The administrator experience: adding strong authentication
There are generally three ways to use strong authentication systems to protect wireless LANs:
1. EAP and 802.1X. Specialized authentication servers can interoperate with strong authentication services using the Extensible Authentication Protocol (EAP) and 802.1X infrastructure. This combination is much more secure than competing standards. EAP and 802.1X are used to control access to network devices, including wireless LANs. These standards have been embraced by a number of leading hardware and software vendors including Cisco, Microsoft, and Hewlett-Packard, and many products, designed for both wireless and wired networks, already implement these standard. Only certain types of EAP protocols, like TTLS (Tunneled Transport Layer Security) and PEAP (Protected EAP), support strong authentication.
2. Wireless access control appliances. Because Web-based authentication is easy to deploy, it is becoming more pervasive. One solution to use Web-based authentication with wireless LANs is called an access control appliance, a firewall-like device that sits between the wireless access point and the rest of the network. These appliances force wireless users to authenticate at the application level (typically from their Web browsers over HTTPS) before receiving access to the rest of the network. In this setup, anybody can connect to the wireless access point without authentication, but users must authenticate in order to get beyond the local subnet to organizations' trusted networks. Interoperability with strong authentication systems is often accomplished using the RADIUS protocol.
3. Virtual private networks. VPNs are traditionally used to link internal networks across an insecure network, or for remote access. More and more organizations are using VPNs to wireless LAN connections by connecting the wireless client to an internal network via the VPN gateway through an encrypted tunnel. This ensures the authenticity and secrecy of the information as it is passes across insecure networks. To securely authenticate VPN users (whether wireless or not), strong authentication can be added (often using the common RADIUS protocol) to provide a high level of security recommended by experts.
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.