Microsoft Corp.s newest wireless supplicant software brings Windows XP systems up to speed with the latest security standards, but it only highlights the enterprise need for technology that is not only interoperable among different vendors solutions but also bridges wired and wireless networks.
Microsofts WPA2-compliant 802.1x supplicant software—called (deep breath now) Wi-Fi Protected Access 2 Wireless Provisioning Services Information Element update for Windows XP with Service Pack 2—opens the door for wider adoption of strong wireless encryption and authentication. However, administrators should seriously consider third-party 802.1x supplicants instead—to provide a unified user experience across operating systems and hardware platforms, to simplify access policy management and control, and to pave the way for 802.1x adoption on the wired network.
In general, IEEE 802.1x supplicant software enables the strong authentication component of the IEEE 802.11i security standard, allowing client adapters to authenticate to protected wireless networks. However, 802.1x supplicant software is just one of the technology components needed on the client to achieve 802.11i wireless security: Client adapters must also support AES (Advanced Encryption Standard) encryption and have updated drivers that comply with the standard.
During tests, eWEEK Labs found Microsofts new supplicant effective and easy to deploy under the right conditions. However, the software is limited in features and interoperability, making it difficult to provide a unified user experience across the enterprise.
Microsofts WPA2 client integrated easily into our testbed, which included Cisco Systems Inc.s Aironet 1200 access points and Funk Software Inc.s Steel-Belted RADIUS Server 5.0. The supplicant allowed us to prioritize wireless networks and configure security settings with new support for AES-encrypted networks, in addition to its legacy support for WEP (Wired Equivalent Privacy) and TKIP (Temporal Key Integrity Protocol).
As with Microsofts earlier WPA-compliant supplicant, the new version supports only PEAP (Protected Extensible Authentication Protocol) and EAP-TLS (EAP-Transport Layer Security) transport mechanisms, so administrators must ensure these protocols are supported and enabled on the RADIUS server.
Enterprise customers may manage clients wireless settings through GPO (Group Policy Objects), but doing this requires a Windows Server 2003-based Active Directory. WPA2 support further requires that domain controllers have Windows 2003 Service Pack 1 or patch KB811233 installed.
Administrators dont need to rely on the operating system for 802.1x functionality, however, as wireless hardware vendors generally include compatible software with their client adapters. Software supplicants are also available from third-party vendors.
In fact, hardware makers often use their client software to help distinguish their products, adding easy-to-use network and access policy creation tools that support legacy operating systems. Unfortunately, unless companies maintain a homogeneous client hardware pool, administrators will find they must maintain and deploy separate profiles for every hardware type.
To avoid this, administrators can use third-party supplicants such as Meetinghouse Data Communications Aegis Client and Funk Softwares Odyssey Client. With their support for a wide array of operating systems and hardware platforms, support for 802.1x for wireless and wired adapters alike, and ability to create complex access connection profiles, these tools can be used to provide port-based authentication across the network—even before the user logs in to the operating system.
Meetinghouse provides the underlying 802.1x and WPA technology behind many hardware vendors profile software solutions, providing its Aegis Client API and WPA Toolkit through OEM relationships. Now, with its own branded Aegis Client, Meetinghouse has plans to further integrate client profile management into Aegis Server and is working closely within the Trusted Computing Group (www. trustedcomputinggroup.org) to leverage 802.1x to provide standards-based access controls and endpoint remediation for clients on the wired network.
Funk Software, also an active member of the TCG, provides incredibly in-depth control over the supplicant. Its Odyssey Client Manager includes a Client Administrator that allowed us in tests to build profiles into an .msi we could deploy via GPO. Through policy, we could disable support for unwanted authentication methods or deny access to unauthenticated or peer networks.
Technical Analyst Andrew Garcia can be reached at [email protected].