Insecurity has been the dirty little secret holding back wireless technology in large enterprise networks.
The 3-year-old Wired Equivalent Privacy (WEP) protocol has been discredited so thoroughly that its authentication and encryption capabilities are not considered sufficient for use in enterprise networks. In response to the WEP fiasco, many wireless LAN vendors have latched onto the IEEE 802.1x standard to help authenticate and secure both wireless and wired LANs. The wild card with the 802.1x protocol is interoperability.
In our testing, which accounts for the first public 802.1x interoperability event, we evaluated how well the various pieces of a wireless network work together according to this security specification. All told, we tested five 802.1x supplicants (client-side software) from Cisco Systems Inc., Funk Software Inc., Hewlett-Packard Co., Meetinghouse Data Communications Inc. and Microsoft Corp.; six 802.11b wireless access points from 3Com Corp., Cisco, Enterasys Networks Inc., Karlnet Inc., Symbol Technologies Inc. and Wind River Systems Inc.; two 802.1x wired switches from Cisco and HP acting as authenticators; and five Remote Authentication Dial-in User Service (RADIUS)-based authentication servers handling the 802.1x queries from Funk, HP, Interlink Electronics Inc., Microsoft and Secure Computing Corp.
Overall, we found that while 802.1x design and configuration is complicated on the front end, once the network is up and running, interoperability between supplicants and authentication servers is pretty good. The major limitations come in the area of authentication methods supported and in platform support for different operating systems and authentication databases.
This iLabs testing is not intended to be a comprehensive interoperability test encompassing all the 802.1x wireless products on the market. But with the amount of testing we did complete, you can glean quite a bit of wireless network deployment advice.
Cooking Up an 802.1x Net
Any 802.1x deployment requires five components. Supplicant software runs on the device needing authentication. An 802.1x-compatible network adapter also is required on the client. That sounds simple, but while most supplicants work with most network adapters, it's not a given by any means.
The supplicant needs to talk to an authenticator, such as a wireless access point or an 802.1x-enabled LAN switch.
The authentication is handled by an authentication server, normally a RADIUS server that has been extended to support the Extensible Authentication Protocol (EAP). Technically, it doesn't have to be a RADIUS server, and on the low end it can even be built into the wireless access point. But any enterprise-sized wireless deployment is going to have a RADIUS server as part of the picture because it centralizes authentication and it scales well.
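To make the division of labor concrete, here is an added example (not from the article or any tested product) of the three roles exchanging one message: the supplicant emits an EAP-Response/Identity in an EAPOL frame, the authenticator relays it inside a RADIUS Access-Request, and the server verifies the relay before reading the EAP packet. Function names, the shared secret and the identity are constructed for illustration; attribute numbers and the HMAC-MD5 Message-Authenticator follow the RADIUS EAP extensions (RFC 3579).

```python
import hashlib, hmac, os, struct

USER_NAME, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 79, 80  # RADIUS attribute types
ACCESS_REQUEST, EAP_RESPONSE, EAP_IDENTITY = 1, 2, 1
SECRET = b"constructed-lab-secret"  # constructed sample value shared by authenticator and server

def eapol_identity_response(ident: int, user: bytes) -> bytes:
    """Supplicant side: EAP-Response/Identity carried as an EAPOL EAP-Packet body."""
    eap = struct.pack("!BBHB", EAP_RESPONSE, ident, 5 + len(user), EAP_IDENTITY) + user
    return struct.pack("!BBH", 1, 0, len(eap)) + eap  # EAPOL version 1, type 0 = EAP-Packet

def attr(t: int, v: bytes) -> bytes:
    return bytes([t, len(v) + 2]) + v

def relay_to_radius(eapol: bytes, secret: bytes, radius_id: int) -> bytes:
    """Authenticator side: strip EAPOL and carry the EAP packet in an Access-Request."""
    _ver, ptype, blen = struct.unpack("!BBH", eapol[:4])
    eap = eapol[4:4 + blen]
    if ptype != 0 or len(eap) != blen or len(eap) < 5:
        raise ValueError("not a complete EAPOL EAP-Packet")
    code, _id, elen, etype = struct.unpack("!BBHB", eap[:5])
    if code != EAP_RESPONSE or etype != EAP_IDENTITY or elen != len(eap) or elen < 6:
        raise ValueError("expected a non-empty EAP-Response/Identity")
    attrs = attr(USER_NAME, eap[5:][:253])
    for i in range(0, len(eap), 253):  # one attribute value holds at most 253 bytes
        attrs += attr(EAP_MESSAGE, eap[i:i + 253])
    attrs += attr(MESSAGE_AUTHENTICATOR, bytes(16))  # zeroed while the HMAC is computed
    head = struct.pack("!BBH", ACCESS_REQUEST, radius_id, 20 + len(attrs)) + os.urandom(16)
    mac = hmac.new(secret, head + attrs, hashlib.md5).digest()
    return head + attrs[:-16] + mac

def server_accepts(packet: bytes, secret: bytes):
    """Server side: return the reassembled EAP packet, or None if the relay is not authentic."""
    if len(packet) < 20 or int.from_bytes(packet[2:4], "big") != len(packet):
        return None
    eap, mac, zeroed, pos = b"", None, bytearray(packet), 20
    while pos + 2 <= len(packet):
        t, l = packet[pos], packet[pos + 1]
        if l < 2 or pos + l > len(packet):
            return None
        if t == EAP_MESSAGE:
            eap += packet[pos + 2:pos + l]
        elif t == MESSAGE_AUTHENTICATOR and l == 18:
            mac = packet[pos + 2:pos + l]
            zeroed[pos + 2:pos + l] = bytes(16)
        pos += l
    good = hmac.new(secret, bytes(zeroed), hashlib.md5).digest()
    return eap if mac is not None and hmac.compare_digest(mac, good) else None
```

The server drops any Access-Request whose Message-Authenticator is missing or wrong, which is why a mismatched shared secret between access point and RADIUS server shows up as silent authentication failures.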