RADIUS Server Application Blog

This RADIUS server application blog is about RADIUS servers in general and Interlink's RAD-Series RADIUS Server specifically. Our goal here is to discuss how different RADIUS server applications can be extended to build unique, differentiated offerings for Carriers and ISPs.

Friday, November 30, 2007

RADIUS & 802.1X: Selecting an EAP Method - Supplicant Software

In this blog posting, we continue our discussion of EAP methods and the factors involved in finding the best authentication method for a wireless application. We have already identified the components that must interoperate to deliver secure wireless communication and we have discussed the access point requirements. Our next topic is the supplicant software, which runs on the wireless station (laptop, PDA, or phone). It is critical because it is one of the two endpoints of the EAP authentication (the RADIUS server being the other) and must therefore have direct support for the chosen EAP method; the access point in between only relays EAP frames and does not need to understand the method.

Supplicant Availability

Supplicant software is available from a number of sources, supporting a variety of EAP methods and operating systems. Most supplicants support EAP-MD5, EAP-TLS, and EAP-PEAP, though EAP-MD5 deserves a caveat: it derives no keying material, so it cannot be used with WPA or 802.11i key management, it does not authenticate the network to the station, and its challenge/response is open to offline dictionary attack; treat it as a wired or test-only method. Not all vendors have implemented the same version of EAP-PEAP (PEAPv0 and PEAPv1 differ enough that supplicant and server must agree on one), and each vendor has a different approach to managing user profiles. To minimize interoperability and management issues, settle on a single source of supplicant software that supports all of your required platforms, if at all possible. Please note that Interlink's RADIUS server is standards-based and is designed to interoperate with all leading supplicants.

In some cases an EAP supplicant is provided with the operating system. In particular, Windows XP includes support for both EAP-TLS and PEAP (PEAPv0 with EAP-MSCHAPv2 as the inner method). Some organizations will prefer the simplicity of configuring a native supplicant to managing the installation and set-up of third-party software on every workstation.

User Profile Management

Supplicant software differs in its approach to managing the user profile, ranging from those that are set up once and forgotten to those offering a great deal of flexibility and power. Some supplicant software includes a utility for configuring and managing multiple user profiles. This is useful for stations that will be used by multiple users or in multiple environments requiring different authentication methods: the profiles are configured in advance and the appropriate one is selected as needed. At the other end of the spectrum are supplicants that store the user identity and credentials at set-up time and never require any intervention by the user. These are very easy to use but are more difficult to reconfigure, which becomes a problem if you want a policy of regularly changing passwords. The stored credential is also a security liability should the station ever be lost or stolen: whoever has the station can authenticate to the network as that user until the password is changed or, for EAP-TLS, the client certificate is revoked, so plan the revocation path before you deploy such a supplicant.

Identity Hiding

The tunneled EAP methods such as EAP-TTLS and EAP-PEAP support a concept called identity hiding. Authentication between the supplicant and authentication server takes place in two phases. In the first phase, the supplicant presents an outer user identity, in response to which the authentication server establishes a TLS-encrypted tunnel. This outer identity is often an anonymous user. The supplicant then presents the true user name as the inner identity used by the authentication method transported through the tunnel. Because the encrypted tunnel has its endpoints at the supplicant and the authentication server, the user's true identity is hidden from the access point. Only the outer identity is visible to the access point; it travels in the clear in the EAP-Response/Identity message and in the RADIUS User-Name attribute, so any RADIUS proxy on the path and anyone listening on the wireless medium sees it as well. Two practical caveats follow. First, an anonymous outer identity should still carry the realm (for example anonymous@example.com) so that a visited network can route the request to the home RADIUS server; a bare "anonymous" cannot be routed. Second, the tunnel hides the inner identity, and protects the inner credential, only if the supplicant validates the server certificate against a trusted CA and checks the server's name; a supplicant that accepts any certificate will build its tunnel to a rogue access point's RADIUS server and hand it everything. This feature may be desirable when the station is roaming on a foreign network but undesirable on the local network if accounting or troubleshooting relies on the User-Name the access point reports, since that will be the outer identity; the RADIUS server that terminates the tunnel sees the inner identity and should base authorization and accounting on that. Each supplicant has a different approach to identity hiding. Some supplicants offer only an anonymous outer identity, others use the username for both the inner and outer identities (which hides nothing), and others make the outer identity configurable. Which approach is best depends on whether the user's true identity needs to be hidden or visible.
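The two points above, the stored credential on the station and the separate outer and inner identities, show up as distinct settings in a supplicant's profile. The following wpa_supplicant.conf fragment is an added example, not part of the original post and not Interlink's code; the post does not name wpa_supplicant, which is assumed here only because its configuration file exposes each setting explicitly. The SSIDs, the example.com realm, the user name and password, the CA certificate path and the RADIUS server's certificate name are placeholders.

```conf
# Added example: one station with two stored profiles (home network on
# PEAPv0/EAP-MSCHAPv2, a roaming partner on EAP-TTLS/PAP). All names,
# paths and credentials below are placeholders.

ctrl_interface=/var/run/wpa_supplicant
ap_scan=1

# Profile 1: home network, PEAPv0 with EAP-MSCHAPv2 inside the tunnel.
network={
    ssid="corp-wlan"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase1="peapver=0"
    phase2="auth=MSCHAPV2"

    # Outer identity: sent in the clear in EAP-Response/Identity and as the
    # RADIUS User-Name, so the access point, any RADIUS proxy and anyone
    # sniffing the air see it. Keep the realm so the request can be routed.
    anonymous_identity="anonymous@example.com"

    # Inner identity and credential: only ever sent inside the TLS tunnel.
    # This stored password is the liability on a lost or stolen station.
    identity="jdoe@example.com"
    password="correct horse battery staple"

    # Server validation. Without ca_cert and a name check the tunnel is
    # built to whoever answers, including a rogue AP with its own RADIUS
    # server, and the MSCHAPv2 exchange (or a PAP password) goes to it.
    ca_cert="/etc/ssl/certs/corp-ca.pem"
    subject_match="/CN=radius.example.com"
    priority=2
}

# Profile 2: roaming partner, EAP-TTLS with PAP inside the tunnel. The
# same anonymous outer identity means the partner sees only the realm;
# the password is sent in clear text inside the tunnel, so the server
# certificate check is not optional here.
network={
    ssid="partner-wlan"
    key_mgmt=WPA-EAP
    eap=TTLS
    phase2="auth=PAP"
    anonymous_identity="anonymous@example.com"
    identity="jdoe@example.com"
    password="correct horse battery staple"
    ca_cert="/etc/ssl/certs/corp-ca.pem"
    subject_match="/CN=radius.example.com"
    priority=1
}
```

A quick way to confirm the configuration behaves as intended is to capture the RADIUS traffic at the access point: the User-Name attribute and the EAP-Response/Identity payload in the Access-Request should show only anonymous@example.com, and the real user name should appear nowhere outside the TLS records.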

Conclusion

The choice of supplicant software is important. Because it must be distributed on all wireless stations, it may be difficult to change and manage once it is in the field. The EAP methods supported, platforms supported, ease of use, and flexibility can all be factors in making the right decision.

Interoperability between the supplicant and the RADIUS server is a critical factor, and it is assured through testing by organizations like InteropNet Labs and the Wi-Fi Alliance. You can be assured of interoperability today by using an independent RADIUS server like Interlink's RAD-Series RADIUS Server, which has been designed to conform to the latest industry standards and to interoperate with leading supplicants and the widest range of EAP types in the industry. Interlink's RADIUS Server supports both PEAPv0, promoted by Microsoft, and PEAPv1, implemented by Cisco, and is flexible enough that you can mix and match supplicant software and EAP types, for example Alfa-Ariss' TTLS supplicant and Cisco PEAP, and use them concurrently.

How the RADIUS server manages the user credentials and interacts with the supplicant will be continued in the next blog posting.
