x" which generally means any of 802.11b, 802.11a, or 802.11g (wireless protocols). "802.1x" is a security protocol, not a wireless protocol per se. Very confusing, I know...

  5. Re:Universities and such by mplex · · Score: 5, Informative

    You also can't broadcast the universities data to the world. It's definately a balance, but there are solutions that can work without being too restrictive. We use Funk software's Odyssey server at our University, and it supports a wide range of authentication types(TLS, TTLS, LEAP, PEAP). We have managed to get 98% of our users online without any trouble. Cisco hardware works fine on most OS's (Linux, BSD, pocketpc). There is also an open source TLS authentication method, but that involves issueing client certificates.

    Like I said before, there has to be some balance between security and academic freedom, but there must be some sort of security policy in any large wireless network. I think what the industry really needs is a standard rather than 5 or more different solutions with marginal advantages over one another. Then we can work on getting that standard supported everywhere (PEAP I hope). Until then, wireless security will always be hit or miss or none at all.

  6. University of Utah - 802.1x Campus Standard by galimore · · Score: 5, Informative

    Hi,

    I work at the University of Utah. We're currently rolling out 802.1x.

    My building has already rolled out 802.1x on about 36 access points. We've been running for over a month and a half.

    We've got a lot of people interested in what we're doing. We're using a decentralized model that allows us to let various departments use their user accounts everywhere else on campus (that is using 802.1x).

    Check out our whitepaper for more information:

    http://utahgeeks.sourceforge.net/projects/Wireless Whitepaper.pdf

    The paper covers various issues. Keep in mind that the paper is not quite done yet, but it does have a lot of useful information.

    We're officially supporting Mac OS X, Windows 98, Windows 2k, and Windows XP. We're not officially supporting Linux, but my boss and I are lead developers on the open1x project (http://open1x.sourceforge.net).

    It has Linux and Mac OS X support. We support TTLS, TLS, PEAP (in CVS), MD5, and we're going to be implementing EAP_AKA pretty soon.

    If you're interested in the specifics please check out some of our support pages:

    http://www.laptop.lib.utah.edu/global/support/inde x.html

    The biggest problem has been support for various cards on Windows. The support link above lists the cards we've tested.

    We're currently only supporting Airport on Mac OS X due to the lack of a public API from Apple. (Please let apple know that you want a public wireless API so we can support more cards... ;)

    We're using a campus site license of the Meetinghouse supplicant for Mac OS X, and Windows. We're using Radiator, a perl based (VERY NICE!) radius server. It's 802.1x implementation rocks.

    More info on Radiator: http://www.open.com.au

    802.1x is becoming the University of Utah campus standard. All future wireless purchases made with student task force moneys will be required to be 802.1x compatible.

    Please let us know if you have any questions regarding our setup.

  7. Re:Should I be using 802.1x? by galimore · · Score: 5, Informative

    You're a little bit confused about how 802.1x ties into everything...

    a) 802.1x was designed for port based access, not wireless. It was adapted for wireless. The keying method is WEP. The encryption tunnel for authentication happens VERY quickly. very little overhead.

    b) 802.1x allows you to know WHO is on your network. Do you really want to have an open wide public network that some terrorist could potentially get on to talk to his buddies anonymously... not me... ;)

    c) Once again... the encryption for the authentication happens very quickly. We're talking miniscule amounts of time. The keying on the card is WEP, but the keys can be per-user, and can rotate at a specified interval. If you're using WEP at all your keys should be rotating no less than every 10 minutes, otherwise it would be very easy to crack.

    d) 802.1x *IS* using SSL for its encryption... besides the fact that that portion only happens for authentication... as I said before WEP is used on the cards.

    802.11i will provide per-packet keying, which is when you should really start to worry about the overhead...

  8. Re:Universities and such by galimore · · Score: 5, Informative

    Um... 802.1x *IS* an IEEE standard... people just need to start implementing it correctly... ;)

    Also, not only is there a TLS open source standard... the open1x project (http://www.open1x.org) has a TTLS release, and PEAP in CVS.

    PEAP is a horrid ripoff of TTLS in my opinion.

    P.S. The FUNK guys wrote the TTLS RFC. ;)

    M$ and Cisco wrote the PEAP RFC, but neither of them follow it, or each other.