Introduction: Selecting an 802.1X EAP Method
Wireless networking is a hot technology because of the flexibility and productivity it offers. It removes boundaries and barriers to communication, empowering an increasingly mobile society. Wireless networking has also drawn a great deal of attention and concern because of the new security challenges it introduces. Because of the broadcast nature of wireless networking, security must be expanded beyond the requirements of wired networks to include mutual authentication, distribution of session keys, and immunity to dictionary attacks, to name a few. The industry has responded with a series of technologies such as EAP, WEP, WPA, and TKIP.
The common thread in these security developments, as seen from a RADIUS server in an 802.1X deployment, is EAP, the Extensible Authentication Protocol. EAP is a vehicle for meeting today's wireless security requirements. As the name suggests, it is powerful because it is extensible. This is a two-edged sword for the IT director wanting to implement wireless networks in the enterprise. On the one hand there is the assurance that EAP is a standard solution, will not soon become obsolete, and can be extended to meet future needs. On the other hand the director is confronted with a complex array of EAP methods from which to choose, with still more methods being developed.
EAP methods are the authentication protocols carried inside the EAP framework, over 802.1X, between the supplicant (client) and the RADIUS server. Each method has its own advantages, disadvantages, and requirements.
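The following decoder is an added example, not code from the original post or from any RADIUS vendor. It shows concretely what "a method carried inside the EAP framework" means on the wire: the EAP header (Code, Identifier, Length, per RFC 3748) is fixed, and the method is just the Type byte that follows it. It also shows how method selection actually happens between supplicant and server: when the server proposes a method the client cannot use, the client answers with a Nak (Type 3) listing the methods it would accept. The four-frame exchange, the identity `alice@example.com`, and the EAP-TLS Start flag are constructed sample data, not captured traffic; the type numbers are the IANA assignments.

```python
"""
Added example (not part of the original blog post): a minimal decoder for
802.1X EAPOL frames carrying EAP packets, plus a builder used to construct
a sample exchange in which the supplicant Naks EAP-TLS and offers PEAP or
EAP-TTLS instead.
"""
import struct
from typing import List, Optional

# EAPOL packet types (IEEE 802.1X)
EAPOL_EAP_PACKET = 0
EAPOL_START = 1
EAPOL_LOGOFF = 2
EAPOL_KEY = 3

# EAP codes (RFC 3748, section 4)
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}

# IANA-assigned EAP method Type numbers used in this example
EAP_TYPES = {
    1: "Identity",
    3: "Nak",
    4: "MD5-Challenge",
    13: "EAP-TLS",
    17: "LEAP",
    18: "EAP-SIM",
    21: "EAP-TTLS",
    23: "EAP-AKA",
    25: "PEAP",
}


def parse_eapol(frame: bytes) -> dict:
    """Decode the 4-byte EAPOL header and, for EAP-Packet frames, the EAP payload."""
    if len(frame) < 4:
        raise ValueError("EAPOL frame too short")
    version, ptype, body_len = struct.unpack("!BBH", frame[:4])
    body = frame[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError("EAPOL body length does not match header")
    result = {"eapol_version": version, "eapol_type": ptype}
    if ptype == EAPOL_EAP_PACKET:
        result["eap"] = parse_eap(body)
    return result


def parse_eap(pkt: bytes) -> dict:
    """Decode the EAP header (Code, Identifier, Length) and the method Type."""
    if len(pkt) < 4:
        raise ValueError("EAP packet too short")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError(f"EAP length {length} does not match {len(pkt)} bytes")
    out = {"code": EAP_CODES.get(code, f"unknown({code})"), "id": ident}
    if code in (1, 2):  # only Request and Response carry a Type byte
        if length < 5:
            raise ValueError("EAP Request/Response must carry a Type")
        mtype = pkt[4]
        out["type"] = EAP_TYPES.get(mtype, f"unknown({mtype})")
        data = pkt[5:]
        if mtype == 1:
            out["identity"] = data.decode("utf-8", errors="replace")
        elif mtype == 3:
            # Nak: Type-Data is the list of method Types the peer is willing to use
            out["desired"] = [EAP_TYPES.get(t, f"unknown({t})") for t in data]
    return out


def build_eapol_eap(code: int, ident: int, mtype: Optional[int] = None, data: bytes = b"") -> bytes:
    """Build an EAPOL frame (protocol version 1) wrapping one EAP packet."""
    eap_body = b"" if mtype is None else bytes([mtype]) + data
    eap = struct.pack("!BBH", code, ident, 4 + len(eap_body)) + eap_body
    return struct.pack("!BBH", 1, EAPOL_EAP_PACKET, len(eap)) + eap


# Constructed sample exchange (not captured traffic):
# 1. server asks for an identity; 2. client answers; 3. server proposes EAP-TLS;
# 4. client has no certificate and Naks, offering PEAP or EAP-TTLS instead.
SAMPLE_EXCHANGE = [
    build_eapol_eap(1, 1, 1),                        # Request/Identity
    build_eapol_eap(2, 1, 1, b"alice@example.com"),  # Response/Identity
    build_eapol_eap(1, 2, 13, b"\x20"),              # Request/EAP-TLS, Start flag set
    build_eapol_eap(2, 2, 3, bytes([25, 21])),       # Response/Nak: PEAP, EAP-TTLS
]


def negotiated_methods(frames) -> List[str]:
    """Return the method names a supplicant offered in any Nak within the exchange."""
    offered = []
    for f in frames:
        eap = parse_eapol(f).get("eap", {})
        if eap.get("type") == "Nak":
            offered.extend(eap["desired"])
    return offered


if __name__ == "__main__":
    for f in SAMPLE_EXCHANGE:
        print(parse_eapol(f))
    print("supplicant offered:", negotiated_methods(SAMPLE_EXCHANGE))
```

Two points worth noticing when reading the output: the server never learns which methods the client supports until it proposes one and gets a Nak, which is why the supplicant software and the RADIUS server configuration have to be chosen together; and the length checks in the decoder are the kind of validation any component handling EAP should perform, since a malformed Length field is a classic source of parser bugs.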
Given the wealth of choices, how is one to identify the best EAP method for a given enterprise? As is the case with any networking function, there are a number of pieces to the puzzle that must all fit together. A review of the relevant network components will help to clarify the EAP method decision and prevent the costly mistake of an incompatible or incomplete solution.
The key network components to consider when implementing wireless security are:
Wireless Station Supplicant Software (Clients)
The wireless station must have supplicant software to engage in the 802.1X/EAP authentication exchange with the RADIUS server. Some EAP methods are supported natively by some operating systems; others require installing additional client software.
Access Points
The access point is the gateway for wireless communication. It must support 802.1X and EAP at a minimum, but there may be other requirements. Some methods require additional support, which is not available from all vendors.
Data Stores
Ideally, the wireless security system should be integrated with existing and future network systems rather than creating redundant systems that are difficult to synchronize and maintain. Of particular concern is where and how the user credentials are stored. Many EAP methods have specific credential requirements that are not obvious to the uninformed.
Authentication Server (RADIUS Server)
As the authority to which you have entrusted the security of your wireless network, the RADIUS server (authentication server) must support the EAP method, have an interface to the user credential database, and support any vendor-specific features of the access point.
Upcoming RADIUS server blog posts will address each of these factors in greater detail, highlighting the advantages and limitations for each EAP method. Armed with this knowledge, an informed decision can be made on how best to secure your wireless network with a RADIUS server.
Labels: 802.1X, EAP-AKA, EAP-LEAP, EAP-PEAP, EAP-SIM, EAP-TLS, EAP-TTLS
