Windows Supports Net Access Control
May 19, 2003

Support for 802.1x port-based network access control in Windows can keep unauthorized devices off both wired and wireless LANs, and on wireless LANs it is the foundation for the WPA encryption that stops eavesdropping. Windows Server 2003 and Windows XP are the first Microsoft OSs with native support for 802.1x, which 802.1x-capable wireless access points and managed Ethernet switches use to keep unauthenticated or unauthorized devices off the network entirely, or to confine them to a restricted part of it. However, implementing 802.1x requires network equipment designed for it.

What Is 802.1x?

802.1x is a networking standard from the Institute of Electrical and Electronics Engineers (IEEE) that authenticates and authorizes a device attached to a LAN "port" before the port will carry anything beyond the authentication traffic itself. This improves security by keeping unauthorized devices off the network and by denying an attacker the link-layer access needed to attack servers and other network resources directly.

In practice, two common LAN devices can use 802.1x: managed Ethernet switches and 802.11-based wireless access points (APs).

Ethernet switches. For an Ethernet switch, the ports are its RJ-45 jacks. Without 802.1x, any computer plugged into a switch port is a full member of the subnet: it receives every broadcast from the other devices, which lets an attacker enumerate their IP addresses and then probe them for exploitable weaknesses.

Wireless LANs. In the case of wireless LANs, the AP treats each client’s association with it as a logical port. Without 802.1x, anyone in range of the AP with a wireless adapter can associate with it, capture other clients’ traffic, and use what is learned to get further into the network; attackers can also simply steal service on the LAN. Even APs using Wired Equivalent Privacy (WEP) security are at risk because WEP uses one shared encryption key that can be recovered with readily available tools. 802.1x by itself performs no encryption, so on its own it does not stop eavesdropping, but it is the foundation of the enterprise mode of Wi-Fi Protected Access (WPA), which is replacing WEP. WPA uses the key material that 802.1x delivers securely to each wireless client during authentication to derive per-client encryption keys, rather than one key shared by everyone.

Some 802.1x-enabled Ethernet switches and wireless APs can place unauthenticated "guest" devices on a separate "virtual LAN" (VLAN) that reaches only a restricted area of the network, or only the Internet. For example, a company may want visitors to reach the Internet over the same wireless network its employees use, without exposing internal servers and other resources. The VLAN assignment alone does not enforce that restriction; the guest VLAN still needs its own filtering at the router or firewall.
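The exchange described above, as an added example written for this page rather than code from Microsoft or from the IEEE standard: a Python simulation of one controlled port in which the supplicant and the authenticator trade EAPOL frames, the authenticator relays the EAP packets to the authentication server, and the port ends up authorized, blocked, or on the guest VLAN. The EAP method (MD5-Challenge, chosen because it is the simplest real method; it derives no keys, so it is usable only on wired ports and never for WPA), the identities, the password and the VLAN numbers are all assumptions made for the example, and the in-process AuthServer stands in for IAS without the RADIUS transport.

```python
"""Worked 802.1x exchange on one controlled port: EAPOL frames between the
supplicant and the authenticator (switch or AP), EAP-MD5-Challenge as the
method (RFC 3748 section 5.4), and the port's resulting state. Identities,
password and VLAN numbers are constructed for this example."""
import hashlib
import hmac
import os
import struct

EAPOL_EAP, EAPOL_START, EAPOL_LOGOFF = 0, 1, 2            # 802.1X-2001 packet types
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_IDENTITY, EAP_MD5 = 1, 4                              # EAP method types used here


def eapol(ptype, body=b""):
    """EAPOL header: protocol version 1, packet type, body length."""
    return struct.pack("!BBH", 1, ptype, len(body)) + body


def eap(code, ident, etype=None, data=b""):
    """EAP packet: code, identifier, total length, then type and type-data
    for Request/Response; Success and Failure carry neither."""
    body = b"" if etype is None else bytes([etype]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def parse_eap(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    return code, ident, (pkt[4] if length > 4 else None), pkt[5:length]


class Supplicant:
    """802.1x client software on the attached device (the Windows XP
    built-in supplicant plays this role)."""

    def __init__(self, identity, password):
        self.identity, self.password = identity, password

    def handle(self, frame):
        """Answer an EAP-Request delivered inside an EAPOL frame."""
        _, ident, etype, data = parse_eap(frame[4:])
        if etype == EAP_IDENTITY:
            return eapol(EAPOL_EAP, eap(EAP_RESPONSE, ident, EAP_IDENTITY, self.identity))
        if etype == EAP_MD5:
            challenge = data[1:1 + data[0]]                   # value-size, value, name
            digest = hashlib.md5(bytes([ident]) + self.password + challenge).digest()
            return eapol(EAPOL_EAP, eap(EAP_RESPONSE, ident, EAP_MD5, bytes([16]) + digest))
        return None


class AuthServer:
    """Stands in for the authentication server (IAS): holds credentials and
    runs the EAP method; the authenticator only relays EAP packets to it."""

    def __init__(self, users):
        self.users, self.identity, self.challenge = users, None, None

    def handle(self, pkt):
        """Return (next EAP packet, VLAN to assign on success or None)."""
        _, ident, etype, data = parse_eap(pkt)
        if etype == EAP_IDENTITY:
            self.identity, self.challenge = data, os.urandom(16)
            return eap(EAP_REQUEST, ident + 1, EAP_MD5, bytes([16]) + self.challenge), None
        if etype == EAP_MD5 and self.identity in self.users:
            password, vlan = self.users[self.identity]
            expect = hashlib.md5(bytes([ident]) + password + self.challenge).digest()
            if hmac.compare_digest(data[1:17], expect):
                return eap(EAP_SUCCESS, ident + 1), vlan
        return eap(EAP_FAILURE, ident + 1), None


class Authenticator:
    """One 802.1x-controlled port. Until EAP-Success arrives the port passes
    only EAPOL; a device that never answers may be placed on a guest VLAN."""

    def __init__(self, server, guest_vlan=None):
        self.server, self.guest_vlan = server, guest_vlan
        self.state, self.vlan = "unauthorized", None

    def authenticate(self, supplicant):
        frame = eapol(EAPOL_EAP, eap(EAP_REQUEST, 1, EAP_IDENTITY))
        while True:
            # A real authenticator re-sends the Identity request a few times
            # before concluding there is no supplicant; one try suffices here.
            reply = supplicant.handle(frame) if supplicant is not None else None
            if reply is None:
                if self.guest_vlan is not None:
                    self.state, self.vlan = "guest", self.guest_vlan
                return self.state, self.vlan
            pkt, vlan = self.server.handle(reply[4:])    # carried to IAS over RADIUS in practice
            if pkt[0] == EAP_SUCCESS:
                self.state, self.vlan = "authorized", vlan
                return self.state, self.vlan
            if pkt[0] == EAP_FAILURE:                    # bad credentials: port stays blocked
                return self.state, self.vlan
            frame = eapol(EAPOL_EAP, pkt)


USERS = {b"CORP\\alice": (b"correct horse", 10)}          # constructed credential store


def scenario(identity=None, password=None, guest_vlan=20):
    """Bring one port up with the given client and report (state, vlan)."""
    port = Authenticator(AuthServer(USERS), guest_vlan)
    client = Supplicant(identity, password) if identity is not None else None
    return port.authenticate(client)


if __name__ == "__main__":
    print(scenario(b"CORP\\alice", b"correct horse"))     # ('authorized', 10)
    print(scenario(b"CORP\\alice", b"wrong"))             # ('unauthorized', None)
    print(scenario())                                     # ('guest', 20)
    print(scenario(guest_vlan=None))                      # ('unauthorized', None)
```

Note the division of labour the example makes visible: the switch or AP never sees the password or the credential store, it only relays EAP and acts on the final Success or Failure, which is why the authentication server (IAS in the Windows case) and not the switch is where the policy lives. A device with no supplicant at all, such as a printer, is the case the guest VLAN exists for; a device that tries and fails is left blocked.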

How Windows Supports 802.1x

To use 802.1x, organizations need APs (in the wireless case) or Ethernet switches (in the wired case) that support 802.1x; a server infrastructure that provides authentication services; and 802.1x client-side software on the devices. Recent versions of Windows provide both the server infrastructure and the client-side software. (For a graphical overview and more details, see the illustration "Implementation of 802.1x in a Windows Environment".)

In particular, Windows Server 2003’s Internet Authentication Service (IAS), Microsoft’s RADIUS server, can act as the 802.1x authentication server: the switch or AP relays the client’s EAP authentication traffic to IAS over RADIUS, and IAS checks the credentials against Active Directory and tells the switch or AP whether to open the port.
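What that RADIUS leg looks like on the wire, as an added example written for this page (not Microsoft’s code and not from the page’s sources): the switch or AP wraps the client’s EAP response in an Access-Request protected by a Message-Authenticator, the server validates it and returns an Access-Accept carrying the VLAN to assign, and the switch verifies the Response Authenticator before opening the port. The shared secret, identity and VLAN are constructed, the intermediate Access-Challenge round trips of the EAP method are skipped, and only the parts of RFC 2865 and RFC 3579 needed here are implemented.

```python
"""RADIUS leg of an 802.1x authentication: the authenticator (switch or AP)
forwards the supplicant's EAP-Response inside an Access-Request, and the
RADIUS server answers Access-Accept with a VLAN assignment. Packet format per
RFC 2865; Message-Authenticator per RFC 3579, which requires it on every
packet that carries EAP-Message. Secret, identity and VLAN are constructed."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 79, 80
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
SECRET = b"hypothetical-shared-secret"   # configured on both the switch/AP and the server


def build_packet(code, ident, authenticator, attrs, secret):
    """Serialise header + TLV attributes, appending Message-Authenticator:
    HMAC-MD5 keyed with the shared secret over the whole packet with that
    attribute's value zeroed (RFC 3579 section 3.2)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v
                    for t, v in attrs + [(MESSAGE_AUTHENTICATOR, bytes(16))])
    pkt = struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()


def attributes(pkt):
    """Yield (type, value, value_offset) for each attribute in the packet."""
    pos = 20
    while pos < len(pkt):
        atype, alen = pkt[pos], pkt[pos + 1]
        yield atype, pkt[pos + 2:pos + alen], pos + 2
        pos += alen


def verify_message_authenticator(pkt, secret, request_authenticator=None):
    """For responses the HMAC is computed with the *request* authenticator
    in the authenticator field, so the caller supplies it."""
    for atype, value, off in attributes(pkt):
        if atype == MESSAGE_AUTHENTICATOR:
            auth = request_authenticator or pkt[4:20]
            zeroed = pkt[:4] + auth + pkt[20:off] + bytes(16) + pkt[off + 16:]
            return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), value)
    return False


def build_response(code, ident, request_authenticator, attrs, secret):
    """Compute Message-Authenticator with the request authenticator in place,
    then fill the field with the Response Authenticator
    MD5(code | id | length | request auth | attributes | secret) (RFC 2865)."""
    pkt = build_packet(code, ident, request_authenticator, attrs, secret)
    resp_auth = hashlib.md5(pkt[:4] + request_authenticator + pkt[20:] + secret).digest()
    return pkt[:4] + resp_auth + pkt[20:]


def verify_response(pkt, request_authenticator, secret):
    """Switch/AP side check before acting on any Accept or Reject."""
    expected = hashlib.md5(pkt[:4] + request_authenticator + pkt[20:] + secret).digest()
    return (hmac.compare_digest(expected, pkt[4:20])
            and verify_message_authenticator(pkt, secret, request_authenticator))


def authenticator_request(identity=b"CORP\\alice", ident=7):
    """Switch/AP side: wrap the supplicant's EAP-Response/Identity in an Access-Request."""
    req_auth = os.urandom(16)                               # Request Authenticator: fresh random bytes
    eap_resp = struct.pack("!BBHB", 2, 1, 5 + len(identity), 1) + identity   # EAP Response, Identity
    attrs = [(USER_NAME, identity), (EAP_MESSAGE, eap_resp)]
    return build_packet(ACCESS_REQUEST, ident, req_auth, attrs, SECRET), req_auth


def server_accept(request, secret, vlan=b"10"):
    """Server side: silently discard a request whose HMAC fails; otherwise
    answer as if the EAP method had succeeded, assigning the VLAN with the
    tunnel attributes (tag 0, Tunnel-Type 13 = VLAN, Tunnel-Medium-Type 6 = 802)."""
    if not verify_message_authenticator(request, secret):
        return None
    ident, req_auth = request[1], request[4:20]
    attrs = [(TUNNEL_TYPE, b"\x00\x00\x00\x0d"), (TUNNEL_MEDIUM_TYPE, b"\x00\x00\x00\x06"),
             (TUNNEL_PRIVATE_GROUP_ID, b"\x00" + vlan)]
    return build_response(ACCESS_ACCEPT, ident, req_auth, attrs, secret)


def run_exchange(server_secret=SECRET):
    """Full round trip from the switch's point of view; returns the outcome."""
    request, req_auth = authenticator_request()
    response = server_accept(request, server_secret)
    if response is None:
        return "request discarded by server"
    if not verify_response(response, req_auth, SECRET):
        return "response rejected by switch"
    vlan = next(v[1:] for t, v, _ in attributes(response) if t == TUNNEL_PRIVATE_GROUP_ID)
    return "port authorized on VLAN " + vlan.decode()


def forged_accept_detected():
    """An attacker on the switch-to-server path who sees the Access-Request
    but not the secret cannot produce an Accept the switch will honour."""
    request, req_auth = authenticator_request()
    forged = build_response(ACCESS_ACCEPT, request[1], req_auth, [], b"attacker-guess")
    return not verify_response(forged, req_auth, SECRET)
```

The only thing binding a switch or AP to the authentication server is this shared secret, so each switch or AP must be registered on the server as a RADIUS client with its own long, random secret; the per-edition limit on RADIUS clients discussed below counts exactly these registrations.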

Client-side support for 802.1x first appeared in Windows XP, but Windows 2000 Service Pack 3 plus a follow-on hotfix let Windows 2000 Professional clients join networks that require 802.1x. Customers with Premier and Alliance support contracts can obtain 802.1x Authentication Client packages for Windows 98 and Windows NT 4.0 Workstation.

Windows CE .NET 4.x also has native support for 802.1x, so devices running it with 802.11 or Ethernet adapters can connect to 802.1x-enabled APs and switches.

Compliant Hardware Needed

Even with Windows support, companies need APs or Ethernet switches that implement 802.1x. Much existing equipment does not, especially low-priced hardware aimed at the home market, so companies planning to adopt 802.1x should check the capabilities of any network hardware they intend to use.

In addition, setting up 802.1x is far from plug-and-play. The client side is fairly simple and can be pushed out through Group Policy, but configuring the APs or switches and the IAS servers is complex, and depending on the EAP method chosen it can require a certificate infrastructure: EAP-TLS needs a certificate on every client as well as on the IAS server, while PEAP with password authentication needs a certificate only on the server, and clients should be configured to validate that server certificate.

Finally, organizations planning to run IAS on Windows Server 2003 must pay attention to the edition: Web Edition cannot run IAS at all, and Standard Edition limits IAS to 50 RADIUS clients (that is, 50 registered switches or APs, not 50 end users) and two remote RADIUS server groups. Enterprise and Datacenter Editions have no such limits.

Resources

A good white paper on using 802.1x to secure wireless networks is at www.microsoft.com/windows2000/techinfo/administration/security/wirelessec.asp.

For more on Wi-Fi Protected Access, see "Wi-Fi Protected Access for Windows" on page 7 of the May 2003 Update.

Windows 2000 SP3 (or later) clients that need 802.1x can obtain the necessary hotfix at support.microsoft.com/default.aspx?scid=kb;en-us;313664.

The complete details and specifications of 802.1x can be found at standards.ieee.org/getieee802/download/802.1X-2001.pdf.

For an extensive prescriptive guide on designing, building, and operating secure wireless LANs using 802.1x, see the "Microsoft Solution for Securing Wireless LANs" Patterns and Practices Guide at www.microsoft.com/downloads/details.aspx?FamilyId=CDB639B3-010B-47E7-B234-A27CDA291DAD&displaylang=en.