Third-Party 802.1X Clients/Supplicants for Windows, Linux or Mac OS X

Using Third-Party 802.1X Clients on Windows, Linux or Mac

By Eric Geier (NoWiresSecurity Founder & CEO) - originally published on EnterpriseNetworkingPlanet.com

Whether you're using 802.1X authentication for enterprise Wi-Fi encryption and/or for locking down the wired ports, you must use an 802.1X client on the end-user computer or device.

You might also hear the client referred to by its technical role as the supplicant. This is a small piece of software that understands the Extensible Authentication Protocols (EAP) and interacts with the Authenticator (wireless access point or wired switch), which in turn talks to the RADIUS/AAA server to complete the circuit.

Microsoft has included native support for 802.1X authentication since Windows XP, supporting two popular EAP types: EAP-TLS (server and client certificate authentication) and EAP-PEAP (server-only certificate authentication).

If you're working with a more current 802.1X roll-out, you can likely just use the built-in client of Windows. However, in some cases you might have to or prefer to use a third-party client; here are a few examples:

If the network is made up of Cisco gear, you might prefer to use Cisco's EAP protocol (EAP-FAST), which isn't natively supported by Windows.
Some clients even give you additional functionality, such as the ability to block users from changing the 802.1X client settings, so they can't open themselves up to potential attacks by local eavesdroppers.
Some clients also include deployment tools to help distribute the digital certificates to clients for when using protocols like EAP-TLS or EAP-PEAP with a self-signed certificate.
For uniformity of configuration over multiple operating systems.

XSupplicant by Open1X

The first third-party 802.1X client we're going to look at is XSupplicant, an open source project maintained by Open1X and backed by OpenSEA. It supports both wireless and wired authentication. It offers a GUI application for both Windows (only XP) and Linux to manage your Wi-Fi interface and to configure the authentication settings. The biggest advantage of using this aftermarket supplicant is the wide range of EAP types supported:

EAP-AKA
EAP-FAST
EAP-GTC
EAP-LEAP
EAP-MD5
EAP-MSCHAPv2
EAP-OTP
EAP-PEAP
EAP-SIM
EAP-TLS
EAP-TNC
EAP-TTLS

Unfortunately, XSupplicant doesn't offer additional security or deployment features. However, it does include a logging feature and the ability to easily set advanced authentication settings and timers.

SecureW2 Enterprise Client

The SecureW2 Enterprise Client is a commercial solution by SecureW2 B.V. (a Dutch Corporation), supporting both wireless and wired connections. They provide a GUI application for Windows (up to Windows 7) and Windows Mobile to configure the authentication settings. This works right alongside the built-in wireless utility of Windows without replacing it, unlike most other 802.1X supplicants.

The SecureW2 Enterprise Client supports the following EAP types:

EAP-GTC
EAP-PEAP
EAP-SIM
EAP-TTLS

This client provides a few interesting security enhancements over what Windows provides. It can, for example, disable the Wi-Fi when a wired connection is established. The client can also lockdown the authentication settings after deployment to prevent tampering or accidental changes.

SecureW2 can also help out on the deployment. It can provision the authentication settings via XML, INF or INI for silent and non-silent installations. It can also create MSI packages containing both the settings and the X.509 Certificates.

Cisco Secure Services Client

Of course, if you're using Cisco gear you might consider using their solution, the Cisco Secure Services Client. It's a GUI application currently available for Windows 2000, XP, and Vista. It's actually a rebranded and updated version of Meetinghouse's old AEGIS SecureConnect software application. It provides support for a variety of EAP types, including their own:

EAP-FAST
EAP-GTC (Windows 2000/XP only)
EAP-LEAP
EAP-MD5 (Windows 2000/XP only)
EAP-PEAP
EAP-TLS (Windows 2000/XP only)
EAP-TTLS (Windows 2000/XP only)

The Cisco Secure Services Client features integrated VPN client capabilities, XML-based provisioning of authentication details, and the ability prevent configuration changes by the end-users.

WPA_Supplicant

The wpa_supplicant is an open source project designed for Linux, BSD, Mac OS X, and Windows. Its main advantage is the portability of different drivers and operating systems. It includes a text-based frontend (wpa_cli) along with a GUI (wpa_gui). It also supports a long list of EAP types:

EAP-AKA
EAP-FAST
EAP-GPSK
EAP-GTC
EAP-IKEv2
EAP-LEAP
EAP-MD5
EAP-MSCHAPv2
EAP-OTP
EAP-PAX
EAP-PEAP
EAP-SAKE
EAP-SIM
EAP-TLS
EAP-TNC
EAP-TTLS

Unfortunately, the wpa_supplicant doesn't offer security or deployment enhancements like some of the other clients. However it does include support for Wi-Fi Protected Setup (WPS), great if you're using WPA/WPA2-PSK and aren't already using an OS (like Windows 7) that natively supports it.

XpressConnect From Cloudpath Networks

XpressConnect from Cloudpath Networks isn't an 802.1X supplicant, but enhances the built-in clients of operating systems. It helps configure and distribute the 802.1X authentication settings among Windows, Mac OS X, Ubuntu, and handheld devices, including iPhone. It even helps you manage the firewall settings, Windows Automatic Updates, and the deployment of hotfixes.

XpressConnect uses unique techniques to provision the configuration, which includes using an open SSID, a CD, a USB flash drive, or Group Policy (GPO). It will create the wireless profile, resolve third-party wireless utility conflicts, and configure the 802.1X supplicant. It's wizard-based and easily guides the user through the 802.1X process.