Review: 802.1X Authentication Servers

In many cases, wireless networks were installed despite the objections of information security pros. But now that WLANs are reality, you must secure them through strong encryption lest any ne'er-do-well with a powerful antenna snoop traffic passing through the air. If you have only basic encryption enabled, the right software--free and easily available--can crack wireless security keys.

One solution is to tunnel wireless users' data over enterprise VPNs, using an AP outside the Internet firewall locked down to all traffic except that which passes through a VPN port. A good method, but not ideal because of the cost and complexity of running VPN servers. Better is port-based authentication, known as 802.1X for its IEEE-standard name assignment. With 802.1X, you must have a set of credentials to gain access to a Wi-Fi or wired network. The credentials can be a user name and password, a smart card or a digital certificate signed by a certificate authority. The 802.1X process gives each Wi-Fi user a unique encryption key that can be changed during a session. This eliminates the danger of a shared key and the cracking of weak keys created manually.

But 802.1X can be expensive to implement, as much as several hundred dollars per seat when you count one-time fees, integration and technical-support subscriptions. Early on, the only option for businesses that couldn't justify this cost was a static, shared encryption key; changing this key entailed disabling all network access while new keys were typed and entered on each networked workstation. Obviously, these keys were seldom changed, and that meant potential exposure.

Throughout 2005, network product vendors introduced services and products designed to make 802.1X painless and affordable, usually by stripping down the process of creating and managing users, configuring APs and handling access to a few steps that even those without extensive network management skills could carry out.Now 802.1X for WLANs is a no-brainer: Each user can have a unique identity, keys remain strong and require no management, and if an employee leaves, you don't have to change all keys to the network. Adding APs to extend a network is simpler, because each new Wi-Fi node can point to the same authentication system. And because 802.1X offers greater security, greater flexibility and reduced complexity, businesses of all sizes should consider immediate adoption.

We decided to determine which options are available for companies that want tight WLAN security without breaking the bank. We issued invitations to vendors asking for products offering WPA Enterprise authentication that interoperates with the built-in Windows XP Service Pack 2 supplicant (using PEAP) or with a proprietary client that works under Windows XP Service Pack 2. The product or service must include a license for at least 25 users, cost no more than $1,000 and be easy to manage. We accepted Internet-based outsourced services or software servers that could be installed on an XP, 2000 or Server 2003 system, to keep costs low. Fees could be one-time or recurring yearly.

BoxedWireless, Corriente Networks, Open System Consultants and WiTopia agreed to participate and provided software or accounts for testing as well as technical support as needed. Products from Funk Software and Meetinghouse didn't make our sub-$1,000 cut. We expected this but sent invitations anyway. McAfee declined to participate, saying it hasn't yet focused its efforts on the small business market following its 2005 acquisition of Wireless Security Corp., makers of WSC Guard.

InterLink offered a competitive outsourced product for approximately two years but ceased operations just before our invitations were sent. Its LucidLink product requires access to the vendor's servers, and these servers have been shut down, according to user reports. The company no longer responds to queries, and the future of LucidLink is unknown. We didn't invite Microsoft because its 802.1X solution is incorporated in Windows Server 2003, which is a full OS requiring a separate computer to operate. The cost of the OS for 25 users is typically $1,000. If you own Windows Server 2003 and have the in-house expertise to configure its 802.1X options, consider that route. We excluded the open-source FreeRADIUS product because of the know-how needed to configure and operate it; we wanted the products to be suitable for branch offices with minimal IT support.

Of our four participants, BoxedWireless and WiTopia host 802.1X servers. Corriente and Open System Consultants provide server software. Note that hosted services fail to authenticate new users when Internet connectivity is interrupted, though users who are logged in remain on the Wi-Fi network. All four products and services work with widely available 802.1X client software found in major operating systems.We based our scoring on ease of installation on the server computer; ease of configuring the XP SP2 client software; simplicity in configuring access points to work with the server; range of supported features; and clarity and extent of documentation. We wanted simplicity, a consistent interface and consistent authentication for each client.

We installed the server software on a Windows XP SP2 system with the latest patches and firewall, antivirus and anti-spyware software. We configured several commodity APs, including a Linksys WRT54G, to connect as authenticators to the server. All four products support APs on multiple networks and locations.

Port-Based Access Control

The 802.1X standard prevents unauthenticated devices, whether wired or wireless, from gaining access to a protected LAN. This is called "port-based access control" because the "port" (virtual or physical) over which the computer connects is restricted until the device is approved. The 802.1X method is a small dance among three parties: the supplicant, a client that resides on the connecting device; the authenticator, a back-and-forth role played by an Ethernet switch or access point; and an authentication server, which handles approving a user. These three partners talk EAP (Extensible Authentication Protocol), a generic method of exchanging messages. For a look at how 802.1X is making waves on the wired side, see "But Will It Work?".

To establish an 802.1X session, a user connects with supplicant software to a wireless access point. The access point facilitates a connection between the supplicant and the authentication server. The user enters credentials, or credentials are automatically sent, depending on whether the credentials are entered by hand, found in a preloaded certificate or attached hardware encryption dongle. If the credentials are accepted, the authentication server separately provides the same unique master key to both the supplicant and the authenticator. The supplicant and authenticator derive the necessary encryption keys for communication from this common master key, and the authenticator then allows access over the network with communications between the connected device and the access point secured with a derived key; see "802.1X Authentication Basics" (left), for a visualization.

Getting Started

The hardware and software requirements for 802.1X are straightforward.

Wi-Fi Encryption Options

The 802.1X spec supports a host of options. Most commonly, an 802.1X server handles both the older, deprecated WEP (Wired Equivalent Privacy) encryption format and the newer WPA and WPA2 methods; TKIP (Temporal Key Integrity Protocol, WPA and WPA2); and AES (Advanced Encryption System, WPA2 only). Of the four products we tested, only Open System Consultants' Radiator and WiTopia's SecureMyWiFi support WEP, and SecureMyWiFi required us to ask WiTopia for WEP support to be turned on.

WPA can be used in Windows XP, 2000 and Server 2003 with the proper service pack updates and updated adapter firmware; it's found in Mac OS X 10.3 and later, and many more recent versions of Linux, Unix, Palm OS, and Windows Mobile. Some other Windows versions and some handhelds offer WPA using third-party software.

We recommend TKIP for small and midsize businesses and enterprise branch-office use; we find it a good compromise between high-level security and backward compatibility. AES keys required by WPA2 are supported generally in Wi-Fi equipment sold since 2003 with firmware and driver updates. However, because TKIP is considered reliable at this writing, WPA2 isn't generally necessary for companies outside the financial, medical, government contractor and other sectors with compliance requirements; those industries may require WPA2 as part of a host of best-effort security measures specified in contracts and state and federal regulations. To use WPA, all devices and OSs must have appropriate patches applied, firmware installed and drivers updated. Many Wi-Fi gateways still ship with older firmware that must be updated for full compatibility.Encrypting 802.1X Messages

Within 802.1X, EAP messages are sent in the clear by default, which could give a snooper--with cracking tools necessary to retrieve a password--a peek at information that we want to keep private. To overcome this, several companies have developed competing methods of encrypting EAP (see "EAP Types Supported," left, for which products support which secured methods).

The first was EAP-TLS (Transport Layer Security), which requires installing a unique public-key certificate on each computer or device that will connect to the network. This means a public-key infrastructure, a complex--and sometimes expensive--proposition. EAP-TLS' advantages are that the credentials are extremely strong and presented automatically.

The most widely used secured form of EAP is PEAP (Protected EAP), specifically a version known as PEAPv0 with MSCHAPv2. This version, promoted by Microsoft, is supported by all products reviewed in this article and all free and commercial supplicants. An alternative, called EAP-TTLS (Tunneled TLS), works in a similar manner, but does a better job at hiding the account name that's part of the credentials. Neither the common version of PEAP nor EAP-TTLS require client-side certificates.Other flavors include LEAP, a Cisco-developed format; PEAPv1, also developed with Cisco and incompatible with Microsoft's version; and EAP-SIM, which ties into cellular network authentication.

Putting it Together

Setting up 802.1X with any of the products reviewed involves the following steps.

The Results

We found things to like about all the products we tested. Corriente's Elektron Enterprise Server provides all the basics, with the bonus of unlimited user accounts. Both the entry-level and enterprise editions were simple to configure for straightforward use, requiring no interaction with advanced settings. Despite ending in a numerical tie with SecureMyWiFi, Elektron takes our takes our Tester's Choice because it aced our manageability and price categories.

Our two outsourced services, WiTopia.Net's SecureMyWiFi and the eponymous BoxedWireless, performed well. SecureMyWiFi has a clear price advantage over BoxedWireless, especially for offices with a large numbers of users. BoxedWireless, however, remains the only option for simple management of individual digital certificates for businesses that need a level of security beyond a user name and password.

Open System Consultants' Radiator Server is worth considering for offices with more IT chops than cash. Its range of features is astonishing given the low price. We predicated this review on products being manageable in branch offices, departments without much central IT support and SMBs, and that accounts for Radiator's last-place finish; if your situation is different, check out our Interactive Report Card to tweak the criteria. Radiator's price makes it well worth considering for its flexibility and compatibility with existing services.Corriente Networks Elektron Enterprise Server
When Corriente released its first Elektron server for Mac OS X and Windows XP/2000, in January 2005, it received a disproportionate amount of attention for breaking the price barrier for 802.1X authentication. This maiden product, the $300 Elektron Server, provided basic authentication features. Corriente's $750 Elektron Enterprise edition adds options normally found only in more expensive enterprise servers, including external directory and database lookups for users. Still, many companies will find that the less expensive Elektron Server meets their needs.

Elektron Enterprise installed quite easily on Mac OS and Windows. A wizard walked us through basic configuration after installation, including choosing an initial shared secret. The wizard allowed for several certificate choices, including using a self-signed one. An appropriate externally verified certificate can be bought for less than $50 per year per server from GoDaddy.com.All the choices we made in the wizard could be easily changed through a configuration application. By default, Elektron accepts connections from any AP with the correct shared secret. It can also be limited to accept APs from only specific addresses or networks.

We could set up accounts manually or pick up users from the system on which the server is installed, useful for locations that run a single file server. The enterprise version also can authenticate against LDAP or RADIUS servers, or even something as simple as entries in a SQL database with the right fields.

The Enterprise edition allowed for limited policy enforcement. We could let users connect to the network only during certain hours on certain days of the week, for instance. That option doesn't disconnect users already authenticated on the network, however; you need a session-time-out setting combined with an AP that honors session time-outs to end existing sessions. Unfortunately, there's no easy way to know whether this time-out is honored; check your AP manuals.

Elektron Enterprise Server, $750. Corriente Networks, (510) 527-0601. www.corriente.net

WiTopia SecureMyWiFi WiTopia

offers few options with its hosted 802.1X service SecureMyWiFi. This can be a good thing or a bad, depending on your perspective. For instance, because existing directories can't be imported, all accounts must be created manually through the Web site. Further, no account details, such as department, e-mail address or phone number, can be appended to a user's account. And no policy management is allowed, so a user's login can't be tied to other factors. To revoke a user you must delete the entry.

An external Web site serves as the command center for SecureMyWiFi. WiTopia supports only PEAP for authentication and WPA for encryption, by default. The company said that either or both EAP-TTLS for authentication and WEP for encryption could be enabled on request at no additional charge. A ponderous aspect of this system is that login accounts are a name that we chose, followed by an @ sign and the account number. This makes for slightly unwieldy user names, but as they're entered only infrequently, this isn't a strong criticism.

WiTopia is the only company to invest in commercially signed digital certificates for its servers, which eliminates the step of individually installing a CA certificate on each machine that will connect over 802.1X.Witopia charges by the AP in its small business pricing plan; larger organizations with heavier Wi-Fi usage will have a slightly higher yearly cost. The company allows as many as 10 APs with the small biz plan. The first one is included, and companies can add nine more for $14.99 a year each. One-hundred user accounts with separate passwords are included. Beyond that, custom pricing is in effect.

SecureMyWiFi, $198 as tested. WiTopia, (877) WITOPIA.

BoxedWireless BoxedWireless.com

Of the four servers and services we tested, only BoxedWireless offers straightforward support for EAP-TLS without your having to own a public key infrastructure, meaning it's the only choice among our participants for companies without PKIs that want the extra security of having individually revocable and unforgeable certificates.

BoxedWireless offers the choice of EAP-TLS or standard PEAP, and we could switch between the two types. However, unlike the two server products tested--Radiator and Elektron--BoxedWireless.com accounts are limited to a single form of secured EAP for all users. This may be a limitation for companies wanting to use higher security for some users and allow logins from temporary accounts for others.

We easily configured the service from its Web site. We had to create user accounts one at a time; no additional information can be stored for each user aside from the account name. Account names have no mandatory preassigned portions. The account window has convenient links to download CA certificates for installation, and, with EAP-TLS, the individual digital certificates in three common formats work with virtually every platform.

Because BoxedWireless charges per user, not per AP, its pricing might have a slight advantage over WiTopia's for companies with many Wi-Fi nodes relative to the number of network users.

>BoxedWireless.com, $277 as tested. BoxedWireless, +31(0) 204222258 (Netherlands). www.boxedwireless.comOpen System Consultants Radiator

The kitchen sink is in this product somewhere, if only you know where to look. The feature list on the company's Web site is pages long in its most condensed form. That's good for IT pros who like to get their hands dirty, not so good for Radiator given our testing parameters (the product should deployable in branch offices without extensive IT support).

Radiator installation is complex because it relies on Perl and separate packages for TLS support. Under Windows XP, we had to install three free packages, found through two sets of Open System instructions on three separate third-party sites: ActiveState Perl, a precompiled OpenSSL and a precompiled Net::SSLeay module for Perl.We configured all program options through text files that use directives found in a lengthy, well-written manual. Almost anything we could want to install into the server, from the most ancient or exotic authentication method to remarkably specific directives that would let users connect at only certain times and be assigned specific IP addresses, is available. Model configurations show how to create a PEAP authentication framework, for instance. Using test certificates provided with the product, we could authenticate over PEAP.

Users are added through a text file or by writing configuration statements to access external directories or databases, including LDAP servers and Active Directory. Open System offers separately priced graphical tools for user management and multiple server monitoring and logging, but not for configuration.

Although the program is well-priced, we recommend it only for companies with highly competent in-house IT staff and that need to support particular standards, such as EAP-SIM, used for cellular telephone subscriber module authentication, or that require highly refined qualifications and assignments for users allowed to join the network. If you're starting from scratch, this product is probably overkill, but many companies will find it a substantial savings over comparably feature-rich offerings.

Radiator, $790 one-time cost; includes one year of upgrades. Open System Consultants, (413) 674-9423.Glenn Fleishman writes about technology for The New York Times and Popular Science, among other publications, from Seattle, Wash. Write to him at [email protected].

R E V I E W

802.1x Authentication Servers

Sorry,
your browser
is not Java
enabled

Welcome to NETWORK COMPUTING's Interactive Report Card, v2. To launch it, click on the Interactive Report Card ® icon above. The program components take a few moments to load.

Once launched, enter your own product feature weights and click the Recalc button. The Interactive Report Card ® will re-sort (and re-grade!) the products based on the new category weights

you entered.

Click here for more information about our Interactive Report Card ®.

Methodology

Testing was performed on both Windows and Mac boxes, using fixed and dynamically assigned IPs over wired Ethernet and Wi-Fi. We tested server products on Windows XP Service Pack 2 with patches updated as of January 2006. Elektron Server was tested under Mac OS X 10.4.4 and Windows XP SP2. If an authentication failed, we tested the same process on an identical machine to debug. Authentication was ultimately successful on repeated attempts from all clients; supplicants seemed to lag just enough to cause an occasional spurious fault that did not recur on any service.

EAP-TLS, EAP-TTLS, and PEAPv0 were tested for each service that offered each flavor across a Linksys WRT54Gv2 and an Apple AirPort Express Base Station.All Secure Enterprise product reviews are conducted by current or former IT professionals in our Real-World Labs® or partner labs, according to our own test criteria. Vendor involvement is limited to assistance in configuration and troubleshooting. Secure Enterprise schedules reviews based solely on our editorial judgment of reader needs, and we conduct tests and publish results without vendor influence.

What $2,500 Buys

We excluded two powerhouses from this article because their server product starting prices were at least $2,500 for 25 users. Funk and Meetinghouse each offer full 802.1X support for virtually every EAP type, and extensions for WEP, TKIP (WPA/WPA2), and AES (WPA2) encryption key types. So, what do you get for that price that the lower-end offerings can't compete with?

First, you get client software designed to work with the server. Although some enterprises might be content to use built-in software, Funk and Meetinghouse have their own client software provided on a far wider range of Windows releases and platforms that have built-in support. They also include handheld support for Palm OS, Windows Mobile/PocketPC and Zaurus.

For enterprises that support a range of legacy equipment or have handhelds, Mac, Linux and Windows in a single environment, these clients are critical for providing helpdesk support and a single configuration file that can be loaded by IT staff. The clients can be remotely updated, and can be locked down so users can change only some or no Wi-Fi settings. These clients are available individually at prices that start at $40 to $50, depending on platform and version, but drop rapidly per-seat for larger quantities.Second, these servers have a greater variety of ways to attach themselves to existing AAA (authentication, authorization and accounting) and other services on the network. Companies with existing infrastructure for policy management--for example, time-of-day-based variable access, up-to-date antivirus settings, and other factors--and public key infrastructure support, or certain forms of user authentication need the more expensive option. Both Elektron and Radiator support some but not all forms of directory services.

Finally, none of the vendors whose products we reviewed offer phone support or 24x7 access, only e-mail support--two at no cost. This reflects the self-help, low-cost approach of these firms, but companies that operate 24x7 may need (expensive) full-time phone options.

The Essentials

Maybe you warned your colleagues about installing aWLAN. Sure, APs are cheap, and offering wireless accessmade IT heroes in the eyes of the masses. Butnow it's time to pay the security piper, and theprice is steep, right?

Not necessarily. We tested two softwareservers and two services that each offer802.1X-based WLAN security for less than$1,000 for 25 users. We predicated our invitationon the offerings being usable by small businessesand branch offices with limited IT expertise.PRODUCT CATEGORY: Low-cost, low-complexity802.1X WLAN security tools
PRODUCTS TESTED: BoxedWireless, Corriente NetworksElektron Server Enterprise, Open System ConsultantsRadiator and WiTopia SecureMyWiFi
PRODUCTS NOT TESTED: We excluded productsthat cost upward of $1,000. For a profile ofwhat you can get for $2,500, see "What$2,500 Buys"

WHO WON AND WHY: Elektron Enterprise is ourTester’s Choice: It covered all our bases, providesunlimited user accounts and was easy to configure.
WHAT HAPPENS NEXT: Follow our step-by-step guide tosetting up supplicants on both Windows and Mac OS.

Windows XP SP2

Before following the below steps, install the CA (certificate authority) for the server as provided in the products reviewed in this article.

Mac OS X 10.3 and later

Install the CA as provided by the service. Mac OS X also can accept a CA and an associated certificate during a supplicant connection, unlike Windows, which allows that process to be bypassed.

In Mac OS X 10.3, if the certificate and/or its authority was not preinstalled, Mac OS X will prompt you to accept certificates, after which you will not be prompted again. In Mac OS X 10.4, you are prompted to click Continue (accept self-signed certificates once) or you may review the certificates and set parameters for future acceptance.