
Locking down wireless hot spots with 802.1X

Hot spots can increase business productivity, but careless use can lead to corporate resource compromise.


Today, public wireless hot spots can be found in many airports, hotels, conference centers, and other venues frequented by business travelers.  In fact, business users are the primary source of revenue for hot spot operators, and the primary target for new services.

According to Biju Nair, VP of Mobility Solutions at PCTEL, many carriers hope to leverage hot spots to further penetrate enterprises.  "Larger revenues could be generated if [hot spot] services were part of an overall package of remote access services," said Nair.  But when carriers surveyed enterprise IT managers, "Their overwhelming concern was not price or availability, but whether [hot spot traffic] was secure."

Hot spots can increase business productivity, but careless use can lead to corporate resource compromise.  Without protection, usernames, passwords, and proprietary data sent over the air are easily captured.  Most hot spots use Web authentication with SSL to protect credentials.  But few hot spots use WEP encryption to protect data sent after login.

Shared key encryption can't provide individual user authentication or confidentiality.  Since everyone holds the key to decrypt everyone else's data, there's little gained by using static WEP in a network of strangers.  WPA-Personal provides stronger encryption, but still uses a shared passphrase that limits hot spot utility.  WPA-Enterprise combines stronger encryption with 802.1X user authentication and dynamic per-session keys.  Some carriers believe this combination holds great promise for hot spot security.

T-Mobile's enhanced WPA network

For example, T-Mobile has been testing 802.1X in selected hot spots for the past year.  Earlier this month, the carrier formally announced general availability of its "Enhanced WPA Network" at 4700+ hot spots.  Customers who download T-Mobile's updated Connection Manager will find the new service is used automatically wherever it's available.

By default, T-Mobile's Connection Manager -- a branded version of PCTEL's Roaming Client -- first tries to connect to a hidden, encrypted network named tmobile1x.  If that fails, it falls back to the standard (broadcasted, unencrypted) tmobile network.  Both networks are supported by the same Access Point, but the tmobile1x network requires authentication using 802.1X Port Access Control with EAP-TTLS, followed by data encryption using TKIP.

When connected to tmobile1x, data over the air is protected from eavesdropping and tampering by other users.  Protection across the Internet still requires something more, like a VPN.  However, airlink encryption can avoid leaking confidential data when browsing public Web sites or automatically trying to reconnect to NetBIOS fileshares.  If your VPN should fail to launch or disconnects unexpectedly, airlink encryption prevents accidental exposure.  In short, WPA-Enterprise better insulates hot spot users from each other, no matter which applications or Internet security measures they might use.

The 802.1X fine print

Airlink security is good news for enterprises concerned with worker exposure at hot spots, but using WPA-Enterprise in hot spots requires satisfying several prerequisites.

1. Users must have a WPA-capable wireless card. 

For new laptops, that's pretty much a given.  For internal/external cards purchased in 2003, WPA upgrades may be available -- check your product's Wi-Fi certification.  Those with older gear are out of luck, but can still use unencrypted networks like tmobile.

For compatibility with older equipment, Connection Manager lets you disable WPA.  But there's no option to require WPA.  If your connection to the Enhanced WPA Network fails, you'll be offered a connection to the Standard Network.  I found it a bit too easy to click through this prompt and end up with an unencrypted airlink.  Enterprises may prefer an option to stop users from connecting to any unencrypted network.

2. Users must have a hot spot account and credentials.

After network connectivity is established, Connection Manager launches a browser window that automatically logs the user into T-Mobile's server, using previously-stored credentials or prompting for login/password.  Those without an account (or with an expired account) are automatically redirected to T-Mobile's Sign-Up page.

3. Users must install a compatible Connection Manager. 

As PCTEL's Nair put it, "Expecting users to have all the software and configuration required to connect to 802.1X is not very user-friendly."  To avoid these external dependencies, Connection Manager includes PCTEL's 802.1X EAP-TTLS supplicant, pre-configured for T-Mobile hot spot use.

This bundled approach has benefits.  PCTEL's EAP-TTLS implementation is compatible with T-Mobile's authentication server and credentials, and keeps both the user's login and password private.  The Connection Manager automatically validates T-Mobile's server certificate, and that server validates the AP's identity, reducing risk of connecting to a rogue AP pretending to be a hot spot AP.  The opportunity for error or breach due to 802.1X mis-configuration is minimized.

On the other hand, requiring client software has well-known drawbacks.  If you're accustomed to using Windows XP Zero Configuration, Cisco's Aironet Client Utility, iPass Connect, or another 802.1X-capable wireless client, you won't be able to access T-Mobile's Enhanced WPA Network through that client.  Instead, you must install and launch Connection Manager when visiting a hot spot.  Conflicting programs (like Zero Config) are detected and optionally disabled when Connection Manager is launched, then restored upon exit.  This automation helps, but some users may find switching between wireless clients confusing.  Alternatively, you can add your own profiles to Connection Manager to access private (home or office) WLANs.
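As an added illustration (not PCTEL's or T-Mobile's configuration), the following wpa_supplicant.conf expresses the profile the article describes: a hidden SSID, 802.1X with EAP-TTLS, TKIP data encryption, server certificate validation, and a private inner identity, with no open-network profile at all, which is the "require WPA" behaviour the Connection Manager lacks. The CA certificate path, the server name, the inner authentication method and the account names are assumptions, since the article gives none of them.

```conf
# Added example, not PCTEL/T-Mobile configuration. Joins only the encrypted
# tmobile1x network; the open tmobile network is deliberately not listed.
ctrl_interface=/var/run/wpa_supplicant
ap_scan=1

network={
    # The 802.1X network is hidden (SSID not broadcast), so the supplicant
    # must probe for it explicitly.
    ssid="tmobile1x"
    scan_ssid=1

    # WPA-Enterprise: 802.1X/EAP authentication, per-session keys,
    # TKIP airlink encryption as described in the article.
    key_mgmt=WPA-EAP
    proto=WPA
    pairwise=TKIP
    group=TKIP

    eap=TTLS
    # Only the outer identity is sent in the clear; the real login and
    # password travel inside the TLS tunnel, which is how EAP-TTLS keeps
    # them private. Realm and account are placeholders (assumption).
    anonymous_identity="anonymous@hotspot.example"
    identity="user@hotspot.example"
    password="REPLACE-ME"    # storing this on a laptop is the risk the article notes

    # Assumptions: CA bundle path, server name and inner method are not
    # given by the article. Pinning the CA and the expected server name is
    # what stops a rogue AP/authentication server from completing the
    # handshake and harvesting the inner credentials.
    ca_cert="/etc/ssl/certs/hotspot-ca.pem"
    domain_suffix_match="hotspot.example"
    phase2="auth=PAP"
}

# Intentionally absent: an open-network profile. Without a block like the
# one below, the supplicant can never fall back to an unencrypted airlink.
#
# network={
#     ssid="tmobile"
#     key_mgmt=NONE
# }
```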

Options exist for saving your password and enabling automatic connections, making login almost (but not completely) transparent.  However, such options should be used with great care.  Saved credentials are a security risk on a lost or unattended laptop.  Worse, you could end up paying for connections made whenever your active card is within hot spot range, whether you used the network or not.

Users who roam to other providers' hot spots must wait for broader 802.1X support.  For example, iPass customers can use any T-Mobile Standard Network, but can't yet use their iPass credentials on T-Mobile's Enhanced WPA Network.  According to iPass CTO Roy Albert, the two companies are engaged in design work to proxy 802.1X requests from iPass users at T-Mobile hot spots into the iPass authentication network.  iPass hopes to have 802.1X/WPA authentication in place for iPass users by Q2 2005.

Getting started

T-Mobile's rollout shows that some carriers will invest in 802.1X to address enterprise security concerns.  It's a bit early to tell how 802.1X will fare in hot spots, but we can certainly expect continued evolution.

Companies with corporate hot spot accounts should evaluate their provider's existing and planned support for 802.1X.  Review hardware and software and proxy requirements, considering your own plans for internal 802.1X use, to decide whether and when to make the switch.  Hot spot airlink security isn't going to eliminate your need for remote access VPNs, but it can still reduce risk for workers who frequent public hot spots.

As companies upgrade their enterprise WLANs from WPA to WPA2 (802.11i), carriers will probably follow suit.  We'll see 802.1X hot spot authentication proxied between carriers and perhaps to enterprise-owned authentication servers.  802.1X will find its way into mobile devices like smartphones to facilitate roaming between wireless LANs and WANs.  Hot spot clients like PCTEL's will continue to fill the gap between what operating systems offer and what hot spot providers need to deliver secure services to enterprise subscribers.

For now, I recommend that individual subscribers check their favorite provider's hot spot client to see whether 802.1X is supported.  If so, verify your wireless card and software compatibility.  You might have to get familiar with a new client, but you'll probably find that an 802.1X hot spot is no harder to use than an unencrypted hot spot.

About the author
Lisa Phifer is vice president of Core Competence, Inc., a consulting firm specializing in network security and management technology.  Phifer has been involved in the design, implementation, and evaluation of data communications, internetworking, security, and network management products for nearly 20 years.  She teaches about wireless LANs and virtual private networking at industry conferences and has written extensively about network infrastructure and security technologies for numerous publications.  She is also a site expert to and
This was last published in October 2004
