RADIUS Server Application Blog

This RADIUS server application blog is about RADIUS servers in general and Interlink's RAD-Series RADIUS Server specifically. Our goal here is to discuss how different RADIUS server applications can be extended to build unique, differentiated offerings for Carriers and ISPs.

Tuesday, October 30, 2007

Selecting an 802.1X EAP Method: Access Point Considerations

In the last RADIUS server blog posting, we embarked on the daunting task of securing access to a wireless network with a RADIUS server. This led us to 802.1X and the Extensible Authentication Protocol, EAP, which is at the heart of best practices for wireless network access management. Because of EAP’s extensible nature, we discussed that there are not only several network components to consider in securing the wireless network, but also many EAP Methods (protocols) from which to choose and configure in your clients and RADIUS server. In evaluating the currently available EAP Methods, we are examining factors involving each component of the wireless network. Because they provide the wireless connectivity, Access Points (APs) are the first and primary component that most enterprises evaluate. We will follow suit by looking at access point issues related to supporting wireless network access management using EAP.

802.1x Support

The most important AP feature necessary for wireless access management is support for 802.1x. This should be a requirement for enterprise wireless networks. One cannot take this feature for granted since it is generally not available on low cost consumer access points. 802.1x is the IEEE standard for Port Based Network Access Control. Included in this specification is the use of EAP for authentication. If an Access Point supports 802.1x, then it supports EAP.

WEP (Wired Equivalent Privacy) is another term frequently found on AP datasheets. While WEP based encryption is found often on APs using 802.1x, by itself it is not sufficient indication that EAP is supported. Many implementations authenticate by configuring static WEP keys. If the workstation can communicate by virtue of having the correct key, then it is authenticated. 802.1x was designed to overcome the numerous shortcomings of WEP key based authentication by authenticating user access through a RADIUS server. Additionally, WPA/TKIP has been developed to solve the problems of WEP’s poor encryption and data integrity.

Some Access Point datasheets will mention support for RADIUS. While RADIUS is used to transport EAP between the Access Point and the Authentication Server, it does not necessarily mean that the AP supports EAP. Some APs perform MAC address authentication with a RADIUS server. This form of authentication falls short of EAP’s ability to provide mutual authentication, authentication of the actual user, and session encryption keys with a RADIUS server.

Once it is determined that the AP supports 802.1x, then the next question is which EAP Methods are supported. The EAP authentication is conducted between the Supplicant (wireless device) and the RADIUS Server (Authentication Server). It is carried over EAPOL on the wireless side of the AP and over RADIUS on the network side of the AP. The AP only serves to relay the EAP packets, not to participate in the protocol. Therefore, any AP that supports 802.1x should be able to support all EAP methods. In practice, this is generally true. There have been exceptions found during interoperability tests, but these have been determined to be bugs that the AP vendors are expected to fix.
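To make the relay role concrete, the following Python is an added example (not code from this blog or from Interlink) of what the access point does on the network side: it takes the EAP packet it received over EAPOL and copies it into a RADIUS Access-Request as EAP-Message attributes, encoded per RFC 2865, and adds the Message-Authenticator that RFC 3579 requires on any Access-Request carrying EAP-Message (an HMAC-MD5 over the whole packet, keyed with the shared secret). The identity, shared secret and RADIUS identifier are constructed values; the server-side verification function shows why the shared secret matters even though the AP never interprets the EAP payload.

```python
"""Added example: how an 802.1X access point relays an EAP packet over RADIUS.

Nothing here is RAD-Series code; the identity, secret and identifier below are
constructed for the demonstration. Encoding follows RFC 2865 (RADIUS) and
RFC 3579 (RADIUS support for EAP).
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_NAS_PORT_TYPE = 61
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80
NAS_PORT_TYPE_WIRELESS_80211 = 19
EAP_RESPONSE = 2
EAP_TYPE_IDENTITY = 1
MAX_ATTR_VALUE = 253  # attribute length is one byte and includes the 2-byte header


def eap_identity_response(eap_id: int, identity: bytes) -> bytes:
    """The EAP Response/Identity the supplicant sends over EAPOL (RFC 3748 format)."""
    data = bytes([EAP_TYPE_IDENTITY]) + identity
    return struct.pack("!BBH", EAP_RESPONSE, eap_id, 4 + len(data)) + data


def attr(attr_type: int, value: bytes) -> bytes:
    """One RADIUS attribute: Type(1) Length(1) Value."""
    assert len(value) <= MAX_ATTR_VALUE
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def relay_eap_to_radius(eap: bytes, identity: bytes, secret: bytes,
                        radius_id: int, request_authenticator: bytes = None) -> bytes:
    """Wrap an EAP packet in an Access-Request the way the AP (authenticator) does."""
    if request_authenticator is None:
        request_authenticator = os.urandom(16)  # RFC 2865: random per request
    attrs = attr(ATTR_USER_NAME, identity)
    attrs += attr(ATTR_NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_WIRELESS_80211))
    # EAP packets longer than 253 bytes are split across consecutive EAP-Message attributes
    for i in range(0, len(eap), MAX_ATTR_VALUE):
        attrs += attr(ATTR_EAP_MESSAGE, eap[i:i + MAX_ATTR_VALUE])
    # Message-Authenticator is computed with its own value zeroed, then filled in
    attrs += attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    packet = struct.pack("!BBH", ACCESS_REQUEST, radius_id, 20 + len(attrs))
    packet += request_authenticator + attrs
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac  # the zeroed placeholder is the last 16 bytes


def parse_attributes(packet: bytes):
    """Return [(type, value), ...] from a RADIUS packet, rejecting malformed lengths."""
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    attrs, pos = [], 20
    while pos < length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute")
        attrs.append((attr_type, packet[pos + 2:pos + attr_len]))
        pos += attr_len
    return attrs


def verify_message_authenticator(packet: bytes, secret: bytes) -> bool:
    """Server side: accept the request only if the HMAC matches under the shared secret."""
    length = struct.unpack("!H", packet[2:4])[0]
    pos = 20
    while pos < length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR and attr_len == 18:
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, packet[pos + 2:pos + 18])
        pos += attr_len
    return False  # RFC 3579: EAP-Message without Message-Authenticator must be discarded


def extract_eap(packet: bytes) -> bytes:
    """Reassemble the EAP packet from the EAP-Message attributes, as the server does."""
    return b"".join(v for t, v in parse_attributes(packet) if t == ATTR_EAP_MESSAGE)


if __name__ == "__main__":
    eap = eap_identity_response(1, b"alice@example.com")
    pkt = relay_eap_to_radius(eap, b"alice@example.com", b"constructed-secret", 7)
    print(len(pkt), verify_message_authenticator(pkt, b"constructed-secret"))
```

The AP never parses the EAP payload, which is the point made above; its only security job on this path is to carry the supplicant's bytes unchanged and to key the Message-Authenticator with the secret it shares with the authentication server, so the server can discard requests from an unknown NAS or packets altered in transit.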

Proprietary EAP Methods

The one exception to the rule of thumb that all EAP Methods should be supported by all 802.1x APs is Cisco’s proprietary EAP-LEAP (Lightweight Extensible Authentication Protocol). It is only supported by APs, supplicants, and authentication servers that have licensed Cisco’s technology. LEAP makes use of Cisco’s vendor-specific attributes (VSAs) to distribute key material. The access point must support the Cisco VSAs and the LEAP algorithm for generating session keys from the key material. Because Cisco is a networking leader, LEAP has gained acceptance. Other vendors’ supplicants and authentication servers support LEAP, but if an enterprise wants to standardize on LEAP, then it must use Cisco APs.

Accounting Support

Although it is not a requirement for EAP, it should be noted that some access points do not support RADIUS accounting. This is an issue for ISPs and Wi-Fi hotspot vendors and less of an issue for enterprises that aren’t invoicing for wireless network access. However, all users might still want to implement audit trails and policies which require RADIUS accounting messages to mark the beginning and end of sessions.

Configuring EAP in the Access Point

Configuring EAP in an access point consists of four straightforward steps:

1. Enabling 802.1x, often by checking a box on a web form

2. Entering the authentication server’s IP address

3. Entering the authentication server’s port number (usually 1812)

4. Entering the secret shared with the authentication server

In conclusion, beyond the need to support 802.1x, the access point does not need to be a determining factor in which EAP Method to choose. The key is recognizing which access points support 802.1x. From there, enabling 802.1x and configuring communication with the authentication server is fairly straightforward. There is no need to configure a specific EAP method within the access point.

Choosing and configuring an EAP Method becomes more involved as we look at the supplicant and RADIUS server (authentication server) in upcoming blog posts.


Tuesday, August 28, 2007

A Primer on Using Interlink’s Powerful RADIUS Server Software Developer’s Kit (RADIUS SDK)

Interlink’s RADIUS Server SDK is ideal for customers wishing to customize and enhance the RAD-Series RADIUS Server to meet their specific application requirements. The RADIUS Server SDK provides a set of easy-to-implement, modular tools to develop extensions to the core RADIUS architecture. The tool kit provides APIs (Application Program Interfaces) that make it easy to build custom modules for unique RADIUS authentication, authorization, or accounting methods; modify the internal RADIUS processing engine; set user-based policy; and to customize user interfaces.

With the SDK, you can write capabilities to:

  • Authenticate users stored in any data source, including off-the-shelf and proprietary databases
  • Track and control usage based on unique billing systems
  • Implement highly customized authorization schemes
  • Add support for unique network access hardware

RADIUS plug-in modules allow feature enhancements without editing, recompiling, and retesting all of the server code, providing for speedy development of additional functionality. The RADIUS Server SDK functions follow standard ANSI C, so there is no specialized programming or scripting language to learn.

Major system integrators and mobile communication companies throughout the world have used our RADIUS SDK to customize their RADIUS server to meet their specific application needs.


Wednesday, June 6, 2007

Protecting AAA RADIUS Accounting Information

The third A of AAA, RADIUS Accounting, often does not get as much attention as Authentication and Authorization, but it is vitally important. The RADIUS server accounting session logs provide usage information for billing in commercial applications and an audit trail in all cases. Because RADIUS is transported by UDP, a datagram protocol that does not guarantee delivery, it is possible for valuable accounting information to be lost in the network. In particular, the loss of RADIUS Accounting-Stops creates several problems including:

1) Incomplete billing information for metered services resulting in lost revenue.

2) Valid users are locked out where Simultaneous Session Control is implemented because the end of their last session was not received. This results in unhappy customers and increased customer support overhead.

3) Incomplete audit trails.

These are important problems. The RAD-Series RADIUS Server cannot always know when a RADIUS Accounting-Stop has been lost in the network, but there are several steps that can be taken to improve the situation.

1) Probably the first and most important thing to do is to find out where and why the RADIUS Accounting-Stops are being lost and then fix the root cause of the problem. Do you have problems with NASs crashing? Do you have infrastructure problems where the NAS loses contact with the RADIUS Server for long periods of time? Do you have network congestion problems where packets are lost? Is the machine where the RADIUS Server runs overloaded and running behind?

Check the RADIUS Server logfile to see if it is discarding accounting messages because the queue is full. If it is, then you need to address the overload by either getting a faster machine/disk or by implementing another RAD-Series RADIUS Server. If these are only momentary overloads, then another option is to increase the size of the RADIUS accounting request queue in engine.config from its default value of 2000:

global_acct_q.limit=3000

2) If the packet loss is out of your control or cannot be quickly fixed, then the next step is to configure the NASs to retransmit more effectively. In RADIUS the client is responsible for retransmitting requests for which it receives no reply. Most NASs have parameters to configure the timeout between retransmissions and the number of retransmissions to attempt.

Increasing the retry limit improves the chances of a request getting through. The overall time attempting to get the request through is also increased, giving congestion due to traffic spikes a chance to clear.

Increasing the timeout before retransmitting also increases the overall time attempting to get the request through. Additionally, it has the advantage that by waiting longer to retransmit, the NAS is not contributing as much to the congestion.

3) Configure the NASs to send RADIUS Accounting Interim-Updates. This has two advantages:

a) If the RADIUS Accounting-Stop at the end of the session is lost, then you at least have the accounting information up to the point of the last Accounting-Interim-Update.

b) If the RAD-Series RADIUS Server has received at least one Accounting-Interim-Update, but has not received one within the last 15 minutes + 15 seconds, then the server will move that session to the "suspended" state. If a session is in the suspended state, then it will not count toward the simultaneous session limit and the user should be able to reconnect.

Before enabling RADIUS Accounting-Interim-Updates, be sure to check that your accounting software can handle them correctly. Accounting-Interim-Updates report the cumulative session totals, not incremental amounts. To bill accurately, the accounting software must process only the RADIUS Accounting-Stop or the last RADIUS Accounting-Interim-Update for any given session.

Also note that enabling RADIUS Accounting-Interim-Update messages will increase the traffic between the NASs and the RADIUS Server.

To log RADIUS Accounting-Interim-Updates, the RAD-Series RADIUS Server’s finite state machine table must be modified at state ACCTlog from:

ACCTlog:
    *.*.ACCT_START   REPLY  Hold
    *.*.ACCT_STOP    LOG    REPLY  Hold
    *.*.ACCT_ALIVE   REPLY  Hold

to:

ACCTlog:
    *.*.ACCT_START   REPLY  Hold
    *.*.ACCT_STOP    LOG    REPLY  Hold
    *.*.ACCT_ALIVE   LOG    REPLY  Hold

4) Set the Session-Timeout attribute as a reply item in the user profile. If the RADIUS Server has not received the RADIUS Accounting-Stop by the end of the Session-Timeout period, (plus a delay factor), then it will move the session to the suspended state where it will not count toward the Simultaneous Session Control Limit.

5) Configure your NAS/telco to hunt in a round robin fashion instead of filling in the first available port. If the RADIUS Server finds a new session connected to the same port, it will close out the old session. Configuring your NAS to hunt round robin ensures that all of your ports get reused instead of the first ports getting most of the calls.
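The following Python is an added example (not RAD-Series code, and not from this blog) that reconciles a small constructed accounting log according to the rules in steps 3, 4 and 5 above: Interim-Update counters are cumulative and therefore overwrite rather than add, a session with at least one Interim-Update but none in the last 15 minutes + 15 seconds is suspended, a session that outlives its Session-Timeout plus a delay factor is suspended, and a new Start on a port still held by another session closes the old session. The record format, the sample sessions and the 60-second delay factor are assumptions made for the demonstration; the page does not specify the delay value.

```python
"""Added example: reconciling RADIUS accounting records the way the post describes.

Not RAD-Series code. The one-line-per-request record format is a constructed
simplification:
  <epoch secs> <Acct-Status-Type> <Acct-Session-Id> <User-Name> <NAS-Port> <Acct-Input-Octets> <Acct-Output-Octets>
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

INTERIM_GRACE = 15 * 60 + 15   # from the post: suspend after 15 min + 15 s without an Interim-Update
SESSION_TIMEOUT_DELAY = 60     # assumed value for the post's unspecified "delay factor"

# Constructed sample: s1 is complete, s2 lost its Stop, s3 sent only a Start, s4 reuses s3's port.
SAMPLE_LOG = """\
1000 Start s1 alice 1 0 0
1300 Alive s1 alice 1 1000 5000
1600 Alive s1 alice 1 2000 9000
1900 Stop  s1 alice 1 2500 12000
1000 Start s2 bob 2 0 0
1300 Alive s2 bob 2 800 3000
1600 Alive s2 bob 2 1700 7000
1000 Start s3 carol 3 0 0
2500 Start s4 dave 3 0 0
"""


@dataclass
class Record:
    ts: int
    status: str        # Start, Alive (= Interim-Update) or Stop
    session_id: str
    user: str
    port: int
    in_octets: int
    out_octets: int


@dataclass
class Session:
    user: str
    port: int
    started: int
    last_seen: int
    in_octets: int = 0
    out_octets: int = 0
    interims: int = 0
    state: str = "active"   # active | complete | suspended | closed (port reused)
    basis: str = "none"     # record the totals come from: stop | interim | none


def parse_records(text: str) -> List[Record]:
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, status, sid, user, port, inb, outb = line.split()
        records.append(Record(int(ts), status, sid, user, int(port), int(inb), int(outb)))
    return records


def reconcile(records: List[Record], now: int,
              session_timeout: Optional[int] = None) -> Dict[str, Session]:
    """State of every session as of `now`, applying steps 3b, 4 and 5 of the post."""
    sessions: Dict[str, Session] = {}
    port_owner: Dict[int, str] = {}
    for r in sorted((r for r in records if r.ts <= now), key=lambda r: r.ts):
        if r.status == "Start":
            # Step 5: a new session on a port still held by another session closes the old one
            old = port_owner.get(r.port)
            if old is not None and sessions[old].state == "active":
                sessions[old].state = "closed"
            sessions[r.session_id] = Session(r.user, r.port, r.ts, r.ts)
            port_owner[r.port] = r.session_id
            continue
        s = sessions.get(r.session_id)
        if s is None:  # the Start was lost too; reconstruct the session from what arrived
            s = sessions[r.session_id] = Session(r.user, r.port, r.ts, r.ts)
            port_owner[r.port] = r.session_id
        # Counters in Interim-Updates and Stops are cumulative: overwrite, never add
        s.in_octets, s.out_octets, s.last_seen = r.in_octets, r.out_octets, r.ts
        if r.status == "Stop":
            s.state, s.basis = "complete", "stop"
        else:
            s.interims += 1
            s.basis = "interim"
    for s in sessions.values():
        if s.state != "active":
            continue
        if s.interims and now - s.last_seen > INTERIM_GRACE:
            s.state = "suspended"   # step 3b: interim updates stopped arriving
        elif session_timeout is not None and now > s.started + session_timeout + SESSION_TIMEOUT_DELAY:
            s.state = "suspended"   # step 4: Session-Timeout (plus delay) elapsed without a Stop
    return sessions


def counted_sessions(sessions: Dict[str, Session], user: str) -> int:
    """Sessions that still count toward the user's Simultaneous Session Control limit."""
    return sum(1 for s in sessions.values() if s.user == user and s.state == "active")


def billable_octets(sessions: Dict[str, Session], session_id: str) -> int:
    """Totals from the Stop or, if it was lost, from the last Interim-Update."""
    s = sessions[session_id]
    return s.in_octets + s.out_octets


def naive_sum_octets(records: List[Record], session_id: str) -> int:
    """The mistake the post warns about: adding cumulative counters together double-counts."""
    return sum(r.in_octets + r.out_octets for r in records if r.session_id == session_id)
```

Running it against the sample shows the two points worth remembering: summing s1's records gives 31500 octets where the session actually carried 14500, and bob's session, whose Stop never arrived, stops counting against his session limit once the interim updates have been silent for longer than the grace period.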

Session logging is a crucial aspect of managing a network. An understanding of both the limitations and capabilities of RADIUS, a good handle on network performance, and a few key NAS and RAD-Series RADIUS Server configuration parameters can put you in control of collecting this network asset.
