{"id":2004,"date":"2003-11-03T00:00:00","date_gmt":"2003-11-03T00:00:00","guid":{"rendered":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/2003\/11\/03\/the-state-of-802-1x-in-the-client\/"},"modified":"2021-12-30T11:40:27","modified_gmt":"2021-12-30T11:40:27","slug":"the-state-of-802-1x-in-the-client","status":"publish","type":"post","link":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/2003\/11\/03\/the-state-of-802-1x-in-the-client\/","title":{"rendered":"The State of 802.1X in the Client"},"content":{"rendered":"<p>802.1X poised to replace the wireless-outside-the-firewall philosophy, if only clients existed: As WPA has started to percolate slowly, so slowly, into Wi-Fi equipment, I&#8217;ve seen the simultaneous rise of interest in 802.1X, an authentication method in which WEP or WPA keys can be assigned through a three-role authentication process.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>802.1X requires support in the client via the operating system or a third-party software application; in the access point, through the ability to accept EAP (Extensible Authentication Protocol) messages and hand them off to a RADIUS or other authentication server defined in some area of the access point&#8217;s configuration; and an authentication server that can respond with the right information to initiate the keying process after credentials are accepted.<\/p>\n<p>None of these requirements is a high bar.<\/p>\n<p>Windows XP has shipped with an 802.1X client for some time, although it only supports a couple of flavors of secured EAP, in which the credential exchange is encrypted within tunnels.<\/p>\n<p>And virtually all mainstream RADIUS and similar servers are now equipped to talk 802.1X\/EAP using various secured EAP methods.<\/p>\n<p>The client is the weak point, because until last week, only Windows XP had a built-in 802.1X client.<\/p>\n<p>Mac OS X 10.3 (Panther) now includes 802.1X support, and it features all of the EAP 
types, including PEAP, LEAP, EAP-TLS, EAP-TTLS, and MD5.<\/p>\n<p>(Because it&#8217;s a Mac, if you&#8217;re using a certificate-based EAP method, like EAP-TLS, you just drag a certificate from email into the Keychain program, and that&#8217;s that.)<\/p>\n<p>Other platforms and other versions of operating systems aren&#8217;t out of luck because they can turn to Meetinghouse, which supports flavors of Windows and Mac OS X (before 10.3), as well as Linux 2.4 and Solaris.<\/p>\n<p>WPA has driven this process faster, it seems to me, because WPA solves the key-changing problem.<\/p>\n<p>With WPA, an 802.1X system could change keys every few minutes &#8212; or weeks or years potentially &#8212; without any reduction in the level of security even with the TKIP key that&#8217;s available as part of the WPA standard.<\/p>\n<p>Another element driving 802.1X adoption is that it reduces VPN costs.<\/p>\n<p>If you&#8217;re using a wireless-outside-the-firewall approach that requires a VPN client on the local network to tunnel through, you can completely eliminate the VPN client and per-seat server costs.<\/p>\n<p>More info: 
http:\/\/wifinetnews.com\/archives\/002434.html<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11],"tags":[],"class_list":["post-2004","post","type-post","status-publish","format-standard","hentry","category-trends"],"_links":{"self":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/2004","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/comments?post=2004"}],"version-history":[{"count":1,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/2004\/revisions"}],"predecessor-version":[{"id":4491,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/2004\/revisions\/4491"}],"wp:attachment":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/media?parent=2004"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/categories?post=2004"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/tags?post=2004"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}