Tech Update Security
Real products for real WLAN security
By George Ou
TechRepublic
September 4, 2002

An emerging standard in wireless security finally is giving IT departments a way to fend off key-sniffing hackers and users who install their own unauthorized access points.

In "At last, real wireless LAN security," we discussed the new 802.1x/EAP combination that allows you to manage and distribute encryption keys on a per-user and per-session basis.

Now we'll describe what it takes to actually build an 802.1x/EAP solution. Because 802.1x and EAP are open standards, implementation is left to individual vendors. As a result, four types of EAP implementations have emerged as de facto "standards." They all share the same underlying 802.1x and EAP architecture, but the ways they implement EAP differ.

LEAP

Cisco was one of the first vendors to market with its Lightweight EAP (LEAP) "standard" in December 2000. This is a very proprietary solution and initially worked only with Cisco client 802.11 cards, Cisco RADIUS servers, and Cisco access points. Recently, Cisco began working with other vendors to make their equipment and software LEAP-compliant. You now have some choice when selecting client 802.11 PC cards, and at least four other RADIUS solutions support LEAP. Some laptop vendors even support this solution natively with their integrated 802.11 adaptors. Implementation of LEAP is relatively simple. Cisco's ACS/AR RADIUS servers can easily be tied into your LDAP or Active Directory domain, and user authentication is transparent. The only downside to this approach is that your password policy had better be strong, because LEAP is vulnerable to man-in-the-middle dictionary attacks. But with a strong password policy, LEAP is a fairly convenient and secure solution.

EAP-TLS

EAP-TLS (Transport Layer Security) is an open standard that's supported by nearly every vendor. As the common-denominator implementation of EAP, its strength is that it requires the use of a public key infrastructure (PKI). PKI makes EAP-TLS extremely secure because asymmetric public/private key pairs are used on both the RADIUS server side and the client side.

The only downside is that implementing a PKI may seem a bit intimidating, although it really isn't. Microsoft is firmly entrenched in this camp and has put native OS client support for EAP-TLS in Windows XP. Later this year, Microsoft will release support for Windows 2000, NT, 98, and Pocket PC. For the time being, you would have to use a third-party solution, such as that provided by Meetinghouse Data Communications (MDC), for non-XP operating systems.

Even Cisco is now recommending dual support for LEAP and EAP-TLS. EAP-TLS is a fallback solution with version 3 of Cisco ACS RADIUS because Cisco realizes that not everything is compatible with LEAP. The cost of implementing EAP-TLS is almost negligible if you use Microsoft RADIUS and PKI technology. This is because Microsoft's Internet Authentication Service (IAS) RADIUS is bundled with the Windows 2000 Server operating system and is as stable as any other solution, in my experience.

Because Microsoft recommends that you implement IAS on your domain controllers, there's no cost of an extra server and no additional licensing costs. The required PKI can be addressed by implementing the Certificate Authority service, also bundled with Windows 2000 Server. Licensing and server cost is kept to a minimum. Overall, this is one of the most secure and inexpensive solutions. The only initial burden is setting up a PKI in your organization, but keep in mind that PKI certificates can be used for many other purposes, such as L2TP VPN. All of this is just a one-time setup, and once EAP-TLS is fully implemented, it's almost completely transparent to the user.

EAP-MD5

EAP-MD5 is the least secure version of EAP because it uses user names and passwords for authentication and is vulnerable to dictionary attacks. In addition, EAP-MD5 does not support dynamic WEP keys, which is a critical liability.

EAP-TTLS

EAP-TTLS (Tunneled Transport Layer Security) is Funk Software's version of EAP that uses Funk's Odyssey or Steel-Belted RADIUS server. It's also supported by third-party client software from vendors such as MDC. Funk's selling point is that PKI certificates are required only on the authentication server, not on the clients. In general, this is considered almost as secure as EAP-TLS while making deployment simpler.
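All four variants ride on the same 802.1x/EAP framing, so the method in use is visible in the EAP type byte of each EAPOL frame. As an added example (not code from the article or from any vendor named in it), the parser below reads that framing and flags the password-based methods the article singles out (EAP-MD5 and LEAP), which is the check you would run on the wired side of an access point to confirm that only certificate-based methods are being negotiated; the sample frames are constructed, not captured traffic.

```python
import struct

# Constants from IEEE 802.1X (EAPOL) and RFC 3748 / the IANA EAP method-type registry.
EAPOL_EAP_PACKET = 0          # other EAPOL types: 1 Start, 2 Logoff, 3 Key
EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPES = {1: "Identity", 3: "Nak", 4: "EAP-MD5", 13: "EAP-TLS", 17: "LEAP", 21: "EAP-TTLS"}
# Methods the article classes as password-based and dictionary-attackable (EAP-MD5 also yields no dynamic WEP keys).
WEAK_METHODS = {"EAP-MD5", "LEAP"}

def parse_eapol(frame: bytes) -> dict:
    """Parse one EAPOL frame (Ethernet header stripped) and the EAP packet inside it."""
    if len(frame) < 4:
        raise ValueError("truncated EAPOL header")
    version, ptype, length = struct.unpack("!BBH", frame[:4])
    info = {"version": version, "eapol_type": ptype, "code": None, "id": None, "method": None}
    if ptype != EAPOL_EAP_PACKET:
        return info               # Start/Logoff/Key frames carry no EAP packet
    body = frame[4:4 + length]
    if length < 4 or len(body) < length:
        raise ValueError("EAPOL body shorter than declared length")
    code, ident, eap_len = struct.unpack("!BBH", body[:4])
    if eap_len < 4 or eap_len > length:
        raise ValueError("EAP length inconsistent with EAPOL length")
    info.update(code=code, id=ident)
    if code in (EAP_REQUEST, EAP_RESPONSE) and eap_len >= 5:
        info["method"] = EAP_TYPES.get(body[4], f"type-{body[4]}")
    return info

def audit_methods(frames) -> list:
    """List the EAP methods supplicants actually answered with, flagging the weak ones."""
    findings = []
    for frame in frames:
        info = parse_eapol(frame)
        method = info["method"]
        if info["code"] == EAP_RESPONSE and method not in (None, "Identity", "Nak"):
            findings.append((method, method in WEAK_METHODS))
    return findings

def eapol_eap(code: int, ident: int, payload: bytes) -> bytes:
    # Build a constructed EAPOL v1 frame wrapping one EAP packet (used only for the samples below).
    eap_len = 4 + len(payload)
    eapol_hdr = struct.pack("!BBH", 1, EAPOL_EAP_PACKET, eap_len)
    return eapol_hdr + struct.pack("!BBH", code, ident, eap_len) + payload

# Constructed sample exchange: an Identity answer, an EAP-MD5 answer (value-size byte plus
# a 16-byte value), then an EAP-TLS answer (flags byte only).
SAMPLE_FRAMES = [
    eapol_eap(EAP_RESPONSE, 1, bytes([1]) + b"alice"),
    eapol_eap(EAP_RESPONSE, 2, bytes([4, 16]) + bytes(16)),
    eapol_eap(EAP_RESPONSE, 3, bytes([13, 0])),
]
```

Running `audit_methods(SAMPLE_FRAMES)` reports the EAP-MD5 answer as weak and the EAP-TLS answer as certificate-based; feed it frames captured on the switch port behind an access point to audit a real deployment.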