Using the 802.1X protocol to secure wired and wireless networks is supposed to be easy. So we grabbed some hardware and servers from our test lab to see how hard it would be in the real world. The challenge: Could we set up 802.1X authentication in one hour or less?
Plan before you start
Before diving into any 802.1X project, start by answering the question, "Where is my user-authentication database stored?" You can't design any aspect of 802.1X until you've figured out how you're going to authenticate users. If you're going to use Secure Computing's SafeWord or RSA's SecurID or any other one-time password system, you'll need to find a RADIUS server that can talk to that authentication database. In our case, we decided to use our Windows 2000 server's built-in user database.
Once you know where your user data is stored, you can pick an authentication method. 802.1X is a framework that allows many different ways to actually handle the authentication. If you use usernames and passwords, Protected Extensible Authentication Protocol (PEAP) and Tunneled Transport Layer Security (TTLS) are the two methods to care about. While similar, there's one huge difference: TTLS can work with passwords stored as one-way hashes, while PEAP cannot. So, for example, if your usernames and passwords are locked up in a Unix-style database, you have to use TTLS. With Windows, passwords are not so tightly secured, and challenge-response authentication methods can be used, which means either PEAP or TTLS would work (check our glossary for the meanings of the major WLAN security terms).
Although TTLS is more flexible, PEAP has one significant benefit: It's built into Windows XP (and is available as a Microsoft update to Win 2000). Because we wanted to get up and running as quickly as possible, we decided to use PEAP as the authentication method, with MS-CHAPv2 (Microsoft Challenge Handshake Authentication Protocol version 2) inside the tunnel to carry the actual usernames and passwords.
With those two decisions made, life suddenly gets a lot easier. The next step is to find a RADIUS server that will talk to your 802.1X devices on one side and to your authentication database on the other. Although Microsoft includes a free one with Win 2000 server, called Internet Authentication Service (IAS), it only runs in a Windows domain environment.
Our server was stand-alone and converting it to be compatible with Microsoft's IAS wasn't going to happen in one hour. For that reason, we elected to use Funk Software's Odyssey RADIUS server. Although Funk is known for industrial strength RADIUS software, Odyssey is a simpler product that does exactly what we needed and not more. Plus, with a free trial download at www.funk.com, it fit very nicely into our time requirement.
- Stopwatch: 8 minutes, including reboot
Calculate the RADIUS
With wireless authentication, it's critical that both ends of the connection authenticate themselves. It's not a very good idea to give your username and password to just any access point that happens to be around.
With PEAP and TTLS EAP authentication methods, the RADIUS server identifies itself using a digital certificate. Normally, getting a digital certificate is a long process, but we had a secret: RegisterFly. This little-known registrar sells certificates at a great price (US$16 per year), but most importantly, it will issue them immediately. You have to prove that you own the domain name in the certificate, but total elapsed time between hitting their Web site and getting a certificate for our server was just under 10 minutes.
If you don't care about having a trusted root sign your certificates, you can use CAcert, which is just as fast and free, although CAcert's root certificate isn't built into Windows, so clients won't trust the server certificate until you've installed that root on each of them. Because we wanted to go quickly and not worry about how we were going to get the CAcert root certificate to our clients, we opted to spend the $16.
One touchy part of getting the certificate for a RADIUS server to work with 802.1X is having all of the right attributes in the certificate. We used OpenSSL to generate the certificate request and get everything right. If you have to install OpenSSL just to request the certificate, that'll add to your time, but if you've got any Mac or Linux systems around, they'll have OpenSSL pre-installed and ready to go. Another option, if you have Microsoft's Internet Information Services (IIS) Web server running, is to use the built-in wizard in the IIS management tool. A certificate that will work for IIS also should work fine for a RADIUS server because Microsoft stuffs the necessary Extended Key Usage attributes into its certificate request.
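As an added example (not the article's own commands), here is the OpenSSL request configuration we'd use for the step above: it asks for the Server Authentication Extended Key Usage (OID 1.3.6.1.5.5.7.3.1) that Windows PEAP supplicants require and puts the server's name in both the CN and a DNS subjectAltName, plus a check that confirms the attribute is present in the request before you send it to the registrar. The hostname radius.example.com and the organization name are constructed placeholders.

```shell
#!/bin/sh
# Added example: generate an RSA key and a certificate request for a RADIUS
# server with the attributes Windows PEAP clients expect. Requires openssl.
set -e

# make_radius_csr FQDN [OUTDIR]
# Writes OUTDIR/radius.key, OUTDIR/radius.csr and the config used to build them.
make_radius_csr() {
  host="$1"          # FQDN the clients will be told to expect (constructed)
  out="${2:-.}"      # assumption: a writable output directory
  cat > "$out/radius-csr.cnf" <<EOF
[ req ]
distinguished_name = dn
req_extensions     = v3_req
prompt             = no

[ dn ]
CN = $host
O  = Example Org

[ v3_req ]
# Windows supplicants reject a RADIUS server certificate without this EKU.
extendedKeyUsage = serverAuth
keyUsage         = digitalSignature, keyEncipherment
subjectAltName   = DNS:$host
EOF
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$out/radius.key" -out "$out/radius.csr" \
    -config "$out/radius-csr.cnf" 2>/dev/null
}

# csr_has_server_auth FILE: succeeds only if the request carries the
# "TLS Web Server Authentication" (serverAuth) EKU.
csr_has_server_auth() {
  openssl req -in "$1" -noout -text | grep -q "TLS Web Server Authentication"
}

# cert_has_server_auth FILE: same check against the certificate you get back.
cert_has_server_auth() {
  openssl x509 -in "$1" -noout -text | grep -q "TLS Web Server Authentication"
}
```

Run `make_radius_csr radius.example.com /tmp/radius` and submit the resulting radius.csr; run `cert_has_server_auth` on the issued certificate before loading it into the RADIUS server.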
- Stopwatch: 23 minutes
With certificate in hand, you have to configure your RADIUS server. Not every server makes this as easy as Odyssey, but the information you have to put in is fairly simple: the IP addresses of the access points, which authentication methods are allowed and what security policy to enforce. In the case of Odyssey, we turned on PEAP authentication with MS-CHAPv2, and that was about it.
- Stopwatch: 28 minutes
Tomorrow: The server is ready - now let's configure the access point and clients!