802.1x at Microsoft and Elsewhere

I received two interesting reader responses to my April 2003 Windows & .NET Magazine Mobile & Wireless column, "802.11b Boot Camp." To read the column, go to http://www.winnetmag.com/articles/index.cfm?articleid=38267.

First, reader Matt Johns wrote to ask why I hadn't discussed 802.1x (not to be confused with 802.11x), which is the IEEE's port-based network access control draft standard, defined at http://www.ieee802.org/1/pages/802.1x.html. I wasn't particularly familiar with 802.1x, which involves authentication against a back-end server, typically using the Remote Authentication Dial-In User Service (RADIUS) protocol. In contrast, the 802.11x terminology has seen widespread use to describe any of the assorted variations of the 802.11 protocol (e.g., 802.11a, 802.11b, 802.11i, 802.11g).

Johns wrote, "I think the usage of 802.11x is just going to confuse people more and prevent them from making good use of 802.1x. Having just deployed an 802.1x solution, I'd say it's one of the more difficult things to learn about and install. However, it can be significantly more secure ... I'm amazed by the number of Wi-Fi deployments that simply aren't secure against anyone with a desire to compromise them." Johns's message got my attention, and I decided to research 802.1x at my first opportunity.

The second reader response was even more compelling. In the original column, I wrote, "All 802.11b wireless APs in Redmond reside outside Microsoft's corporate firewall and are considered insecure. The company uses a VPN to let users access resources inside the firewall." Microsoft Group Program Manager Jerry Cochran responded, "Your statements in the April 2003 Windows & .NET Magazine article about how Microsoft uses 802.11b at its Redmond campus are incorrect. In addition to 128-bit Wired Equivalent Privacy (WEP), Microsoft combines public key infrastructure (PKI)-based 802.1x certificates (user and device) with wireless devices to secure its wireless LANs (WLANs). The Access Points (APs) are inside the firewall, and users don't use VPNs, which are unnecessary and would be costly to manage."

In my defense, the information in my April column came from another Microsoft employee--but the information was more than a year old, and the source worked in Microsoft's Mobile Devices Division. Considering that 802.1x isn't yet supported by Windows CE on Pocket PCs and other mobile devices, my information about 802.11 support was correct at the time--at least for the Mobile Devices Division.

Now, however, Cochran tells me that 802.1x support is available on mobile devices, through the wireless network card driver--provided the card vendor has added the necessary support code. Vendors that provide 802.1x support for Windows CE drivers include Agere Systems, Cisco Systems, Hewlett-Packard (HP), Socket Communications, and Toshiba.

In a follow-up conversation, Cochran told me that Microsoft went to great lengths to create a secure WLAN for Microsoft employees before the introduction of 802.1x. He said, "When Microsoft first got wireless, we used 104-bit keys that were hard-coded on the card and on the AP. That was fairly secure, but all anyone had to do was get one of those cards, and they could get in. With 802.1x, that's not possible--you have to have both an authentic device and an authentic user certificate to get in."

Clearly, enterprise wireless administrators need to understand the 802.1x standard. In contrast to WEP, which requires separate programming of authentication keys at each AP--and which is vulnerable to a brute-force attack, in which a malicious user tries all possible keys until one authenticates--802.1x provides pass-through authentication against a central authority. You can directly integrate 802.1x with Active Directory (AD), and 802.1x is much less vulnerable to hacking than WEP. You can even combine 802.1x with VPN access for extremely strong security.
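To make Cochran's "authentic device and authentic user" point and the pass-through model concrete, here is an added illustration (not code from the article, from Microsoft's deployment, or from any 802.1x product) that simulates one controlled port on an AP relaying the exchange to a central RADIUS-style server, which grants access only when both a device certificate and a user certificate verify. The certificate fields, CA names, serial numbers and revocation list are constructed assumptions for the demonstration.

```python
from dataclasses import dataclass
from datetime import date

# Constructed toy PKI: the central server trusts exactly these issuers.
TRUSTED_CAS = {"Corp Device CA", "Corp User CA"}
REVOKED_SERIALS = {"DEV-0002"}   # constructed revocation list (a reported-stolen laptop)
TODAY = date(2003, 4, 15)        # fixed "now" so the example is reproducible

@dataclass
class Cert:
    subject: str
    issuer: str
    serial: str
    not_after: date

def cert_is_valid(cert, expected_issuer):
    """Checks the central authority performs: right trusted issuer, unexpired, not revoked."""
    return (cert is not None and cert.issuer == expected_issuer
            and cert.issuer in TRUSTED_CAS and cert.not_after >= TODAY
            and cert.serial not in REVOKED_SERIALS)

def radius_server(device_cert, user_cert):
    """Central authority: Access-Accept only when BOTH certificates check out."""
    if cert_is_valid(device_cert, "Corp Device CA") and cert_is_valid(user_cert, "Corp User CA"):
        return "Access-Accept"
    return "Access-Reject"

class AuthenticatorPort:
    """One 802.1x controlled port on an AP. The AP never judges credentials itself;
    it relays the authentication exchange and opens the port only on Access-Accept."""
    def __init__(self):
        self.authorized = False
    def receive(self, frame):
        if frame["type"] == "EAPOL":   # authentication traffic is always relayed to the server
            reply = radius_server(frame.get("device_cert"), frame.get("user_cert"))
            self.authorized = (reply == "Access-Accept")
            return reply
        return "FORWARDED" if self.authorized else "DROPPED"   # data flows only after authorization

def scenario(device_cert, user_cert):
    """Returns (server reply, fate of a data frame sent right after the exchange)."""
    port = AuthenticatorPort()
    reply = port.receive({"type": "EAPOL", "device_cert": device_cert, "user_cert": user_cert})
    return reply, port.receive({"type": "DATA", "payload": b"GET /intranet"})

GOOD_DEVICE = Cert("laptop-017", "Corp Device CA", "DEV-0017", date(2004, 1, 1))
GOOD_USER = Cert("mjohns", "Corp User CA", "USR-0042", date(2004, 1, 1))
STOLEN_DEVICE = Cert("laptop-002", "Corp Device CA", "DEV-0002", date(2004, 1, 1))  # serial revoked
OUTSIDER = Cert("guest", "Free Public CA", "X-1", date(2004, 1, 1))                 # untrusted issuer
```

Running scenario() with a good device but no user certificate, or a good user on a revoked device, yields Access-Reject and the data frame is dropped, which is the property a shared WEP key on a card cannot give you.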

Microsoft includes 802.1x wireless authentication support in Windows 2000 Server and includes an 802.1x client in Windows XP. (For information about these features, see the first two links at the end of this paragraph.) If you're using earlier versions of Windows on either the server or client, check out Funk Software's Odyssey, which provides 802.1x support on nearly any Windows-based system. The company is beta-testing a Pocket PC client. (For more information about Odyssey, see the third link.)

http://www.microsoft.com/windowsxp/pro/techinfo/deployment/wireless/default.asp

http://www.microsoft.com/windowsxp/pro/techinfo/administration/wirelesssecurity

http://www.funk.com/radius/default.asp

What about small office/home office (SOHO) users like me? Cochran said, "802.1x is probably a bit expensive for SOHO use, but I would imagine that as the technology becomes more common, you'll see it in lower-cost equipment. It would be an interesting market for Linksys or Netgear to go after."

I'll be watching for such developments with intense interest. In the meantime, I'd like to hear from readers who are using 802.1x. As usual, you can reach me by email at [email protected]. Finally, I want to thank Johns and Cochran for bringing me up to speed on this topic!
