Technology

Are You Using 802.1X?

WirelessMan asks "I work for a certain university in the US, and our IT department has just deployed IEEE 802.1x authentication for our wireless network. One of the benefits is that all users' sessions are encrypted using tumbling WEP keys. One of the (major) drawbacks is the 'newness' of 1x. As far as I can tell (Google, etc) there aren't a whole lot of places out there who have taken the plunge. Google it, or check out this brief description. Does the Slashdot community have any experience with 1x?"

"Here's our story: we're using Windows 2003 servers (for IAS) and PEAP/MSCHAPv2. We're not offering support for Windows clients prior to 2000 (even though clients do exist for 98/ME, etc.). Windows 2000 supposedly has built-in support after SP3, but on June 10, Microsoft released a WEP patch that breaks 1x! (At least for our implementation...) Windows XP SP1 works in most cases, but certain onboard-wireless chipsets (Intel) don't work, regardless of OS. I heard that staff struggled with and finally successfully installed a third-party client for RedHat 9, and I'm told there's also a client for Mac OS 10.2.

As far as I can tell, the network guys did their homework--I promise--but this deployment is beginning to look like a disaster! Do you have any wisdom to share about how to pull victory from the clutches of shameful defeat? I realize my question is rather broad and vague ... but I'm really interested to see what discussion comes up. Thanks!"

  • by ErikTheRed ( 162431 ) on Wednesday July 02, 2003 @10:02PM (#6355242) Homepage
    "Looks like the network guys did their homework..."

    Did "homework" include a reasonable test implementation? Anything that affects your infrastructure in such a drastic way should probably be banged on for several weeks with at least a dozen guinea pigs (assuming you don't have a test lab in these days of cost cutting).
  • Purdue's Solution (Score:5, Interesting)

    by mjlizzad ( 686363 ) on Wednesday July 02, 2003 @10:08PM (#6355262)
    Take a look at what Purdue University does. They use a Cisco VPN client that is available on win/mac/linux/sun, and ties in with the student accounts to verify access. If you aren't using the VPN client, you are redirected to download it automagically. http://www.itap.purdue.edu/airlink/ This is the best solution I have seen.
  • by rlthomps-1 ( 545290 ) on Wednesday July 02, 2003 @10:12PM (#6355282) Homepage
    I know a lot of people rag on 1x because it isn't supported by every POS WiFi card out there, but the security enhancement you get is really indispensable, especially when you consider that your average corporate WEP network is no safer than my linksys AP at home.

    A really great client for getting multiple cards to work on 1x networks is the Aegis client from Meetinghouse [mtghouse.com]. Their supplicant will take many standard WiFi cards and allow them to use 1x.

    Our IT dept doesn't support it (most probably won't) but if you're a frustrated user who doesn't want to buy a new card for a 1x network they've got a 15 day demo which should give you enough time to figure out if it works for you.
  • Re:Purdue's Solution (Score:2, Interesting)

    by Anonymous Coward on Wednesday July 02, 2003 @10:13PM (#6355288)
    RPI has been using the same solution for a while now, I think almost a year and it works really well. I have had no problem with it on win2k,XP or Redhat 8. http://www.union.rpi.edu/wireless/
  • No plunge here... (Score:2, Interesting)

    by ChilyWily ( 162187 ) on Wednesday July 02, 2003 @10:28PM (#6355349) Homepage
    Well, I work for a large company. We're just getting 802.11b with Cisco's LEAP authentication fully deployed throughout the country. I doubt they will move forward (unless Cisco tells them to).

    *sigh*
  • Re:Purdue's Solution (Score:5, Interesting)

    by Anonymous Coward on Wednesday July 02, 2003 @10:32PM (#6355370)
    Actually, the VPN solution, while effective, can be a management pain in the butt -- especially if you have users that wander from AP to AP that may or may not service the same subnet. Plus, almost always it's going to be a proprietary solution of some sort, meaning you're locked into a vendor and may face future compatibility issues.

    With 802.1x properly implemented, there's little reason to continue using VPN. I have seen a combination of VPN and .1x, but that is merely because using plain WEP doesn't meet DoD standards for encryption of unclassified data over an open medium.
  • by mplex ( 19482 ) on Wednesday July 02, 2003 @10:49PM (#6355458)
    While there are multiple solutions and types of 1x, they do seem to work together. We support EAP-TTLS, TLS, PEAP, and LEAP on our network just by enabling it on the server side. Mac address filtering would provide way too many headaches for the number of users we have to support. Fortunately, with Cisco hardware, they manage to support more OSes than most. As soon as there is an open source PEAP client, I don't even think it will be an issue anymore. That seems to be the direction things are going considering future Windows support.

    Another feature of 1x is that it provides fairly good encryption through rotating keys. This is much better than 40/128bit encryption. In the end, it comes down to support issues and decent security. We have several linux/BSD users on our network but they all have to use cisco hardware. Other than the cost, it works great, but our network is 150+ APs, so this sort of solution might not work on a small scale.
  • by Erisian Pope ( 636878 ) on Wednesday July 02, 2003 @11:04PM (#6355541) Homepage

    I'm running a public WI-FI access point and I've had several people tell me that I should look into one of these encryption methods. Personally, I don't get it. If you're using WI-FI for your internal network then I understand, smb passwords flying around, people dropping into your NFS system, but for simple, public internet access does it really matter?

    It seems to me that this type of encryption may not even belong at the connection level. Any type of encryption is going to add significant overhead, so shouldn't it be up to the application to make secure connections as needed? For most web browsing, who cares if the signal is intercepted; if you're sending passwords or credit info you should be using https anyway. Likewise IMAP, POP3, FTP and SMTP: use the SSL wrapped alternatives.

    Is there something I'm missing here? Shouldn't it generally be up to the app to determine if the overhead of encryption is required?

  • by galimore ( 461274 ) on Wednesday July 02, 2003 @11:27PM (#6355612)
    Check out the open1x project.

    http://open1x.sourceforge.net [sourceforge.net]

    I'm not only a client, I'm also a developer. ;)
  • by blastedtokyo ( 540215 ) on Thursday July 03, 2003 @12:10AM (#6355809)
    The Microsoft campus uses 802.1x (2500 access points) as well as all subsidiaries (1200 APs). It does PKI over Radius and not EAP. From what I've seen it's fine for PCs but mobile clients take a while to support it (Windows CE NICs are mostly up to speed but a lot of the others aren't).

    There's a good piece [nwfusion.com] in the June NetworkWorldFusion talking about MSFT, Cisco and a few other large installations.

  • by galimore ( 461274 ) on Thursday July 03, 2003 @12:25AM (#6355890)
    Linux users should also check out the open1x project (http://open1x.sourceforge.net), as it has support for most of the major EAP types, and it's free.

    To people supporting 802.1x:

    If certain vendors aren't supporting 802.1x, don't buy their cards.

    If they don't support their card, why should you?

    Make a recommendation to your users that they should stay away from certain cards.

  • by JRHelgeson ( 576325 ) on Thursday July 03, 2003 @01:48AM (#6356227) Homepage Journal
    I have been working in the wireless networking industry for several years. I've worked with 802.11x since its early inception. Everyone thought it was going to be some great panacea. I knew it wouldn't because it was still trying to address the security issue at layer two. Jim Geier, (the individual that wrote the article referenced in the initial /. posting) and I have had discussions at length on this topic.

    802.11x is little more than Cisco's LEAP technology that has been turned into an industry standard.

    Trying to secure a network at layer two is extremely difficult. You're not dealing with enough intelligence and flexibility. Taking it up another layer to layer three (network layer) gives you much greater flexibility.

    You need to look into the wireless gateway technologies [reefedge.com]. It's easiest to think of these as being a firewall and VPN concentrator combined into one box.

    Just as an internet firewall is designed to secure internal corporate networks from external internet communications, the wireless gateway once again segments your network with wired and wireless.

    Encryption takes place at layer 3 using IPSec when required. Using a wireless gateway, you can have a guest user log into your network as a guest, and the gateway will allow them to access the internet, and only the internet -- and you can throttle their bandwidth down to 56kbps or whatever you'd like. However, if I were to login to the network as an internal user, the gateway would build a 3DES IPSec tunnel out to my PC before it would allow me to access ANY internal network resources.

    It allows you the flexibility to give different users various levels of security based upon their login. The best part is that it does not require a client to be loaded on any end user device, and because it operates at layer 3, it is layer 2 agnostic - meaning it doesn't matter what kind of Access Point or radio card you're using.

    I've deployed these solutions in hospitals, universities, even classified government facilities. (WEP is not FIPS certified, 3DES is)

  • by Vakara ( 166457 ) on Thursday July 03, 2003 @03:04AM (#6356494)
    No, but somebody sitting on the street outside the building can't plug into it either.

    The main flaw with VPN based wireless security is that you are only protecting and securing the nodes inside the wired network. It's trivially easy to get an IP address on your wireless network (either no security or "mac" ha! security) and you have to have an IP address before you can make a VPN connection. I hope you have your PC locked down in a very secure manner because you cannot stop people from trying to hack at your publicly exposed IP interface.

    With 802.1x security they cannot even send a packet to you unless they've been authenticated using PKI.
  • by Damork ( 35069 ) on Thursday July 03, 2003 @05:49AM (#6356914) Homepage

    802.1X, TKIP, WPA and so on are all nice methods to control WLAN access, but even they cannot correct a lousy WLAN architecture.

    The problem is that in several, even most places, people are connecting their access points directly to their intranet and then rely only on the WEP key, MAC address lists, 802.1X and the WiFi security standard of your choice. In this kind of architecture when a standard is broken or the access point is compromised or just mis-configured, the attacker is able to gain access instantly to the protected network.

    In our university [www.tut.fi] this was the starting situation. Every department had their own WLAN with own WEP keys and MAC lists, and some didn't even have those, just a completely open network without any kind of access control. Not to mention radio channel allocation or planning. Instead of the seamless, combined radio coverage there were several separate networks often disturbing each other.

    A project was then started to define a common architecture for building wireless network securely and to provide that seamless combined radio coverage instead of all these kind of wild networks. What we decided was that WLAN networks are hostile networks and they should be treated as such. In the new architecture [atm.tut.fi] the organisation wide WLAN network is separated outside protected networks so that even if the access control of the wireless networks is breached, the only access the attacker directly gains is the access to the Internet, not to organisation's protected networks.

    We didn't choose to use WEP key and MAC access control lists because they were useless. We didn't yet integrate 802.1X as an access control, because the terminals aren't yet ready for it. Instead we chose to build our WLAN network by using a captive portal to control the traffic demanding less security and VPNs to protect the traffic demanding more. By providing several means to authenticate we achieved better interoperability and usability of the WLAN network than before.

    With this architecture we are now able to serve several different terminals, utilise old access points not capable of WEP encryption and support the customised solutions the different departments want to use. The architecture supports even Radius-based WLAN roaming [atm.tut.fi] so that people between organisations may use their home user accounts for authentication in the roaming partner's public access network. The same roaming architecture [atm.tut.fi] can then be used even if the WLAN network is in the future migrated to 802.1X.

  • Why not IPsec? (Score:2, Interesting)

    by Anonymous Coward on Thursday July 03, 2003 @10:43AM (#6358395)
    Why not use IPsec instead?

    It's more standardized, it's available on more clients, and if you have a large number of connections through hosts you can use crypto accelerator boards on your routers (running BSD or Linux).

    The main issue would be distributing public-key certificates. This could be automated though: have a web page where the netops staff fill in fields for the user information (including a valid email address), generate the certificate with a Perl script/CGI and enter all the information in a database. The generated certificate is then emailed (in clear-text, I know) to the user with a link to a PDF on how to set up their client.

    For student accounts you could have the certificates expire on a yearly basis so you don't have old ones lying about. I don't know about the expiration of staff/faculty certificates though. You could perhaps generate a certificate-revocation list (CRL) and transfer that to your routers using something like scp/rsync.

    1x is not widely deployed so people are still trying to figure things out. You're basically a beta tester for the rest of us. :>
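The certificate automation the post above sketches (issue a one-year client certificate per user, revoke leavers, publish a CRL for the routers to check), as an added example that is not part of the thread and not the poster's Perl/CGI. It drives a throwaway OpenSSL test CA in a temp directory; the CA name, the users alice and bob, their example.edu addresses and the 365-day lifetime are constructed for the example. The client keys are generated on the CA side only so the script is self-contained; in a real deployment the user generates the key and submits just the CSR, so nothing secret ever needs to be emailed.

```shell
#!/bin/sh
# Added example, not from the thread: a minimal OpenSSL CA that issues one-year
# IPsec client certs, revokes one and publishes the CRL the post wants to push
# to the routers. All names, paths and lifetimes are assumptions.
set -eu

WORK=$(mktemp -d)
CA_DIR="$WORK/ca"
trap 'rm -rf "$WORK"' EXIT

# Create the CA: index database, serial/CRL counters, config, self-signed CA cert
# and an initial (empty) CRL so verification has something to check from the start.
init_ca() {
  mkdir -p "$CA_DIR/newcerts"
  : > "$CA_DIR/index.txt"
  echo 1000 > "$CA_DIR/serial"
  echo 1000 > "$CA_DIR/crlnumber"
  cat > "$CA_DIR/openssl.cnf" <<EOF
[ ca ]
default_ca       = wlan_ca
[ wlan_ca ]
dir              = $CA_DIR
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
certificate      = \$dir/ca.crt
private_key      = \$dir/ca.key
default_md       = sha256
default_crl_days = 7
policy           = policy_wlan
[ policy_wlan ]
commonName       = supplied
emailAddress     = optional
[ req ]
distinguished_name = req_dn
[ req_dn ]
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj "/CN=Example WLAN CA" -config "$CA_DIR/openssl.cnf" \
    -keyout "$CA_DIR/ca.key" -out "$CA_DIR/ca.crt" >/dev/null 2>&1
  openssl ca -batch -config "$CA_DIR/openssl.cnf" -gencrl \
    -out "$CA_DIR/wlan.crl" >/dev/null 2>&1
}

# Issue a client cert for user $1 with e-mail $2, valid $3 days.
# The key is made here only for self-containment; normally the client sends a CSR.
issue_user_cert() {
  user=$1; email=$2; days=$3
  openssl req -new -newkey rsa:2048 -nodes \
    -subj "/CN=$user/emailAddress=$email" -config "$CA_DIR/openssl.cnf" \
    -keyout "$WORK/$user.key" -out "$WORK/$user.csr" >/dev/null 2>&1
  openssl ca -batch -config "$CA_DIR/openssl.cnf" -days "$days" \
    -in "$WORK/$user.csr" -out "$WORK/$user.crt" >/dev/null 2>&1
}

# Revoke user $1 and regenerate the CRL (this is the file copied to the routers).
revoke_user_cert() {
  openssl ca -batch -config "$CA_DIR/openssl.cnf" -revoke "$WORK/$1.crt" >/dev/null 2>&1
  openssl ca -batch -config "$CA_DIR/openssl.cnf" -gencrl \
    -out "$CA_DIR/wlan.crl" >/dev/null 2>&1
}

# Router-side check: succeeds only if the cert chains to the CA and is not on the CRL.
cert_accepted() {
  openssl verify -crl_check -CAfile "$CA_DIR/ca.crt" -CRLfile "$CA_DIR/wlan.crl" \
    "$WORK/$1.crt" >/dev/null 2>&1
}

# Succeeds only if user $1's cert is still valid $2 days from now.
cert_valid_in_days() {
  openssl x509 -in "$WORK/$1.crt" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

init_ca
issue_user_cert alice alice@example.edu 365   # student account: yearly expiry
issue_user_cert bob   bob@example.edu   365
revoke_user_cert bob                           # bob has left; routers learn via CRL
cert_accepted alice && echo "alice: accepted"
cert_accepted bob   || echo "bob: rejected (revoked)"
```

Two things the script makes concrete that the post leaves open: the router only needs the CA certificate and the CRL, never the user database, so the CRL is the one artifact that has to be copied out on every revocation; and the 365-day `-days` value is enforced at issue time, so a yearly re-issue is automatic rather than a clean-up job.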
