mailing list archives
RE: 802.1x RADIUS Deployment in Wireless LAN
From: shankarnarayan.d () netsol co in
Date: Wed, 26 Nov 2003 12:27:09 +0530
Have designed and implemented Wireless Networks with RADIUS for many of our
customers and the same are working fine. We primarily work with Cisco as
our partner and these cards do support 802.1X. Have used the Cisco Aironet
1200 series AP with Cisco 352 Client cards/ Intel Centrino based Laptops/
Orinoco and Cisco ACS v3.2 - discussions below are based on those
components. Going into your questions
1. Design of a Wireless Network involving RADIUS is not very difficult if
you are clear on what you want it to do. There are a large number of
different types of RADIUS based EAP authentication mechanisms - the LEAP
(Cisco proprietary), EAP-TLS, EAP-TTLS (Funk promoted, now well accepted in
the Wireless community), PEAP (promoted by MS and Cisco) WPA / TKIP and
finally a Cisco proprietary IBNS (enter your user name and password and you
get assigned to a predefined SSID - Cisco supports 16 of them on the same AP
and calls this a VLAN capability). If you were to look at each of these LEAP
is pretty easy to design - among the easiest, EAP-TLS and EAP-TTLS, we have
found are among the more painful ones to design as they involve integration
of multiple components over and above just RADIUS (EAP-TTLS is easier than
EAP-TLS). WPA / TKIP based designs are pretty much OK with RADIUS. IBNS was
the toughest, trying to get RADIUS to integrate with ADS - there are a huge
bunch of factors to think up when designing this one guy. Never tried PEAP
2. LEAP was easiest to install. EAP-TTLS (Funk provides some pretty neat
ways to help overcome problems that EAP-TLS using Microsoft CA presents -
the Odyssey clients and Steel Belted RADIUS eval copies are available on
www.funk.com) and EAP-TLS were tougher to install and IBNS was the worst
(primarily due to some Microsoft based password caching problems - peculiar
problems of sometimes not re-authenticating, other-times automatically
authenticating even without asking for password or suddenly asking for
re-authentication - we scoured to web for a full two days before we cracked
3. OS: Ranges from Win2K (ACS on Win2K Adv Server and clients on Win2K
Professional) to XP - never tried on UNIX or the likes
4. Ease of Management - WPA / TKIP produced the best management, LEAP - was
decent, EAP-TLS and EAP-TTLS (due the CA stuff) were and are pretty
difficult to manage. IBNS is pretty easy to manage once deployed, but to get
it deployed was hell (atleast to us)
5. Keys were dynamic wherever we deployed Wireless
Wrt to Implementation, Cisco provides excellent documentation throughout its
website and these can be efficiently used for both design and
implementation. Cisco SAFE series carries beautiful explanations and step by
step configuration. Somehow, have not found any problems with using Cisco
documentation - even as a novice when first implementing Wireless. Yes, the
ACS does contain so many options that you can be sometimes confused about
what is it you are doing, but Aironet configs - using the web-interface were
pretty easy to get along with. However integration with other components -
yes a new guy will face problems if he is not very aware of technology or if
he is not sure about what he wants
The MS documentation on RADIUS did actually work in a Lab test setup - but
on the field it does bring up some idiosyncrasies - everything works fine
independently, but do produce hiccups when trying to integrate multiple
Hope this helps.....
From: David J. Jackson [mailto:djackson () netdmz com]
Sent: Tuesday, November 25, 2003 10:42 AM
To: security-basics () securityfocus com
Subject: 802.1x RADIUS Deployment in Wireless LAN
Has anyone deployed RADIUS services in a WLAN environment and if so can you
give me (this list) some feedback as to your experience on the following:
- Design Difficulty?
- Ease of Installation?
- Software OS: Windows 2000, 2003, XP, Linux, Unix, etc.
- Ease of Deployment?
- Ease of Management?
- Dynamic or Static WEP Key Distribution?
I'm also looking for some more specific information on setting up RADIUS
authentication on the WLAN with cards that don't specifically say they
support 802.1x or RADIUS. If I'm using a RADIUS client or Windows XP with
built-in support for 802.1x and Smartcard Authentication, etc. does the
Wireless NIC have to support 802.1x or does it matter?
Also, I found a link on Microsoft's site on setting up RADIUS authentication
for Windows 2000 and Windows 2003 servers. Has anyone used these
articles/instructional guides and if so did they work properly?
Thanks very much in advance for your help with this.
David Jackson, GSEC
djackson () netdmz com