Can I connect both wireless and wired LAN clients using 802.1x and EAP when I have a workgroup rather than an Active Directory Domain, and when my LAN has Windows XP SP2? Do I need a dedicated machine as an authentication server and digital certificates installed on both the LAN machine(s) and the wireless device?
Yes, 802.1X supports a wide variety of authentication methods and user databases, and can generally be used for authenticating both wired and wireless LAN clients onto the same core network.
In your case, you want to authenticate users based on their existing Windows logins and passwords. This does indeed require you to have an authentication server, although that server does not have to be a dedicated machine. For example, you can run a RADIUS server program (for example, FreeRADIUS) on the PC that serves as your Windows primary domain controller. That PC does not have to be an Active Directory server, but it must have a list of all the legitimate usernames and their passwords. If you don't want to use a Windows domain, you could just create a local user list in your RADIUS server.
Once you have the authentication server and user list in place, you'll need to configure your AP(s) to relay 802.1X access requests to that authentication server -- typically that means configuring the authentication server's IP address and RADIUS secret into each AP, and configuring the authentication server with the same secret and the range of IP addresses that belong to your APs.
Finally, you need to choose an EAP type that supports username/password authentication. In a network of Windows XP systems, the easiest EAP type to choose is Protected EAP (PEAP) with MS-CHAPv2. The 802.1X client software for this EAP type (called a supplicant) is already included in Windows XP SP2, and you will not need certificates for each client. However, your authentication server will need one certificate for itself, and you will need to configure clients to recognize and accept that server's certificate (a supplicant that does not validate the server certificate cannot tell your RADIUS server apart from an impostor). Self-signed certificates can be generated using open source tools such as OpenSSL.
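The server-side pieces described above, laid out as a shell script; this is an added example, not configuration from the original answer or from the FreeRADIUS project. It assumes a FreeRADIUS 3 server on a Unix-like host, writes into a scratch directory rather than the live configuration tree, and uses constructed names (the `ap-office` client, the `192.168.1.0/24` AP range, the `radius.example.lan` certificate name and the two sample users), all of which you would replace with your own values:

```shell
#!/bin/sh
# Added example: generate the RADIUS shared secret, the clients.conf stanza
# for the APs, a local users list, the PEAP/MS-CHAPv2 eap fragment and a
# self-signed server certificate. Every name, path and address is a
# constructed assumption, not taken from the original answer.
set -eu

OUT_DIR="${OUT_DIR:-./radius-example}"   # assumption: scratch dir, not /etc/raddb

# Random shared secret (24 bytes, 48 hex characters). The same value must be
# entered into each AP/switch and into clients.conf; it is never sent over
# the wire in the clear, but it authenticates the AP to the RADIUS server.
gen_radius_secret() {
    head -c 24 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# clients.conf stanza: which network access servers (APs, switches) may send
# 802.1X/RADIUS requests. $1 = name, $2 = IP or CIDR range, $3 = secret.
# Restricting ipaddr to the AP range keeps other hosts from probing the server.
write_clients_conf() {
    printf 'client %s {\n\tipaddr = %s\n\tsecret = %s\n\tnas_type = other\n}\n' "$1" "$2" "$3"
}

# users file entry: the "local user list" alternative to a Windows domain.
# MS-CHAPv2 verifies a challenge/response, so the server needs the cleartext
# (or NT hash) of the password; a one-way salted hash would not work here.
write_user_entry() {
    printf '%s\tCleartext-Password := "%s"\n' "$1" "$2"
}

# mods-available/eap fragment: PEAP outer method, MS-CHAPv2 inner method,
# with the server certificate generated below.
write_eap_conf() {
    cat <<EOF
eap {
	default_eap_type = peap
	tls-config tls-common {
		private_key_file = $OUT_DIR/server.key
		certificate_file = $OUT_DIR/server.pem
	}
	peap {
		tls = tls-common
		default_eap_type = mschapv2
	}
	mschapv2 {
	}
}
EOF
}

# Self-signed server certificate with OpenSSL. Windows PEAP supplicants reject
# a RADIUS server certificate that lacks the serverAuth extended key usage.
# $1 = certificate common name (assumed: the RADIUS server's host name).
gen_server_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=$1" -addext "extendedKeyUsage=serverAuth" \
        -keyout "$OUT_DIR/server.key" -out "$OUT_DIR/server.pem" 2>/dev/null
}

# Build all fragments into OUT_DIR and print the secret to enter into the APs.
build_example() {
    mkdir -p "$OUT_DIR"
    secret=$(gen_radius_secret)
    write_clients_conf ap-office 192.168.1.0/24 "$secret" > "$OUT_DIR/clients.conf"
    {
        write_user_entry alice 'constructed-pass-1'
        write_user_entry bob   'constructed-pass-2'
    } > "$OUT_DIR/users"
    write_eap_conf > "$OUT_DIR/eap"
    if command -v openssl >/dev/null 2>&1; then
        gen_server_cert radius.example.lan || echo "cert generation failed (old openssl?)" >&2
    fi
    echo "$secret"
}

# Stand-alone run: writes the fragments and prints the secret for the APs.
build_example
```

The secret printed at the end is the value you type into each AP's RADIUS settings; the `ipaddr` range in `clients.conf` is the other half of the pairing the answer describes. Keep the `users` file readable only by the RADIUS service account, since MS-CHAPv2 forces it to hold cleartext or NT-hash passwords.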
Once you have this all set up, you will need to configure your AP(s) and Ethernet switch(es) to require 802.1X for all connections. Every client (wired or wireless) will then be prompted for its username and password when it tries to connect to the LAN, before it can receive an IP address or communicate with any other system.
Note that 802.1X is not a prerequisite for systems to communicate with one another once they are on your network; it is only enforced at the point where a system connects and obtains a valid IP address. For example, you could have Ethernet clients plugged directly into uncontrolled LAN ports, while simultaneously requiring WPA-Enterprise (802.1X) for wireless clients. Only the wireless clients will end up using 802.1X; the wired clients will get unauthenticated access to the network. However, both end up with link layer access to the same network and will be subject to the same access controls once traffic enters that network. For example, if a particular server requires users to log into a Windows domain before using a fileshare, this will be true for both wired and wireless clients, no matter how they connected to the network.
This was first published in May 2007