Security Basics mailing list archives
RE: 802.1x RADIUS Deployment in Wireless LAN
From: shankarnarayan.d () netsol co in
Date: Wed, 26 Nov 2003 12:27:09 +0530
Hi,

Have designed and implemented wireless networks with RADIUS for many of our customers, and the same are working fine. We primarily work with Cisco as our partner, and these cards do support 802.1X. Have used the Cisco Aironet 1200 series AP with Cisco 352 client cards / Intel Centrino based laptops / Orinoco and Cisco ACS v3.2 - the discussion below is based on those components.

Going into your questions:

1. Design of a wireless network involving RADIUS is not very difficult if you are clear on what you want it to do. There are a large number of different types of RADIUS based EAP authentication mechanisms - LEAP (Cisco proprietary), EAP-TLS, EAP-TTLS (Funk promoted, now well accepted in the wireless community), PEAP (promoted by MS and Cisco), WPA / TKIP and finally a Cisco proprietary IBNS (enter your user name and password and you get assigned to a predefined SSID - Cisco supports 16 of them on the same AP and calls this a VLAN capability). If you were to look at each of these, LEAP is pretty easy to design - among the easiest. EAP-TLS and EAP-TTLS, we have found, are among the more painful ones to design as they involve integration of multiple components over and above just RADIUS (EAP-TTLS is easier than EAP-TLS). WPA / TKIP based designs are pretty much OK with RADIUS. IBNS was the toughest, trying to get RADIUS to integrate with ADS - there are a huge bunch of factors to think up when designing this one. Never tried PEAP.

2. LEAP was easiest to install. EAP-TTLS (Funk provides some pretty neat ways to help overcome problems that EAP-TLS using a Microsoft CA presents - the Odyssey clients and Steel Belted RADIUS eval copies are available on www.funk.com) and EAP-TLS were tougher to install, and IBNS was the worst (primarily due to some Microsoft based password caching problems - peculiar problems of sometimes not re-authenticating, other times automatically authenticating even without asking for a password, or suddenly asking for re-authentication - we scoured the web for a full two days before we cracked that one).

3. OS: ranges from Win2K (ACS on Win2K Adv Server and clients on Win2K Professional) to XP - never tried on UNIX or the likes.

4. Ease of management: WPA / TKIP produced the best management, LEAP was decent, EAP-TLS and EAP-TTLS (due to the CA stuff) were and are pretty difficult to manage. IBNS is pretty easy to manage once deployed, but to get it deployed was hell (at least for us).

5. Keys were dynamic wherever we deployed wireless.

With regard to implementation, Cisco provides excellent documentation throughout its website, and these can be efficiently used for both design and implementation. The Cisco SAFE series carries beautiful explanations and step by step configuration. Somehow, have not found any problems with using Cisco documentation - even as a novice when first implementing wireless. Yes, the ACS does contain so many options that you can sometimes be confused about what it is you are doing, but Aironet configs - using the web interface - were pretty easy to get along with. However, integration with other components - yes, a new guy will face problems if he is not very aware of the technology or if he is not sure about what he wants.

The MS documentation on RADIUS did actually work in a lab test setup - but in the field it does bring up some idiosyncrasies - everything works fine independently, but does produce hiccups when trying to integrate multiple components.

Hope this helps.

Rgds,
Shankar

-----Original Message-----
From: David J. Jackson [mailto:djackson () netdmz com]
Sent: Tuesday, November 25, 2003 10:42 AM
To: security-basics () securityfocus com
Subject: 802.1x RADIUS Deployment in Wireless LAN

Has anyone deployed RADIUS services in a WLAN environment, and if so can you give me (this list) some feedback as to your experience on the following:

- Design difficulty?
- Ease of installation?
- Software OS: Windows 2000, 2003, XP, Linux, Unix, etc.
- Ease of deployment?
- Ease of management?
- Dynamic or static WEP key distribution?

I'm also looking for some more specific information on setting up RADIUS authentication on the WLAN with cards that don't specifically say they support 802.1x or RADIUS. If I'm using a RADIUS client or Windows XP with built-in support for 802.1x and smartcard authentication, etc., does the wireless NIC have to support 802.1x, or does it matter?

Also, I found a link on Microsoft's site on setting up RADIUS authentication for Windows 2000 and Windows 2003 servers. Has anyone used these articles/instructional guides, and if so did they work properly?

Thanks very much in advance for your help with this.

David Jackson, GSEC
djackson () netdmz com