Why 802.1X is the Best Choice for Large Scale Wireless Network Design

Regardless of the WLAN platform that you are using undoubtedly you have wondered “what authentication method is best for my large scale wireless network?”  I am glad you asked since I have some opinions on this matter and I was going to offer to share them with you.

Without going into a long dissection of the pros and cons of each type of authentication method used for wireless I am going to focus on just one method. The method I am focusing on is one that fits specifically large scale wireless network designs the best.

The method I recommend to my customers is 802.1x authentication.  By definition 802.1x is an IEEE standard for port based authentication which was originally designed for wired network authentication and later leveraged to provide the same services to wireless. It is typically only implemented in large networks such as campus or enterprise networks.

My recommendation for 802.1x in large scale wireless networks is based on several reasons as I will point out for you.

- 802.1x allows for the use of certificates and/or user credentials for authentication to the network. This provides for a much simpler implementation than using pre-shared keys (PSK) which does not scale well. Think about how to get a PSK out to all your users and then make sure that no one else discovers the key and uses it unauthorized. This cannot be accomplished efficiently. I have some education customers who are still using this method and they have to change the PSK every time it gets discovered or let out which is easily and often.

- 802.1x allows authentication to occur through the use of certificates (EAP-TLS) or user credentials (EAP-MSCHAPv2). This bodes well for the network administrator since they can manage both of these requirements from one place, their server.

- 802.1x uses backend infrastructure which is most likely already in place. Almost all of our customers are Microsoft domain environments and they already have Windows servers with Active Directory and their users have accounts with names, passwords and group assignments. Some of our customers have even opted to go the open source route and use OpenLDAP and FreeRADIUS for their networks. Having 802.1x rely on these databases greatly simplifies the implementation and administration.

- Group Policy in Windows Server or Profile Manager in OS X Server allows for the ability to push out wireless supplicant profiles to machines and devices managed by these servers. In the Windows domain environment this is all the machines managed by group policy. By creating a wireless security profile for your domain machines you can avoid having to manually configure all these machines. In Apple’s Profile Manager there is even a provision for the end user to connect to a web portal and download the configuration themselves.

Ease of Use

- The ease of use is from the end user perspective because at most all they need to do is enter in their network credentials, when prompted by their wireless supplicant, to get authenticated to the network. This typically happens only once and they never get pestered again for these credentials unless the password changes or their certificate is revoked. Unlike captive portals which typically require signing in every so many hours or after timing out 802.1x authentication is done once on the user side and after that the rest is negotiated in the background unbeknownst to the user.

- 802.1x authentication with certificates makes it even easier. The device does all the authentication work by presenting to the authenticator, the server, the client certificate and the server presents its certificate for verification by the device. This process is invisible to the end user and allows them to use the device unhindered with processes.

- If the machine is managed through a group policy or profile manager the end user also does not have to manually configure their device for connection. Removing this requirement or automating it in some way ensures successful authentication and connection and high user satisfaction.

Support

- Nearly all devices on the market that are expected to be connected to a wireless network include an 802.1x supplicant and those that don’t have 3^rd party options to load one. Printers and some game consoles may be the exception but I have seen some starting to provide support for this method.

- Support  for 802.1x can be found in all Windows OS’es since as far back as WinNT. MacOS has supported it for as long as I have been doing large scale wireless (8yrs). The iOS devices all support 802.1x natively. Android also has an 802.1x supplicant natively built in to their OS for phones, tablets, and even their Chromebooks.

Scalability

- 802.1x allows for the management of users, devices, profiles, certificates, etc… from single management points and the solutions for profile management allow automated or simplified roll outs of the technology.

Security

- 802.1x authentication keys are negotiated between the device and the server doing the authentication. They are individual and are not shared like PSKs.

- 802.1x authentication combined with AES encryption ensures keys are well protected from being hacked. (The use of AES cipher instead of TKIP also means you will get full benefits of 802.11n speeds on your WLAN. Penalties exist for using TKIP with 802.11n)

- If your WLAN solution supports it CoA (change of authorization RFC-3576) can be employed to deny users to the network by revoking their credentials or certificates. This revocation immediately will disconnect users from the network.  

- Attributes returned from an authentication server can be used to place users into roles like Student, Staff, Contractor, or Visitor. With these role assignments and the proper WLAN solution you can apply policies to these roles that define what they can access on your network. This is commonly known as Role Based Access Control (RBAC).