Summary

In this chapter, we discussed the 802.1x framework and EAP authentication methods. 802.1x has three basic components: a supplicant, an authenticator, and an authentication server. When you are selecting hardware for your environment, always remember that 802.1x (as well as your chosen EAP method) must be supported across all components.

802.1x is extremely effective in securing 802.11 networks because it supports dynamic key generation and is not vulnerable to the many attacks that have plagued the 802.11 protocol. Unlike legacy WEP, which used static keys that everybody shared, 802.1x can generate dynamic, per-user or per-session keys. Furthermore, now that we can uniquely identify users, we can perform all kinds of AAA activities that were never before possible. This enables per-user policy enforcement (such as time/date restrictions). For example, once we know it is Stephanie from Accounting logging on to the wireless network, we can do things like block access because it's after a certain time. This was never possible with systems based on legacy WEP.

Remember that 802.1x is simply a framework for talking EAP across a wired or wireless network. EAP itself is also a framework for using multiple authentication methods. Therefore, the EAP type you choose will be the primary driver behind how hard it will be to implement 802.1x, as well as how secure the network will be. Some EAP methods are harder to install than others (because they require a PKI), and some will be more secure than others (because they rely on a more advanced encryption algorithm or security technique). All of these factors must be considered carefully when choosing an EAP method.
