By George Ou
An emerging standard in wireless security finally is giving IT departments a way to fend off key-sniffing hackers and users who install their own unauthorized access points. In part one of this two-part series, we discussed the new 802.1x/EAP combination that allows you to manage and distribute encryption keys on a user- and session-level basis.
Now we’ll tell you what it takes to actually build an 802.1x/EAP solution. Because the 802.1x and EAP are open standards, implementation is left to individual vendors. As a result, four types of EAP implementations have emerged as “standards.” They all share the same underlying 802.1x and EAP architecture, but the ways they implement the EAP are different.
Cisco was one of the first vendors to market with its Lightweight EAP (LEAP) “standard” in December 2000. This is a very proprietary solution and initially worked only with Cisco Client 802.11 cards, RADIUS Servers, and Cisco Access Points. Recently, Cisco began working with other vendors to make its equipment and software LEAP-compliant. You now have some choice when choosing Client 802.11 PC cards, and at least four other RADIUS solutions support LEAP. Some laptop vendors even support this solution natively with their integrated 802.11 adaptors.
Implementation of LEAP is relatively simple. Cisco’s ACS/AR RADIUS servers can easily be tied into your LDAP or Active Directory domain, and user authentication is transparent. The only downside to this approach is that your password policy better be strong, because LEAP is vulnerable to man-in-the-middle dictionary attacks. But with a strong password policy, LEAP is a fairly convenient and secure solution.
EAP-TLS (Transport Layer Security) is an open standard that’s supported by nearly every vendor. As the most common denominator implementation of EAP, its strength is that it requires the use of public key infrastructure (PKI). PKI makes EAP-TLS extremely secure with the use of asymmetric public and private keys on the RADIUS and client sides.
The only downside is that implementing a PKI may seem a bit intimidating, although it really isn’t. Microsoft is firmly entrenched in this camp and has put native OS client support for EAP-TLS in Windows XP. Later this year, Microsoft will release support for Windows 2000, NT, 98, and Pocket PC. For the time being, you would have to use a third-party solution, such as that provided by Meetinghouse Data Communications (MDC), for non-XP operating systems.
Even Cisco is now recommending dual support for LEAP and EAP-TLS. EAP-TLS is a fallback solution with version 3 of Cisco ACS RADIUS because Cisco realizes that not everything is compatible with LEAP. The cost of implementing EAP-TLS is almost negligible if you use Microsoft RADIUS and PKI technology. This is because Microsoft’s Internet Authentication Service (IAS) RADIUS is bundled with the Windows 2000 Server operating system and is as stable as any other solution, in my experience.
Because Microsoft recommends that you implement IAS on your domain controllers, there’s no cost of an extra server and no additional licensing costs. The required PKI can be addressed by implementing the Certificate Authority (CA) service, also bundled with Windows 2000 Server. Licensing and server cost is kept to a minimum. Overall, this is one of the most secure and inexpensive solutions. The only initial burden is setting up a PKI in your organization, but keep in mind that PKI certificates can be used for many other purposes, such as L2TP VPN. All of this is just a one-time setup, and once EAP-TLS is fully implemented, it’s almost completely transparent to the user.
EAP-MD5 is the least secure version of EAP because it uses usernames and passwords for authentication and is vulnerable to dictionary attacks. In addition, EAP-MD5 does not support Dynamic WEP keys, which is a critical liability.
EAP-TTLS (Tunneled Transport Layer Security) is Funk software’s version of EAP that uses Funk’s Odyssey or Steel Belted RADIUS server. It’s also supported by third-party client software from vendors, such as MDC. Funk’s selling point is that PKI certificates are required only on the authentication server but not on the clients. In general, this is considered almost as secure as EAP-TLS while making deployment simpler.
Cisco, Microsoft, and RSA Security Inc. are currently proposing a new RFC for PEAP (Protected Extensible Authentication Protocol) to address the needs of organizations that want a more convenient password-based solution instead of the certificate-based solution used by EAP-TLS. Similar to EAP-TTLS, it will require a certificate for the authentication server but not for the clients, and it will use an encrypted channel for password transmission to mitigate dictionary attacks.
Requirements for 802.1x and EAP
To use 802.1x and EAP, you must have the following components:
- Client wireless network adaptor compatible with 802.1x
- Client access software capable of EAP
- Wireless access point (base station) compatible with 802.1x and EAP
- RADIUS compatible with EAP
Most 802.11 wireless adaptors support 802.1x natively with Windows XP. With older operating systems, 802.1x driver support depends on the adaptor’s vendor. For Cisco LEAP-specific support, you’ll most likely need to purchase a Cisco PC card. Very few 802.11 adaptors support LEAP natively. Some of the Intersil Prism Wireless chipsets will support LEAP with the aid of third-party utilities. Some laptop vendors even have integrated 802.11 support for 802.1x and all four flavors of EAP, eliminating the need for bulky and expensive 802.11 cards. Most of the Orinoco adaptors cost $60 to $100, while the Cisco adaptors run between $110 and $140. Getting an integrated adaptor from a laptop vendor with full EAP support will cost about $50 to $60.
For Client Access software, Windows XP provides OS native support for EAP-TLS. Microsoft will add support for older Windows operating systems such as 2000, 98, NT, and Pocket PC by the end of 2002. For LEAP support, Cisco's Client software was the only solution for some time. Third-party solutions such as that provided by MDC can offer EAP support for any of the four EAP types. Cisco's Client is bundled with its Wireless Adaptors while some Integrated Wireless Solutions bundle the MDC solution.
For access points, only industrial-grade solutions will support 802.1x and EAP-TLS, such as those from Agere (a Lucent spin-off), Cisco, and Intel. However, LEAP currently works only on Cisco access points. These high-end access points cost between $400 and $1,000, depending on the features included. This is a bit more expensive than the SOHO solutions that cost between $100 and $200, but you get vastly superior features, including Dynamic WEP, better antennas, and sometimes even dual-band 802.11a and 802.11b capabilities.
For RADIUS capabilities, you can use FreeRADIUS on Linux (although support is shaky), Cisco's ACS/AR RADIUS, Funk Software's Odyssey or Steel Belted RADIUS, Interlink Networks, Open Systems Consultants, and Microsoft IAS (bundled with Windows 2000 Server). Pricing for the Linux and Microsoft Solutions are virtually free since you run IAS on your existing domain controllers. The other solutions range between $1,000 and $4,000. It’s important to note that all these RADIUS solutions support EAP-TLS. LEAP is supported by all but Microsoft. EAP-TTLS is supported only by Funk's solution.
PKI is required for the EAP-TLS and EAP-TTLS solutions. Microsoft Windows 2000 Server has the CA service bundled with the OS, so pricing is extremely attractive. Much of the PKI can be put onto your existing Windows 2000 servers. You can also purchase certificates from public CAs such as VeriSign, but that’s not recommended for practicality and pricing issues. To learn more about PKI and certificate authorities, I suggest you read the Microsoft white papers on PKI and articles here on TechRepublic.
Cisco and Agere
While Cisco has a proprietary version of EAP, Agere uses its own proprietary encryption scheme, AS2000, that completely bypasses WEP and EAP while using 802.1x. However, both Cisco and Agere, like nearly all other vendors, support EAP-TLS.
As you can see, you have quite a few EAP choices, depending on your preferred platform. You can even bypass the EAP portion altogether if you go with Agere’s proprietary AS2000 solution. But be warned that 802.1x and EAP will eventually be ratified into the 802.11i specifications. For most of you, the choice is between Cisco’s LEAP (dominant market share), the standardized and super secure EAP-TLS solution with native server and client OS support, and Funk’s EAP-TTLS. All have their own appeal.
The choice may be easier if you already are committed to many of the required components I listed. Just keep in mind that if you choose a proprietary solution, EAP-TLS should be implemented as a fallback solution for maximum compatibility.