It is important to choose an 802.1x type that is most compatible with the
existing network. The available methods are LEAP, EAP, and PEAP. 802.1x does
not specify what authentication types to use. The main considerations when
choosing an authentication type are easy integration and adequate security.
Figure provides a listing of the major elements to consider before deploying
802.1x based security:
- Choose a method that fits in with the existing network.
- Choose a method that supports mutual authentication.
- Review the security policy and find out what 802.1x types are compatible.
Finally, look at the clients to be protected and choose the best way to secure the existing equipment.
LEAP
LEAP provides a complete WLAN solution. LEAP should be used when a single logon to the Windows NT domain
or Active Directory is required. Active Directory is an essential component of
the Windows 2000 architecture and presents organizations with a directory
service designed for distributed computing environments. Active Directory
allows organizations to centrally manage and share information on network
resources and users while acting as the central authority for network security.
In addition to providing comprehensive directory services to a Windows
environment, Active Directory is designed to be a consolidation point for
isolating, migrating, centrally managing, and reducing the number of
directories that companies require.
LEAP can also be used when dynamic WEP keys and mutual authentication are required. Remember that TKIP should be used to secure LEAP.
EAP-TLS
EAP should be used when there is a need to use digital certificates for user identification. EAP is the best
solution when there is an existing Public Key Infrastructure (PKI) in place.
PKI ensures that sensitive electronic communications are private and protected
from tampering. It provides assurances in the identities of the participants in
those transactions, and prevents their later denial of participation in the
transaction.
EAP-TLS can also be used to associate login with NT/2000 and Lightweight Directory Access Protocol (LDAP).
LDAP allows users to take advantage of directory services to integrate Network Registrar client and lease
information. By building on the existing standard schema for objects stored in LDAP directories, users can
handle information about Dynamic Host Configuration Protocol (DHCP) client entries. So, instead of
maintaining client information in the DHCP server database, the Network Registrar DHCP server can be asked
to issue queries to one or more LDAP servers for information in response to DHCP client requests.
PEAP
PEAP can be used when dynamic WEP keys and mutual authentication are required. Remember that TKIP should
be used to secure PEAP.
PEAP can also be used to associate login with NT/2000, LDAP, Novell Directory Services (NDS), one-time
password (OTP) servers, and Structured Query Language (SQL) database servers. When using PEAP, digital
certificates are required only on the server side.
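As an added example (not part of the original text), the two wpa_supplicant network blocks below contrast EAP-TLS, where the client presents its own certificate, with PEAP, where only the server is certificate-authenticated and the user supplies a password inside the TLS tunnel. In both cases the client pins the CA and the expected server name so that authentication is mutual; the SSID, file paths, identities and the RADIUS server name are assumed placeholders.

```conf
# EAP-TLS: PKI on both sides. The supplicant must hold a user certificate and
# private key issued by the organization's CA (assumed paths).
network={
    ssid="corp-wlan"                     # assumed SSID
    key_mgmt=WPA-EAP
    eap=TLS
    identity="alice@corp.example"        # assumed user identity
    ca_cert="/etc/ssl/certs/corp-ca.pem" # CA that issued the RADIUS server cert
    client_cert="/etc/ssl/certs/alice.pem"
    private_key="/etc/ssl/private/alice.key"
    private_key_passwd="CHANGE-ME"       # placeholder; protect this file
    # Reject the server unless its certificate matches the expected name,
    # so the client also authenticates the network (mutual authentication).
    domain_match="radius.corp.example"   # assumed server name
}

# PEAP: certificate only on the server side. The client authenticates with
# a directory password (MSCHAPv2) inside the TLS tunnel, so no user cert or
# key has to be deployed to the device.
network={
    ssid="corp-wlan"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"                     # assumed directory account
    password="CHANGE-ME"                 # placeholder
    ca_cert="/etc/ssl/certs/corp-ca.pem" # still required: without it the client
    domain_match="radius.corp.example"   # would accept any server's certificate
    phase2="auth=MSCHAPV2"
}
```

Omitting `ca_cert` and `domain_match` from the PEAP block is the common misconfiguration that turns a mutually authenticated method into a one-way one, since the inner password exchange is then protected only by a tunnel to an unverified server.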