6 Open Source Projects for 802.1X Network Authentication
By Eric Geier (NoWiresSecurity Founder
& CEO) - originally published on
LinuxPlanet
The 802.1X authentication protocol
plays a major role in Wi-Fi security of business networks. It
enables the Enterprise flavor of Wi-Fi Protected Access (WPA and
WPA2) encryption for wireless networks, and can also provide
authentication on the wired side. Here are six open source projects
that deal with 802.1X authentication:
FreeRADIUS
FreeRADIUS is probably the most
important contribution to 802.1X from the open source community.
It's a popular Remote Authentication Dial In User Service (RADIUS)
server that can provide the Authentication, Authorization, and
Accounting (AAA) for 802.1X and numerous other protocols. FreeRADIUS
can save you from buying a commercial server like Radiator or
Elektron, saving hundreds or thousands of dollars.
FreeRADIUS can install and run on Linux, Mac OS X, and other
Unix-like operating systems. As you'll see in the next section, you
can even run it on Windows. FreeRADIUS works with all the major 802.1X
clients (supplicants) and operating systems.
FreeRADIUS can handle all the popular 802.1X protocols, such as PEAP,
EAP-TLS, and EAP-TTLS. For the user database, it supports local
files, LDAP, Active Directory, MySQL, and more. FreeRADIUS is also
highly customizable with the configuration files, RADIUS attributes,
and source code changes.
If you haven't worked much with Linux and RADIUS servers, there'll
be a learning curve. It's not GUI-based; you set everything up in
configuration files. However, FreeRADIUS is now quite easy to set up
for 802.1X. The server certificate is auto-generated and you should
only have to make a few changes to the configuration files. If you
need help, refer to a previous tutorial I wrote for another
Internet.com site.
FreeRADIUS.net
FreeRADIUS.net is a win32 distribution
of FreeRADIUS with MySQL support that can install and run on Windows
XP. Currently, it uses FreeRADIUS version 1.1.7, one of the last 1.x
releases. Keep in mind, there have been major improvements in the
2.x versions, with the latest version being 2.1.9.
If you want to use a more current FreeRADIUS release, consider
building your own version with Cygwin. You can refer to the
FreeRADIUS.net homepage for instructions on how to do this with
versions 2.0.x and below.
Once you install FreeRADIUS.net, you'll see a system tray icon for
it. The menu has shortcuts to the main configuration files and
directories. Here you can also start, stop, and restart the server,
put it into debug mode, and access the command shell. The help files
include the manual pages and other helpful information.
WPA_Supplicant
The open source community has also
made contributions on the client side. You'll see 802.1X clients
also referred to as supplicants. One of these is wpa_supplicant.
wpa_supplicant is an open source project designed for use on
Linux, BSD, Mac OS X, and Windows. Its main advantage is its
portability across different drivers and operating systems (OSs).
Though Microsoft and Apple have now designed their own native clients,
wpa_supplicant still provides for the open source OSs.
XSupplicant
Another open source 802.1X client is
XSupplicant from Open1X, backed by the OpenSEA. It supports wireless
and wired authentication for Windows and Linux. Like wpa_supplicant,
it supports numerous EAP types.
SU1X 802.1X Configuration Deployment Tool
One of the major hurdles of
implementing 802.1X is client configuration. End-users can't just
connect to an 802.1X network. The proper authentication settings must
be set in order to connect, and sometimes certificates need to be
installed.
To eliminate headaches for the end-users and support team,
administrators can preconfigure these settings for end-users by
creating a network profile for them and installing any required
certificates. If the network is running a Windows Server with Active
Directory, the settings and certificates can be pushed to clients
using Group Policy. The Netsh utility can also help push settings to
Windows clients. However, these two approaches don't apply to
computers outside the domain, such as the end-users' own laptops.
For cases where end-users bring their own devices, such as in
educational institutions, administrators can create a wizard that
automatically configures the authentication settings by creating the
network profile for the end-user. The open source SU1X 802.1X
Configuration Deployment Tool is one solution that can help
administrators create the wizard. If you want to consider commercial
products, or want a comparison, see my recent reviews of the
XpressConnect and Quick1X solutions.
In addition to setting the basic 802.1X settings, the SU1X 802.1X
tool can install certificates, turn on NAP, and edit the preferred
network profiles. It can also add or remove networked printers and set
proxy server settings for IE and Firefox. The wizard's operations
and branding can even be customized by editing the INI file.
radclient
During the installation of any RADIUS
server, you'll need to do testing. Even after the initial
implementation, you might make changes or add RADIUS attributes. For
testing you can use real client devices, but you might also find it
convenient to use radclient when working in Linux.
This is an open source RADIUS client program you can use at the
command-line. It sends packets to a RADIUS server using the
attributes you specify and it will show the replies. If you're
running FreeRADIUS, radclient is already installed.
You might also want to check other (closed source but free)
utilities: Radlogin, NTRadPing, and RADIUS Test Rig Utility.