Various 802.1x Supplicants

by bharat on May 20, 2010

How can I make sure the network I am building for my enterprise is fully secured and keeps out intruders by all means? This is a common thought for any network administrator. Previously, networks consisted only of hard-wired machines, and access to the network was limited by access to a physical port. That is no longer the case.

With the introduction of Wi-Fi devices such as laptops and handheld smartphones, securing the network from intruders has become an increasingly complex task. Wi-Fi devices are not bound to a physical port, and anyone, even outside the enterprise but within range of the Wi-Fi network, practically has access to your enterprise network. This news was enough to give network administrators sleepless nights. So, to secure networks, mainly in enterprises, various security protocols and components were invented; one of them is the supplicant.

Basically, a supplicant is a piece of software that sits on the client side, communicates with the authentication server, negotiates the authenticity of the client, and plays an important part in maintaining the integrity of the network. Let us analyze why we need to look at different types of supplicant; below are some important points of discussion.

  • Sometimes we are looking for additional features. For example, Microsoft's Windows Zero Config includes native support for two popular EAP types: EAP-TLS (server and client certificate authentication) and EAP-PEAP (server-only certificate authentication). If you need more authentication types, you have to look at other supplicants.
  • If the network is made up of Cisco gear, you might prefer to use Cisco’s EAP protocol (EAP-FAST), which isn’t natively supported by Windows Zero Config, and so migrate to the Cisco supplicant, which has high compatibility with Cisco authentication servers.
  • Some clients even give you additional functionality, such as the ability to block users from changing the 802.1X client settings, so they can’t open themselves up to potential attacks by local eavesdroppers.
  • Some clients also include deployment tools to help distribute the digital certificates to clients when using protocols like EAP-TLS or EAP-PEAP with a self-signed certificate.
  • For uniformity of configuration over multiple operating systems.

Below is the list of the various supplicants available and the different features supported by each.

XSupplicant is a cool open source supplicant maintained by the open source community. It is available for Windows XP and Linux, for both 32-bit and 64-bit architectures. A GUI is available for both Win XP and Linux. You can download this supplicant from here. Various features of this supplicant are:

    • EAP-AKA
    • EAP-FAST
    • EAP-GTC
    • EAP-LEAP
    • EAP-MD5
    • EAP-MSCHAPv2
    • EAP-OTP
    • EAP-PEAP
    • EAP-SIM
    • EAP-TLS
    • EAP-TNC
    • EAP-TTLS

It also supports advanced logging features, and configuring the various advanced authentication features and timers is very easy.

SecureW2 Enterprise Client is a commercial solution by SecureW2 B.V. (a Dutch corporation). It supports both Win XP and Win 7. It supports both wired and wireless connections, and the wireless connection is automatically turned off as soon as a wired connection comes into effect. It supports configuration lockdown to avoid tampering. Single sign-on is also supported, with various encryption algorithms like WPA/WPA2/Dynamic WEP, etc.

The SecureW2 Enterprise Client supports the following EAP types:

    • EAP-GTC
    • EAP-PEAP
    • EAP-SIM
    • EAP-TTLS

SecureW2 can also help out on the deployment. It can provision the authentication settings via XML, INF or INI for silent and non-silent installations. It can also create MSI packages containing both the settings and the X.509 Certificates.

Cisco Secure Services Client (SSC) is a software supplicant that helps you deploy a single authentication framework to access both wired and wireless networks. It provides 802.1X (Layer 2) user and device authentication and manages user and device identity and the network-access protocols required for secure access. It’s actually a rebranded and updated version of Meetinghouse’s old AEGIS SecureConnect software application. It provides support for a variety of EAP types, including Cisco's own:

    • EAP-FAST
    • EAP-GTC (Windows 2000/XP only)
    • EAP-LEAP
    • EAP-MD5 (Windows 2000/XP only)
    • EAP-PEAP
    • EAP-TLS (Windows 2000/XP only)
    • EAP-TTLS (Windows 2000/XP only)

The Cisco Secure Services Client features integrated VPN client capabilities, XML-based provisioning of authentication details, and the ability to prevent configuration changes by end users.

WPA_Supplicant is an open source initiative and is available for various operating systems like Linux, Win XP, FreeBSD, Mac OS X, etc. Its code structure is such that it can easily be compiled for various other operating systems and drivers. It has both a command-line mode (wpa_cli) and a GUI mode (wpa_gui) for configuration. It is quite an advanced and up-to-date supplicant and supports newly developed features like WPS (Wi-Fi Protected Setup) and 802.11r (fast roaming); WPS is only supported for WPA/WPA2-PSK. The long list of EAP types supported by wpa_supplicant is as follows:

    • EAP-AKA
    • EAP-FAST
    • EAP-GPSK
    • EAP-GTC
    • EAP-IKEv2
    • EAP-LEAP
    • EAP-MD5
    • EAP-MSCHAPv2
    • EAP-OTP
    • EAP-PAX
    • EAP-PEAP
    • EAP-SAKE
    • EAP-SIM
    • EAP-TLS
    • EAP-TNC
    • EAP-TTLS

Before selecting any supplicant, we should first think about our requirements and then about the feature set of the supplicant. Ease of configuration should also be taken into account. If we select too bulky a supplicant with a mammoth set of configuration options, we may end up never using it properly. Do let me know your opinion in the comments section.
