Forgot your password?
typodupeerror
Technology

Are You Using 802.1X? 239

Posted by Cliff
from the solving-the-problems-of-802.11 dept.
WirelessMan asks "I work for a certain university in the US, and our IT department has just deployed IEEE 802.1x authentication for our wireless network. One of the benefits is that all users' sessions are encrypted using tumbling WEP keys. One of the (major) drawbacks is the 'newness' of 1x. As far as I can tell (Google, etc) there aren't a whole lot of places out there who have taken the plunge. Google it, or check out this brief description. Does the Slashdot community have any experience with 1x?"

"Here's our story: we're using Windows 2003 servers (for IAS) and PEAP/MSCHAPv2. We're not offering support for Windows clients prior to 2000 (even though clients do exist for 98/ME,etc). Windows 2000 supposedly has builtin support after SP3, but on June 10, Microsoft released a WEP patch that breaks 1x! (At least for our implementation...) Windows XP SP1 works in most cases, but certain onboard-wireless chipsets (Intel) don't work, regardless of OS. I heard that staff struggled with and finally successfully installed a 3rd party client for RedHat 9, and I'm told there's also a client for Mac OS 10.2.

As far as I can tell, the network guys did their homework--I promise--but this deployment is beginning to look like a disaster! Do you have any wisdom to share about how to pull victory from the clutches of shameful defeat? I realize my question is rather broad and vague ... but I'm really interested to see what discussion comes up. Thanks!"

This discussion has been archived. No new comments can be posted.

Are You Using 802.1X?

Comments Filter:
  • Answer (Score:4, Funny)

    by Anonymous Coward on Wednesday July 02, 2003 @09:58PM (#6355219)
    No.
    Next question please.
  • by mrpuffypants (444598) * <`mrpuffypants' `at' `gmail.com'> on Wednesday July 02, 2003 @10:00PM (#6355228)
    Personally I doubt why you would go with a system that makes you scrounge for clients on different OS's just to implement at a university. In the corporate workd you have the luxury of saying "If you want to use out network you will use "n" hardware and nothing else."

    At the university level you have people using about 300 different configurations and OS's. If seems like you are making if just that more difficult for those users that get use out of the network that they pay for through their tuition.
    • by mplex (19482) on Wednesday July 02, 2003 @10:57PM (#6355503)
      You also can't broadcast the universities data to the world. It's definately a balance, but there are solutions that can work without being too restrictive. We use Funk software's Odyssey server at our University, and it supports a wide range of authentication types(TLS, TTLS, LEAP, PEAP). We have managed to get 98% of our users online without any trouble. Cisco hardware works fine on most OS's (Linux, BSD, pocketpc). There is also an open source TLS authentication method, but that involves issueing client certificates.

      Like I said before, there has to be some balance between security and academic freedom, but there must be some sort of security policy in any large wireless network. I think what the industry really needs is a standard rather than 5 or more different solutions with marginal advantages over one another. Then we can work on getting that standard supported everywhere (PEAP I hope). Until then, wireless security will always be hit or miss or none at all.
      • by galimore (461274) on Wednesday July 02, 2003 @11:24PM (#6355601)
        Um... 802.1x *IS* an IEEE standard... people just need to start implementing it correctly... ;)

        Also, not only is there a TLS open source standard... the open1x project (http://www.open1x.org) has a TTLS release, and PEAP in CVS.

        PEAP is a horrid ripoff of TTLS in my opinion.

        P.S. The FUNK guys wrote the TTLS RFC. ;)

        M$ and Cisco wrote the PEAP RFC, but neither of them follow it, or each other.
  • Uhm, YES (Score:1, Informative)

    by Anonymous Coward
    First post

    But yes, we use it, have been for quite some time - about November of last year - works great, and is pretty good - requires RADIUS or Active Directory/IAS.
  • Get SP4 for W2K (Score:5, Informative)

    by mike300zx (523956) on Wednesday July 02, 2003 @10:02PM (#6355239)
    Get SP4 which gets the .1x support back.
    • by Bios_Hakr (68586) <xptical.gmail@com> on Thursday July 03, 2003 @01:07AM (#6356081) Homepage
      Yep, just tell them to connect to the network and download the latest service pack.

      Oh, what's that? Your network card doesn't work? Well, like I said, just get on the LAN and download this pack.

      Yes, I know your NIC is non functional. Like I said, just get online and download this service pack...

      • "If you're crazy, just report it and you'll be taken off flight duty."

        "I'm crazy."

        "... But since you know you're crazy, you really must not be crazy. Get back to duty."

        (I know it's not exacting ;P)
  • by ErikTheRed (162431) on Wednesday July 02, 2003 @10:02PM (#6355242) Homepage
    "Looks like the network guys did their homework..."

    Did "homework" include a reasonable test implementation? Anything that affects your infrastructure in such a drastic way should probably be banged on for several weeks with at least a dozen guinea pigs (assuming you don't have a test lab in these days of cost cutting).
  • Purdue's Solution (Score:5, Interesting)

    by mjlizzad (686363) on Wednesday July 02, 2003 @10:08PM (#6355262)
    Take a look at what Purdue University does. They use a Cisco VPN client that is available on win/mac/linux/sun, and ties in with the student accounts to verify access. If you aren't using the VPN client, you are redirected to download it automagically. http://www.itap.purdue.edu/airlink/ This is the best solution I have seen.
    • Re:Purdue's Solution (Score:2, Interesting)

      by Anonymous Coward
      RPI has been using the same solution for a while now, I think almost a year and it works really well. I have had no problem with it on win2k,XP or Redhat 8. http://www.union.rpi.edu/wireless/
    • Re:Purdue's Solution (Score:5, Interesting)

      by Anonymous Coward on Wednesday July 02, 2003 @10:32PM (#6355370)
      Actually, the VPN solution, while effective, can be a management pain in the butt -- especially if you have users that wander from AP to AP that may or may not service the same subnet. Plus, almost always its going to be a proprietary solution of some sort, meaning you're locked into a vendor and may face future compatibility issues.

      With 802.1x properly implemented, there's little reason to continue using VPN. I have seen a combination of VPN and .1x, but that is merely because using plain WEP doesn't meet DoD standards for encryption of unclassified data over an open medium.
      • Solution: Your wireless has its own subnet(s). There's no better way... VPN is THE way to secure wireless.
        • Solution: Your wireless has its own subnet(s). There's no better way... VPN is THE way to secure wireless.

          Is it? This is an honest question; Ive avoided all 802.* over concerns that WEP is weak encryption, so I dont really know. Please consider the following scenarios:

          1. You implement a WEP strategy
          2. Everyone uses SSH or VPN to reach your network
          3. Your network is secure

          Or:

          1. You implement a WEP strategy
          2. You have a policy requiring everyone to use the network via SSH or VPN
          3. Maybe everybody complies
          • Re:Purdue's Solution (Score:5, Informative)

            by afidel (530433) on Thursday July 03, 2003 @02:16AM (#6356313)
            802.11(a,b,g) can be made secure by 802.1X today and by 802.11i going forward. 802.1X sidesteps the weaknesses of WEP by only using keys for a short duration (typically ten or fewer minutes) and using different keys per user. This keeps the amount of data transmitted using any given key low enough that the weakness of WEP becomes moot because there is insufficient data for the key to be weakened (the origional paper talked about gigs of data which would take many many hours to collect even on a near saturated .11b link). In addition 802.1X implements TKIP which is basically per packet hashing to thwart playback or insertion techniques. Basically 802.1X is Cisco's LEAP opened up and standardized for the whole industry. For the most secure of installations Cisco still recommends using VPN over wireless, but then they also recommend it for wired networks in some situations =)
            • Re:Purdue's Solution (Score:3, Informative)

              by Anonymous Coward
              Yeah, I am anonymous, just too lazy to register on a forum that I rarely have time to read....

              802.1X is NOT derived from LEAP. LEAP is derived from draft 8 of 802.1X (Draft 11 became the standard). And LEAP is also Cisco's proprietary EAP method that runs just fine over standard 802.1X thank you.

              For the long haul, LEAP is weak and attackable. I think AKA will be our on secret based EAP method that is safe to use. A secret within a tunnel (PEAP/MSCHAPv2 for example) is open to man in the middle attack
    • University of Illinois at Urbana uses this too, though you must download both the client and key before you allowed on one of the few offical wireless lans for undergrads. Most buildings that have wlans are MAC restricted to grad students and professors only.
    • Cisco's VPN is also Penn State's solution to the (limited) rollout of campus VPN. It is working fairly well in my building, now they just need to throw more access points up around campus.

      Finkployd
    • The Cisco VPN client isn't available on Linux unless you are using x86-compatible CPUs. All other architectures are left in the dust, as usual, with the naive Linux-x86 users boasting that it supports Linux.
  • I'm in a similar environment, 802.1x, PEAP/MSCHAPv2 (and DHCP)... Now I have to bring along UTP wires for my laptop running Linux... There is this "Aegis" client, but it doesn't seem to be working too well.. Anyone knows any other solutions out there?
  • by puneetb (679679) on Wednesday July 02, 2003 @10:11PM (#6355278) Homepage
    not using even WEP is simply asking for trouble, using basic WEP (pre-shared keys) is a little better, but its still vulnerable and has the hassles of key management (each time you change the keys you need to update all clients). 802.1x is the way to go.

    There is some support on OSes for 802.1x (Windows XP has it built it for some authentication methods, for Windows 2000 you can download it from the Microsoft website, for Linux and BSD use xsupplicant (http://www.open1x.org).

    One important consideration is what 'EAP method' you use for security. 802.1x is a framework for security and you can tie-in different methods within this framework for doing the actual authentication and key generation.

    If you use EAP-TLS then there is can be a problem of configuring certificates on client machines, though its pretty secure once setup. You can use the cisco proprietary LEAP with Cisco AP's and clients or go for a solution based on PEAP or EAP-TTLS.

    LEAP only requires you to have a user-name/password type of setup and can be easily tied to existing authentication infrastructure (Eg: the windows network in your LAB). PEAP and EAP-TTLS need only a username and password if you use MS-CHAPV2 or some such method, though you still need valid server-side certificates.

    Puneet
  • by rlthomps-1 (545290) on Wednesday July 02, 2003 @10:12PM (#6355282) Homepage
    I know a lot of people rag on 1x because it isn't supported by every POS WiFi card out there but the security enhancement you get is really indispensible espeically when you consider that your average corporate WEP network is no safer than my linksys AP at home.

    A really great client for getting multiple cards to work on 1x networks is the Aegis client from Meetinghouse [mtghouse.com] Their supplicant will take many standard WiFi cards and allow them to use 1x.

    Our IT dept doesn't support it (most probably won't) but if you're a frustrated user who doesn't want to buy a new card for a 1x network they've got a 15 day demo which should give you enough time to figure out if it works for you.
    • Linux users should also check out the open1x project. (http://open1x.sourceforge.net) as it has support for most of the major EAP types, and it's free.

      To people supporting 802.1x:

      If certain vendors aren't supporting 802.1x, don't buy their cards.

      If they don't support their card, why should you?

      Make a recommendation to your users that they should stay away from certain cards.

  • 802.1x works (Score:4, Informative)

    by Merlisk (450712) on Wednesday July 02, 2003 @10:12PM (#6355283) Homepage
    I used it on my last contract. 802.1x with WindowsXP SP1 works just fine. We used PEAP and Microsoft's IIS server for RADIUS authentication.

    We wanted PEAP since it doesn't require manual certificates.

    It took a lot of tweaking on the server, a small bit on the AP, but the client settings were just what you'd expect them to be.

    I didn't try it with OS X (even though I used a Powerbook on the job). Take a look at http://www.mtghouse.com/

    Per the message boards I've read, their client should work just fine.
  • I'm recently went from wired to 802.11g. However, it wasn't without a struggle. I did a good deal of research but still got suckered into buying a Broadcom-based card only supported in Windows. As it turns out, Broadcom doesn't support Linux well (Or at all, in this case). To add to the confusion, most of the cards that I checked out that had once boasted Linux compatibility had been 'upgraded' to use a Broadcom chip. Even 802.11b hardware that used the supported Prism2 chipset is damn near impossible to fi
    • My advice: Go with a nice ethernet bridge and don't get burned by bad / non-existent drivers. I ended up with a Linksys WET54G, which just so happened to be reviewed by THG earlier. It works flawlessly after I plugged it into my NIC under Linux. It also leaves my options open for other OSes that don't even have as much support as Linux. So long as your network card works (And interconnects via RJ45), you'll have a reliable wireless connection using the bridge.
      One of the big advantages of going wireless
      • Of course it's nice having fewer wires, especially if you're on a laptop.

        I'm on a desktop, however, and already have half a dozen other wires tangled up. The selling point for me was not having to drill any holes through my cieling to run cable to the router upstairs.
  • i alway thought that 802.1x was a set of protocols - i always thoughs the x was a varaible... i know better now. :(
  • using dlink's new firmware for the 900ap+ which supposedly supports 1x and funk softwares radius server and winxp sp1 i thought i would give it all a try...lets just say its not as easy as i would have expected. and in my experience, if its not easy to impliment then people wont use it. let alone how picky you have to be with OS's,clients,hardware that will actually support it.
  • by cscx (541332)
    Isn't IPSec a possible solution?
    • The standard access point is only a 133 Mhz processor. You could use it further upstream possibly, but as in for integration into the AP, it would cost a lot more per AP. AES is going to be the de facto encrpytion for wireless. Unfortunately it will take more than a firmware upgrade to the ap due to intense CPU usage.
      • Re:IPSec (Score:3, Informative)

        by Zebra_X (13249)
        The IPSec tunnel is established between the two computers communicating. There would be no reason for the AP to do any processing other than what it already does - moving packets.
    • Re:IPSec (Score:3, Insightful)

      by Zebra_X (13249)
      right now IPSec should be the solution. Given what the question asker just posted it's pretty clear that 802.1x is "half baked" as far as a standard goes. IPSec howerver has been out for a while and it's evils are pretty well known. Certainly not easy to setup but as far as ubiquity goes, it's available on almost every platform. In addition - IPSec enhances not only the security of your wireless connections, it also enhances the security of the wired network. With a good certificate distribution infrastruct
    • Re:IPSec (Score:2, Informative)

      by shokk (187512)
      What we've done is placed a small firewall just outside our main firewall on the same ISP subnet. All clients must use the same VPN software they use when traveling to then access the network through the main firewall. Rules in place on the small firewall only allow authenticated traffic hubbed through the main firewall and nothing else. So you don't even get a free ride on Internet access if you break into the network. 802.1x is definitely next and we may or may not keep the IPSec.
  • We just rolled out 802.1x at Baylor University this week. Where are you located? I know they are also rolling out at Memphis.edu and Kstate.edu in the fall. E-mail me if I can be of any help...
  • No plunge here... (Score:2, Interesting)

    by ChilyWily (162187)
    Well, I work for a large company. We're just getting 802.11b with Cisco's LEAP authentication fully deployed throughout the country. I doubt they will move forward (unless Cisco tells them to).

    *sigh*
  • auburn university is using a cisco vpn solution to secure the node-to-access-point communications. the vpn client is available for windows, macos, and linux.
  • by Sikmaz (686372) on Wednesday July 02, 2003 @10:33PM (#6355371)
    Outside of the Access-points we used all pre-existing equipment. We already had a Enterprise Root Cert Authority setup on our Root Win2k DC. We then created a cert for wireless access. We deployed the cert by using policies and used IAS to authenticate the users against a remote access policy that verified users group memberships.

    For Hardware we used Cisco 1100's and Zyair B1000's (Http://www.zyxel.com). The B1000's have a beta firmware to support EAP-TLS and cost less than $100 bucks!

    We only allow Win2k and Windows XP clients to use wireless, setting up the few win98 clients we have is too much of a pain!

    With Windows XP Service Pack1 the user will get a prompt that says there is a wireless network available. Included in that is a check box to use 802.1x authentication and since the default is Certificates all the user does is click connect and they are on!

    If you have clients other than windows clients you can still use the win2k cert server, just have then download the cert via the web manager. IT will be http://certservername/certsrv. Works great.
    • This sounds very similar to what Microsoft was recommending at their Technet events a couple of months ago:

      http://www.connect-ms.com/technet/Resources/TNT1 -6 6_Clean.ppt

      It's supposedly what they use on their corporate network (along with smart cards).

      Our Technet guy plainly stated that the MS-branded wireless APs don't support 1x. So he whipped out a D-Link AP that does.
  • We are a school going through the same question - should we setup 802.1x on everything or should we just put a firewall in place that you have to register you NIC with to do anything?

    For the FW solution, it is possible to falsify a MAC, but not something your average user would do (though VMWare makes it trivial).

    For the 802.1x solution, you have the issues of different cards, drivers, implentations, and then the question of people who wanna run Linux, *BSD, etc... can't just cut them/me off :)
    • While there are multiple solutions and types of 1x, they do seem to work together. We support EAP-TTLS, TLS, PEAP, and LEAP on our network just by enabling it on the server side. Mac address filtering would provide way to many headaches for the number of users we have to support. Fortunately, with Cisco hardware, they manage to support more OS's than most. As soon as there is an open source PEAP client, I don't even think it will be an issue anymore. That's seems to be the direction things are going co
    • While changing MAC address in a Linux system is easy, for Windows 2000 and XP based systems also you can use a tool like SMAC.
      http://www.klcconsulting.net/smac/

      Couple this with ethereal (where you first sniff
      out a valid MAC address) and getting network
      access on a MAC based authentication scheme is trivial.

      Also, 802.1x will provide you encryption and dynamic keys, something a simple firewall based
      solution wont be able to do.

      Puneet
    • registering NIC's is worthless because MAC spoofing is trivial, so definitly go with 802.1X. Do your homework on hardware and you shouldn't have much problems, most businesses don't have the problems of mixed equipment and OS's that a university does.
      • Of course it doesn't help that not all of our hardware supports 802.1x..to much legacy equipment (though it's being replaced as funds allow).

        I suppose that some sort of VPN would be another way - anything that forces the user to authenticate vs trusting that who they were last week (MAC) is the same as this week.

        Something to read up on this weekend.
  • I work at a community college. We are going with the 802.1x w/ MS PEAP for our initial WLAN rollouts. Currently this is for employee (mostly execs) only. Management made the decision to be a MS shop years ago so 802.1x PEAP turned out to be the solution for us right now.

    However, we are still researching WLAN solutions for when the decision is made to provide wireless access for the student VLANs.

    Ideally an enterprise solution would

    * be as transparent as possible to the users
    * NOT involve installing a cli
  • In my experience (taking my iBook to work) the Aegis client for mac is less than perfect. It has some issues in handling the dynamic WEP keys. Xsupplicant seems fairly immature, and I haven't yet been able to get it to compile on my mac.

    My impression is that this is a much needed, but still nubile technology. I wouldn't be surprised to see stronger support flourish in the 'alternate' (non-MSFT) OSes within the next year or so. Microsoft seems to be a bit ahead of the game on this one.

  • No WEP, Yes IPSec. (Score:5, Informative)

    by dietlein (191439) <(dietlein) (at) (gmail.com)> on Wednesday July 02, 2003 @10:37PM (#6355402)
    I don't know about you who use WEP, but please STOP.

    It is BROKEN [berkeley.edu].

    Use IPSec. There are many tutorials for using IPSec in tunnel mode as a replacement for WEP. Google it [google.com]. I wrote the 3rd or 4th one down - it isn't that hard, guys. Please don't use WEP, it really isn't smart.
    • Actually if your rotation schedule is short enough for 802.1X then the listener won't record enough packets for the vulnerabilities to be a problem.
    • by metatruk (315048) on Thursday July 03, 2003 @12:21AM (#6355874)
      IPSec is great and all, but there are a few disadvantages to using it:

      1) It doesn't work on many platforms such as pre OS X 10.2, pre Win2k, or many "stock" Linux installs. (Linux requires a kernel patch, though this will change with kernel 2.6)

      2) It is difficult for users to configure. There's no GUI in OS X to configure it, and setting it up in Windows involves installing some extra stuff from MS to make it work.

      3) Implementation compatbility? I don't know how much of this is still an issue, but I imagine that it comes up...

      4) Ethernet layer security. There's still no security that would prevent people from having access to the ethernet layer. The point of WEP was to prevent people without the key from joining the network. Controlling access to the ethernet layer is important for security because anyone with access (Which would be the case with WEP turned off) can still do nasty things like flood the network with broadcast traffic, send unsolicited arp replies to the router to DoS different machines, etc...

      in short, IPSec requires too much configuration on the client end. Unless you can put together a nifty script for each platform that needs to use the network, it will be too difficult for most users to configure.
      • Ethernet layer security ???

        Really, and you do have ethernet security on your fixed network ?

        • by Vakara (166457)
          No, but somebody sitting on the street outside the building can't plug into it either.

          The main flaw with VPN based wireless security is that you are only protecting and securing the nodes inside the wired network. It's trivially easy to get an IP address on your wireless network (either no security or "mac" ha! security) and you have to have an IP address before you can make a VPN connection. I hope you have your PC locked down in a very secure manner because you cannot stop people from trying to hack at
          • Tt's usually damn easy to get into a building by social engineering ...

            Do you know that, in the IPsec (VPN) specifications and in the solution we are using, there's the possibility of having the gateway to require the client to configure itself as to deny all other incoming connections ?

    • by pedrow (657193)
      Well, with cool tools like airjack, even your nice ipsec encrypted traffic over open non-wepped wireless link is susceptible to getting DOSed. All you have to do is send a broadcast disassociation packet to knock everyone off the AP. 802.1x or other rotating WEP key schemes will make things like airsnort largely useless in that there won't be enough 'interesting' traffic(initialization vectors) to make the WEP key fall out. WEP not smart? perhaps. But it's better than leaving it open. ipsec will protect t
    • Use IPSec. There are many tutorials for using IPSec in tunnel mode as a replacement for WEP. Google it. I wrote the 3rd or 4th one down - it isn't that hard, guys. Please don't use WEP, it really isn't smart.

      Actually, the smart thing to do is to use both.

      "You use WEP?!"

      Well duh, that keeps unautorized users off your network. Yeah it's crackable, but IPSec does nothing for lower-layer security. IPSec was designed for a different purpose than WEP If you want a secure network, use both.
      • "You use WEP?!"

        Well duh, that keeps unautorized users off your network. Yeah it's crackable, but IPSec does nothing for lower-layer security. IPSec was designed for a different purpose than WEP If you want a secure network, use both.


        I've noticed lately that some wireless cards and access points are starting to come out with support for AES encryption. I understand that this basically just substitutes a better encryption algorithm (AES rather than RC4) as the default packet encryption. It should do the
  • This isnt new (Score:2, Informative)

    802.1x authentication is not a new concept. It was developed many years ago for incorporation into the HP ProCurve product line for port based authentication. The good thing about 802.1x is that at least it does provide some encryption from the authenticator to the radius server. So its either this of captive portal, which is implemented into hotspot controllers to provide authentication via redirection of http requests to a website that requests user/password pairs authenticated off a radius server. Pi
  • I'd drop the encryption for a time, restrict access to web browsing...Allow e-mail but only through the universities secure https webmail server (You do have one?) and the same with any important university interfaces both staff and student based (Class registration and purchasing for example). This will allow the installed infrastructure to be used, but allow you to rollout secure technology at some point it the future... It's really all common sense...
  • by Anonymous Coward on Wednesday July 02, 2003 @10:44PM (#6355437)
    At our University we deployed 802.1x and in this
    way we reached the highest possible level of security - nobody, even the authorized personel can not log-in. This means that users have complete
    protection from hackers, viruses and similar.
  • by galimore (461274) on Wednesday July 02, 2003 @11:03PM (#6355532)
    Hi,

    I work at the University of Utah. We're currently rolling out 802.1x.

    My building has already rolled out 802.1x on about 36 access points. We've been running for over a month and a half.

    We've got a lot of people interested in what we're doing. We're using a decentralized model that allows us to let various departments use their user accounts everywhere else on campus (that is using 802.1x).

    Check out our whitepaper for more information:

    http://utahgeeks.sourceforge.net/projects/Wireless Whitepaper.pdf [sourceforge.net]

    The paper covers various issues. Keep in mind that the paper is not quite done yet, but it does have a lot of useful information.

    We're officially supporting Mac OS X, Windows 98, Windows 2k, and Windows XP. We're not officially supporting Linux, but my boss and I are lead developers on the open1x project (http://open1x.sourceforge.net [sourceforge.net]).

    It has Linux and Mac OS X support. We support TTLS, TLS, PEAP (in CVS), MD5, and we're going to be implementing EAP_AKA pretty soon.

    If you're interested in the specifics please check out some of our support pages:

    http://www.laptop.lib.utah.edu/global/support/inde x.html [utah.edu]

    The biggest problem has been support for various cards on Windows. The support link above lists the cards we've tested.

    We're currently only supporting Airport on Mac OS X due to the lack of a public API from Apple. (Please let apple know that you want a public wireless API so we can support more cards... ;)

    We're using a campus site license of the Meetinghouse supplicant for Mac OS X, and Windows. We're using Radiator, a perl based (VERY NICE!) radius server. It's 802.1x implementation rocks.

    More info on Radiator: http://www.open.com.au [open.com.au]

    802.1x is becoming the University of Utah campus standard. All future wireless purchases made with student task force moneys will be required to be 802.1x compatible.

    Please let us know if you have any questions regarding our setup.
    • The whitepaper talks about key rotation. But do you actually have this working on Linux? ie is there a card and driver that actually supports TKIP on Linux (in a WPA-compliant manner)? Is there anything on the horizon?

      A google search failed to find any information on any ongoing TKIP/WPA work for Linux...

      -roy
  • by Erisian Pope (636878) on Wednesday July 02, 2003 @11:04PM (#6355541) Homepage

    I'm running a public WI-FI access point and I've had several people tell me that I should look into one of these encryption methods. Personally, I don't get it. If you're using WI-FI for your internal network then I understand, smb passwords flying around, people dropping into your NFS system, but for simple, public internet access does it really matter?

    It seems to me that this type of encryption may not even belong at the connection level. Any type of encryption is going to add significant overhead so shouldn't be up to the application to use make secure connections as needed? For most web browsing, who cares if the signal is intercepted, if you're sending passwords or credit info you should be using https anyway. Likewise IMAP, POP3, FTP and SMTP, use the SSL wrapped alternatives.

    Is there something I'm missing here? Shouldn't it generally be up to the app to determine if the overhead of encryption is required.

    • by galimore (461274) on Wednesday July 02, 2003 @11:11PM (#6355558)
      You're a little bit confused about how 802.1x ties into everything...

      a) 802.1x was designed for port based access, not wireless. It was adapted for wireless. The keying method is WEP. The encryption tunnel for authentication happens VERY quickly. very little overhead.

      b) 802.1x allows you to know WHO is on your network. Do you really want to have an open wide public network that some terrorist could potentially get on to talk to his buddies anonymously... not me... ;)

      c) Once again... the encryption for the authentication happens very quickly. We're talking miniscule amounts of time. The keying on the card is WEP, but the keys can be per-user, and can rotate at a specified interval. If you're using WEP at all your keys should be rotating no less than every 10 minutes, otherwise it would be very easy to crack.

      d) 802.1x *IS* using SSL for its encryption... besides the fact that that portion only happens for authentication... as I said before WEP is used on the cards.

      802.11i will provide per-packet keying, which is when you should really start to worry about the overhead...
  • by PhoenixK7 (244984) on Wednesday July 02, 2003 @11:27PM (#6355616)
    At NU the IT department has deployed hotspots at a variety of locations. The campus cafe, parts of the student center, certain locations in the dorms, libraries, as well as other locations provide wireless access.

    WEP is not used to secure the network. Instead they're using VPN to provide authentication as well as secure/encrypted connections. Nothing beyond the VPN server and other clients of the AP are accessible without connecting to VPN. As an added benefit VPN allows off-campus users to use the NU mail relays, and other things that are restricted the university subnets.

    Check it out:

    http://www.tss.northwestern.edu/wireless/ [northwestern.edu]

    http://www.tss.northwestern.edu/vpn/ [northwestern.edu]
  • Speaking of 802.1x (no, we don't use it yet), I read reports that MacOS X 10.3 "supports" it, but can anyone confirm that and give some details of the support?

    Thanks.
  • for my blender... it's contents are the only thing I'm willing to broadcast over the airwaves.
  • Plenty of experience (Score:2, Informative)

    by flikx (191915)

    I have had plenty of experience with 802.1x installed at a major american university (which may be the same university the article submitter works at).

    Thanks to the 802.1x deployment, I have zero wireless networking capability under FreeBSD. Ah, that takes me back to my freshmen year of 1996.

  • I have a BSD box on my network, and I could do IPSec tunneling if I wasn't so lazy.

    But what's the best option for people who don't want to run a windows server, or a unix box, or any flavor of radius? Are there any consumer priced access points that support reasonably secure wireless networking, without an expensive server on the back end?

    Most of what I'm seeing here says that you either have to run a unix-like OS, w2k, or xp (ie., not win 9x) on the client, that you need the professional version of xp,
  • by blastedtokyo (540215) on Thursday July 03, 2003 @12:10AM (#6355809)
    The Microsoft campus uses 802.1x (2500 access points) as well as all subsidiaries (1200 APs). It does PKI over Radius and not EAP. From what I've seen it's fine for PCs but mobile clients take a while to support it (Windows CE NICs are mostly up to speed but a lot of the others aren't).

    There's a good piece [nwfusion.com] in the June NetworkWorldFusion talking about MSFT, Cisco and few other large installations.

  • by theendlessnow (516149) on Thursday July 03, 2003 @12:19AM (#6355865)
    ... another deployment of WPA!!

    Protect the upper layers not below 3

    Hack layer two... yippee! yippee!


    Since WEP 40/128 provide NO security at the high layer... people feel they're getting something
    with WPA (most won't run the required auth/radius server though.. so it's even worse).


    Layer 2 is still open. You'll have to wait until next year when the 11i crew comes out with something.


    As for a resource, use Dr. Arbaugh's new book on the subject.
    http://www.amasin.com/-/0321136209/Real- 802-11-Sec urity/

    ...well.. it's not out yet apparently... anyway, google for Arbaugh.

  • by JRHelgeson (576325) on Thursday July 03, 2003 @01:48AM (#6356227) Homepage Journal
    I have been working in the wireless networking industry for several years. I've worked with 802.11x since its early inception. Everyone thought it was going to be some great panacea. I knew it wouldn't because it was still trying to address the security issue at layer two. Jim Geier, (the individual that wrote the article referenced in the initial /. posting) and I have had discussions at length on this topic.

    802.11x is little more than Cisco's LEAP technology that has been turned into an industry standard.

    Trying to secure a network at layer two is extremely dificult. You're not dealing with enough intelligence and flexibility. Taking it up another layer to layer three (network layer) gives you much greater flexability.

    You need to look into the wireless gateway technologies [reefedge.com]. Its easiest to think of these as being a firewall and VPN concentrator combined into one box.

    Just as an internet firewall is designed to secure internal corporate networks from external internet communications, the wireless gateway once again segments your network with wired and wireless.

    Encryption takes place at layer 3 using IPSec when required. Using a wireless gateway, you can have a guest user log into your network as a guest, and the gateway will allow them to access the internet, and only the internet -- and you can throttle their bandwidth down to 56kbps or whatever you'd like. However, if I were to login to the network as an internal user, the gateway would build a 3DES IPSec tunnel out to my PC before it would allow me to access ANY internal network resources.

    It allows you the flexibility to give different users various levels of security based upon their login. The best part is that it does not require a client to be loaded on any end user device, and because it operates at layer 3, it is layer 2 agnostic - meaning it doesn't matter what kind of Access Point or radio card you're using.

    I've deployed these solutions in hospitals, universities, even classified government facilities. (WEP is not FIPS certified, 3DES is)

  • No, but thanks for asking anyways...

  • 802.1X, TKIP, WPA and so on are all nice methods to control WLAN access, but even they cannot correct a louzy WLAN architecture.

    The problem is that in several, even most places, people are connecting their access points directly to their intranet and then rely only on the WEP key, MAC address lists, 802.1X and the WiFi security standard of your choice. In this kind of architecture when a standard is broken or the access point is compromised or just mis-configured, the attacker is able to gain access ins

  • Forget 802.1x. It was cracked over a year ago. Here's an article [shmoo.com] reporting on the vulnerability. WEP (any bit length) is even worse; cracks have been out for it for ages.

    Your best bet is to deploy IPSec. Yes, as an earlier poster points out, there are some vulnerabilities that IPSec doesn't address, but if you build your network properly (keep all APs on a spur in the DMZ; make sure the spur router(s) refuse all hostile Ethernet frames), you can mitigate or eliminate those problems.

    Schwab

  • by Espen (96293)
    We went with seperate networks and an authenticated gateway instead and have no regrets. Someone has mentioned reefedge, but there is a free software solution in nocat.net which we are quite happy with. The difference? No clients to install on the user end, no configuration required either. All our hardware remains useful too. Disadvantage? Users are not protected against themselves (have to be trained in using secure protocols). Network can only be used casually (ie. none of our staff are allowed to use it
  • by ronsko (686489) on Thursday July 03, 2003 @10:24AM (#6358210)
    We started acquiring the elements of our 1x deployment over a year ago, and things have really come a long way. We have been testing since February and have been live for about 2 months. We are using 1x on both wired and wireless connections.

    We are running Funk Software's Steel Belted RADIUS (SBR) on Solaris for 1x authentication requests using TTLS. SBR verifies user credentials on the back end against our OpenLDAP server. We also return the group membership of the validated user with each login so the RAS can implement individual firewalls (at the user's point of access!) based on each users' credentials (aka User Personalized Networking). This is essential for supporting large numbers of open-access ports (i.e. dorms, Library, Student Center, labs...)

    We use Enterasys equipment exclusively, including their R2 access points for wireless. We use their Netsight Atlas Policy Manager software to enforce UPN policies.

    We have an academic site license for the Meeting House Aegis 1x client. This has worked brilliantly with 2000/XP and MacOS. Linux support has been shaky (it's beta) but we have had success with Open1x in that application. The problem with the Mac is that it doesn't come preconfigured with any certificate authorities under OpenSSL, so we have had to add one manually to each station.

    The only problems we have had is a small bug in SBR that caused it to periodically lose contact with LDAP (fixed in SBR 4.0.4) and some quirky early versions of the Aegis clients (fixed). Meeting House has also just released (beta) an enterprise-deployment option that allows us to distribute a preconfigured client. Funk's client is worth looking at also, but it is very pricey.

    My sugestions: plan well, test a LOT, and stay the HECK away from any of the MS garbage -- your life will be MUCH simpler!

  • Why not IPsec? (Score:2, Interesting)

    by Anonymous Coward
    Why not use IPsec instead?

    It's more standardized, it's available on more clients, and if you have a large number of connections through hosts you can use crypto accelerator boards on your routers (running BSD or Linux).

    The main issue would be distributing public-key certificates. This could be automated though: have a web page where the netops staff fill in fields for the user infromation (including a valid email address), generate the certificate witha Perl script/CGI and enter all the information in a d
  • And if you feel you are having trouble, you should see how *my* homework looked like when I went after 802.1x for ethernet.

    (and, for those who are curious, there are many, many applications -- if you can't think of any, you don't have meeting rooms with network points in your workplace... :)
  • About six months ago I tried top get 802.1x to work with FreeRadius [freeradius.org] and Xsupplicant [sourceforge.net] using and Orinoco Ap500 and and Orinico Gold PCMCIA card under Linux. I couldn't get it to work, though I think it was due to misconfiguation of the Ap500. No attempt to contact the RADIUS server was ever made.

    I gave up and went with IPsec, which worked for my needs.

C makes it easy for you to shoot yourself in the foot. C++ makes that harder, but when you do, it blows away your whole leg. -- Bjarne Stroustrup

Working...