Andrew Lockhart, Network Chemistry
QWhat are some easy solutions for implementing 802.1X based authentication on a SOHO wireless network?

For those involved in deploying wireless networks in enterprise settings, using 802.1X for authentication is most likely old hat. However, smaller operations that have not made a significant investment in wireless infrastructure or taken the time to investigate the matter may not realise that they already possess all the needed tools to migrate to a WPA-Enterprise deployment.

An 802.1X wireless network consists of three components, the RADIUS server, network access servers (your APs), and any client devices. Many consumer grade APs now support 802.1X and are easily configurable - just tell it which RADIUS server to connect to and the shared secret used to protect traffic between it and your AP. Additionally most operating systems in common use (Windows XP, Mac OS X, and Linux) easily support 802.1X for wireless authentication. So far these requirements should be easily satisfied.

Options for low-cost RADIUS

The biggest piece of the puzzle is the RADIUS server. Here there are several options for fulfilling this role. For instance if you're using a Windows domain you can deploy Certificate Services and Internet Authentication Service, which is Microsoft's RADIUS server. However, if you're not using a Windows domain, the choices are less clear. If you have extra hardware lying around or a system to run VMware on, you can setup a Linux system and use FreeRADIUS, an excellent OpenSource RADIUS server.

For most SOHO setups all of this may be more trouble than it's worth since the time spent in deploying the solution may not be worth the benefits of a more granular authentication system. With only a few users and client devices it may be simpler to use WPA-PSK (or WPA2-PSK), with a strong key, and change it whenever access for a particular user needs to be revoked.

If you're determined to go down the 802.1X path there are still some other options that require minimal to no investment in additional hardware. For instance if you have an AP that is compatible you can re-flash its firmware with OpenWRT, a Linux distribution that supports many common APs. This will allow you to install FreeRADIUS on the AP itself, removing the need for a separate system. Still this can be a daunting task.

This leads to another intriguing option, the Wifiradis service. Basically Wifiradis is a free outsourced RADIUS service that is managed through a web-based interface. However for the security conscious this isn't a good solution since the shared secret that protects traffic sent by the server for each session is publicly known. Therefore it would be trivial for anyone who intercepts the traffic between your AP and Wifiradis' server to decrypt the traffic on your wireless network.

By now it should be evident that setting up a 802.1X authenticated wireless network isn't for the faint of heart. If you're not prepared for some serious work it may not be worth the effort, so if you have a small number of users it may be best to stick with the pre-shared key varieties of WPA.

Andrew Lockhart is lead security analyst at Network Chemistry, author of O'Reilly Media's Network Security Hacks, and author of Snort-Wireless, an open source project adding wireless intrusion detection to Snort. He is also an editorial board member of the /WVE. This article appeared in Network World..