
What is the best solution for access control on a wireless network?

What is the best solution for access control on a wireless network? We have just received our Cisco 1200 access points and can't use EAP, PEAP nor LEAP. Any suggestions?

Also, can this be solved with attributes within a Microsoft radius server and where would I find what attributes to put in?
Various EAP types (EAP-TLS, PEAP, and the older LEAP) are used with 802.1X to control access to wireless LANs at the access point. With any of these methods, the station associates with the AP and supplies its identity. The AP relays the station's access request to a RADIUS server located somewhere behind the AP (i.e., inside the protected network). The RADIUS server will then send a series of RADIUS Challenge/Response messages, with the actual content dependent upon EAP type. The AP forwards EAP messages to the station until the RADIUS server is satisfied and accepts or rejects the station's access request. If the request is accepted, the station is given access to the "port" on the AP and permitted to send and receive WLAN traffic to the adjacent network.

This is currently the most robust solution for controlling access to the WLAN itself. A common but far less robust method is to apply simple MAC address control lists at the AP, permitting access only by those stations on the list. Another common method is to enforce access control somewhere BEHIND the AP, at the edge of an adjacent network. For example, in most hotspots, a gateway redirects HTTP traffic sent to ports 80/443 to a web login page. After the user logs into the web portal, he can send web or any other traffic through the gateway (for example, into the Internet). Web portals can usually be linked to a back-end user database (RADIUS, LDAP) to assist in authentication. There are two essential differences between a web portal and 802.1X (or MAC ACLs):

  • 802.1X controls access to the AP, and therefore the WLAN, while web portals control access to an adjacent network only.
  • 802.1X usually (but not always) operates transparently, logging the station into the WLAN without user intervention, while web portals use interactive user prompting and login/password entry.

You do not say why you can't use 802.1X with LEAP, PEAP, or EAP-TLS, but I will guess that your stations do not support 802.1X. If you were using Cisco wireless cards on your stations, you would be able to use Cisco's client software which supports 802.1X and LEAP/PEAP. If you are using other-vendor cards, on non-Windows operating systems, you may have trouble finding compatible "EAP supplicant" software. If this is your case, then a web portal can help you glue together unlike systems under one common authentication gateway.

Both 802.1X-enabled APs and web login portals can be integrated with RADIUS servers, but the RADIUS attributes used depend on the standard and the product's implementation. For example, to read about how RADIUS carries EAP (used by 802.1X), see RFC 3579.
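As an added example (not part of the original answer), here is a small Python model of the RFC 3579 mechanism the answer points to: the AP wraps the station's EAP packet in a RADIUS Access-Request using the EAP-Message attribute, and the RADIUS server must verify the accompanying Message-Authenticator HMAC before it trusts the EAP payload. The shared secret and user identity used below are constructed values.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1
EAP_MESSAGE = 79            # RFC 3579: EAP packet carried inside RADIUS
MESSAGE_AUTHENTICATOR = 80  # RFC 3579: HMAC-MD5 that must accompany EAP-Message

def eap_response_identity(eap_id: int, identity: str) -> bytes:
    """EAP Response/Identity: Code 2, Identifier, Length, Type 1, identity bytes."""
    data = identity.encode()
    return struct.pack("!BBH", 2, eap_id, 5 + len(data)) + b"\x01" + data

def attr(attr_type: int, value: bytes) -> bytes:
    """RADIUS attribute TLV: Type, Length (including the 2-byte header), Value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value

def build_access_request(secret: bytes, req_id: int, authenticator: bytes, eap: bytes) -> bytes:
    """Access-Request (Code 1) carrying EAP-Message; Message-Authenticator is computed
    over the whole packet with its own value zeroed, then written in place."""
    attrs = attr(EAP_MESSAGE, eap) + attr(MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    pkt = struct.pack("!BBH", ACCESS_REQUEST, req_id, 20 + len(attrs)) + authenticator + attrs
    mac = hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt[:-16] + mac  # Message-Authenticator is the last attribute

def parse_attrs(pkt: bytes):
    """Yield (type, offset of value, value) for each attribute after the 20-byte header."""
    i = 20
    while i < len(pkt):
        attr_type, length = pkt[i], pkt[i + 1]
        if length < 2 or i + length > len(pkt):
            raise ValueError("malformed RADIUS attribute")
        yield attr_type, i + 2, pkt[i + 2:i + length]
        i += length

def verify_message_authenticator(secret: bytes, pkt: bytes) -> bool:
    """Server-side check from RFC 3579 section 3.2: a packet with EAP-Message but no
    valid Message-Authenticator must be silently discarded. True only if the HMAC matches."""
    has_eap, mac_off, mac_val = False, None, None
    for attr_type, off, val in parse_attrs(pkt):
        if attr_type == EAP_MESSAGE:
            has_eap = True
        elif attr_type == MESSAGE_AUTHENTICATOR and len(val) == 16:
            mac_off, mac_val = off, val
    if not has_eap or mac_off is None:
        return False
    zeroed = pkt[:mac_off] + b"\x00" * 16 + pkt[mac_off + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, mac_val)
```

The same HMAC rule applies to the server's Access-Challenge and Access-Accept replies, which is what lets the AP detect a forged RADIUS response even though the EAP contents differ per EAP type.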

This was last published in October 2003
