Securing Wireless LANs: Authentication

Inherently flawed security protocols and a strong grassroots push to adopt wireless local-area networks (LANs) are creating substantial security risks for enterprises. The first priority should be to establish a comprehensive policy to address wireless de
Written by Chris Kozup, Contributor

META Trend: The campus/LAN will become increasingly application aware (2003/04), as products incorporate expanded services such as quality of service, security, and user-based policy. By YE02, 75% of Global 2000 firms will trial wireless LANs, with 90% having some production deployment by 2005/06. IEEE 802.11a will become the dominant standard in 2003 (morphing into 802.11h for Europe), coexisting with 802.11b. Organizations will augment security using external components (e.g., authentication services, VPNs) as native wireless LAN security improves incrementally during 2002/03.

The lack of strong wireless security continues to limit enterprise adoption of wireless LANs, due to the perceived high risk associated with deployment. Enterprises deciding against deploying wireless LANs will still face increasing user demand and must aggressively address the potential for rogue access points within the enterprise network. Previously, META Group outlined its recommended approach for ensuring adequate security for wireless networks. During the past year, products and standards have matured, yet much variation in implementing and supporting wireless LAN security standards remains. During 2003, wireless LAN standards will fluctuate, as the IEEE, the Wi-Fi Alliance, and individual manufacturers attempt to simplify what has already become an incredibly complex initiative. As a result of the current complexity in securing wireless LANs in a non-vendor-specific fashion, many enterprises will choose to use virtual private networks (VPNs - e.g., IPSec). META Group does not believe, however, that VPNs will be the preferred method (except for extremely security-conscious environments) in 18-24 months, after the security standards are ratified and supported across mixed vendor platforms.

By YE03, the IEEE 802.11i draft standard will be ratified, incorporating both TKIP and AES (Advanced Encryption Standard). Although the industry will remain open to multiple types of port-based authentication via the IEEE 802.1x standard, PEAP (Protected Extensible Authentication Protocol) will become the de facto standard by 2004/05, based on Microsoft’s integration into Windows XP and 2000. By 2007, user and port-based authentication using the 802.1x extensible authentication standard will be common within the campus/LAN, with enterprises relying on this approach for authentication of wireless and wired devices. Availability of 802.1x authentication will enable networking and security professionals to enforce policies based on user and device credentials, essentially allowing or denying access to corporate resources at a port level across the entire enterprise. Investments in back-end authentication servers for wireless devices will be leveraged across wired domains by 2005.

Wireless Authentication
Although IEEE 802.1x is a ratified standard (see Figure 1), actual implementation is still highly variable - especially across non-enterprise-class vendors. Furthermore, the EAP types used within the 802.1x framework continue to evolve, with new protocols in development and existing protocols often remaining highly vendor-specific (see Figure 2). Successful deployment of an 802.1x framework for wireless LAN security will require significant integration. Users will need to assess the types of authentication they wish to support (e.g., passwords, tokens, certificates), their existing support for RADIUS, and the client operating systems they are required to support. Each of these factors will play a direct role in determining the degree to which 802.1x can be effectively deployed across the wireless network. While the short-term (12-18 month) prognosis has enterprises performing significant integration to adequately support the solution, by 2Q04 we anticipate not only broad acceptance of the 802.1x standard but, more importantly, consolidation of specific EAP types, favoring one or two de facto standards.

Competing Authentication Types
Despite the market’s rallying behind development of a ubiquitous standards-based security approach for wireless LANs, many vendors continue to pursue their own agendas. This is apparent when evaluating specific EAP types. Microsoft initially announced support for EAP-TLS (Transport Layer Security), but EAP-TLS was limited to Windows XP and implied the use of client-side certificates (i.e., PKI); as a result, it was not adopted by the vast majority of enterprises. Cisco brought to market its Lightweight Extensible Authentication Protocol (LEAP), which initially tied enterprises to Cisco adapters, access points, and RADIUS servers, yet could be supported across a wide variety of operating systems (as shown in Figure 2). Cisco then took steps to license LEAP to third-party vendors, in hopes of driving the market. Support for LEAP on the client side requires either a Cisco adapter or a third-party software supplicant such as those provided by Funk Software and Meetinghouse - with both scenarios adding cost to wireless deployment. Cisco LEAP is not a long-term solution due to its reliance on Cisco hardware. Users may consider LEAP a tactical short-term solution, but they should ultimately move to deploy an EAP type that is not tied to a specific vendor’s hardware.

Two EAP types that do not require user certificates (as EAP-TLS does) offer secure “tunneling” of the inner authentication exchange. Funk Software has proposed the EAP-TTLS protocol, which is supported across a broad spectrum of client operating systems and is implemented via a software supplicant. The protocol is hardware-agnostic, yet it is not supported on Cisco’s or Microsoft’s RADIUS platforms. As a competitive response to Funk Software’s EAP-TTLS, Microsoft, Cisco, and RSA have proposed PEAP, which is very similar to EAP-TTLS. However, PEAP is currently supported only on Windows XP and Windows 2000, and its exact implementation varies between Cisco and Microsoft. Microsoft’s variant does not support token-based authentication, limiting users to Active Directory or NT Domain authentication only. By 2Q04, we expect Microsoft’s variant of PEAP to become the major de facto standard, with EAP-TTLS persisting in cases where support for non-EAP inner authentication types is required.
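To make the client-side trade-offs between the EAP types discussed in the two paragraphs above concrete, here is a constructed wpa_supplicant.conf (an added example, not configuration from the article or from any vendor it names) with one network block per method; the SSID, identities, passwords, RADIUS host name and certificate paths are placeholders. It shows what each method demands of the client: a per-user certificate and private key for EAP-TLS, only a trusted CA plus a password for the tunneled PEAP and EAP-TTLS methods, and for EAP-TTLS a non-EAP inner method (PAP) that PEAP cannot carry.

```ini
# wpa_supplicant.conf -- constructed illustration, not from the article.
# SSID, identities, passwords, host names and certificate paths are placeholders.
ctrl_interface=/var/run/wpa_supplicant

# EAP-TLS: mutual certificate authentication. Every client needs its own
# certificate and private key, i.e. a PKI, which is the adoption barrier
# the article describes.
network={
    ssid="corp-wlan"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="alice@example.com"
    ca_cert="/etc/cert/corp-ca.pem"
    client_cert="/etc/cert/alice.pem"
    private_key="/etc/cert/alice.key"
    private_key_passwd="placeholder"
}

# PEAP (Microsoft variant): TLS tunnel to the RADIUS server, then an inner
# EAP method (MSCHAPv2 against Active Directory / NT domain credentials).
# Only the server presents a certificate; ca_cert and domain_suffix_match
# restrict which server certificate the client will accept for the tunnel.
network={
    ssid="corp-wlan"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    anonymous_identity="anonymous"
    password="placeholder"
    ca_cert="/etc/cert/corp-ca.pem"
    domain_suffix_match="radius.example.com"
    phase2="auth=MSCHAPV2"
}

# EAP-TTLS: the same tunneling idea, but the inner method may be a
# non-EAP legacy protocol (here PAP, the form many token and legacy
# password back-ends require), which PEAP cannot carry.
network={
    ssid="corp-wlan"
    key_mgmt=WPA-EAP
    eap=TTLS
    identity="alice"
    anonymous_identity="anonymous"
    password="placeholder"
    ca_cert="/etc/cert/corp-ca.pem"
    domain_suffix_match="radius.example.com"
    phase2="auth=PAP"
}
```

A real client keeps only the block matching the deployed method; the ca_cert line in the two tunneled blocks is what makes the tunnel trustworthy, since without it the supplicant would accept any server certificate before sending the inner credentials.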

Help From Third-Party Vendors
Given the relatively slow pace of Microsoft’s expansion of support for 802.1x and PEAP within its various operating systems, a number of third-party vendors have emerged to bridge existing gaps on the client and server sides (see Figure 3). Funk Software, currently the best-known vendor in the market, has proposed the EAP-TTLS protocol but also supports Cisco’s LEAP, allowing customers to run LEAP on non-Cisco adapters. Meetinghouse has also done substantial work supporting the various implementations of PEAP while also supporting LEAP and EAP-TTLS. Client-side list pricing ranges from $40 to $50, with substantial discounts (50%+) for bulk purchases. By 2004/05, viability of the client-side market will decrease, due to Microsoft’s push for deployment of Windows XP and backward support for 802.1x in Windows 2000. However, these vendors will maintain a strong focus on improving ease of management and control of RADIUS-based authentication on the server side.

Business Impact: A comprehensive policy for securing wireless networks is imperative to maintain the integrity of the enterprise.

Bottom Line: Port-based access control using EAP authentication over IEEE 802.1x will increasingly become a viable and recommended approach to securing wireless LANs. However, initial deployments will require extensive integration and careful planning across front- and back-end infrastructure.

META Group originally published this article on 10 January 2003
