Real products for real WLAN security
Requirements for 802.1x and EAP
By George Ou
TechRepublic
September 4, 2002



To use 802.1x and EAP, you must have the following components:

1. Client wireless network adaptor compatible with 802.1x
2. Client access software capable of EAP
3. Wireless access point (base station) compatible with 802.1x and EAP
4. RADIUS compatible with EAP
5. PKI

Most 802.11 wireless adaptors support 802.1x natively with Windows XP. With older operating systems, 802.1x driver support depends on the adaptor's vendor. For Cisco LEAP-specific support, you'll most likely need to purchase a Cisco PC card. Very few 802.11 adaptors support LEAP natively. Some of the Intersil Prism Wireless chipsets will support LEAP with the aid of third-party utilities. Some laptop vendors even have integrated 802.11 support for 802.1x and all four flavors of EAP, eliminating the need for bulky and expensive 802.11 cards. Most of the Orinoco adaptors cost $60 to $100, while the Cisco adaptors run between $110 and $140. Getting an integrated adaptor from a laptop vendor with full EAP support will cost about $50 to $60.

For client access software, Windows XP provides OS-native support for EAP-TLS. Microsoft will add support for older Windows operating systems such as 2000, 98, NT, and Pocket PC by the end of 2002. For LEAP support, Cisco's client software was the only solution for some time. Third-party solutions such as that provided by MDC can offer EAP support for any of the four EAP types. Cisco's client is bundled with its wireless adaptors, while some integrated wireless solutions bundle the MDC solution.

For access points, only industrial-grade solutions will support 802.1x and EAP-TLS, such as those from Agere (a Lucent spin-off), Cisco, and Intel. However, LEAP currently works only on Cisco access points. These high-end access points cost between $400 and $1,000, depending on the features included. This is a bit more expensive than the SOHO solutions that cost between $100 and $200, but you get vastly superior features, including Dynamic WEP, better antennas, and sometimes even dual-band 802.11a and 802.11b capabilities.

For RADIUS capabilities, you can use FreeRADIUS on Linux (although support is shaky), Cisco's ACS/AR RADIUS, Funk Software's Odyssey or Steel-Belted RADIUS Server, Interlink Networks, Open Systems Consultants, and Microsoft IAS (bundled with Windows 2000 Server). The Linux and Microsoft solutions are virtually free, since you run IAS on your existing domain controllers. The other solutions range between $1,000 and $4,000. It's important to note that all these RADIUS solutions support EAP-TLS. LEAP is supported by all but Microsoft. EAP-TTLS is supported only by Funk's solution.

PKI is required for the EAP-TLS and EAP-TTLS solutions. Microsoft Windows 2000 Server has the Certificate Authority service bundled with the OS, so pricing is extremely attractive. Much of the PKI can be put onto your existing Windows 2000 servers. You can also purchase certificates from public certificate authorities such as VeriSign, but that's not recommended for reasons of practicality and price.

As you can see, you have quite a few EAP choices, depending on your preferred platform. You can even bypass the EAP portion altogether if you go with Agere's proprietary AS2000 solution. But be warned that 802.1x and EAP will eventually be ratified into the 802.11i specifications. For most of you, the choice is between Cisco's LEAP (dominant market share), the standardized and super secure EAP-TLS solution with native server and client OS support, and Funk's EAP-TTLS. All have their own appeal.

The choice may be easier if you already are committed to many of the required components I listed. Just keep in mind that if you choose a proprietary solution, EAP-TLS should be implemented as a fallback solution for maximum compatibility.
