NETGEAR 700 Series Switch User Manual


 
802.1x Port-Based Authentication Overview C-1
SM-10004-02
Appendix C
802.1x Port-Based Authentication Overview
This appendix provides an overview of802.1x security and configuration.
Understanding 802.1x Port Based Network Access Control
802.1x is well on its way to becoming an industry standard, and provides an effective wired and
wireless LAN security solution. Windows XP implements 802.1x natively, and the 700 Series
Managed Switch supports 802.1x. The 802.11i committee is specifying the use of 802.1x to
eventually become part of the 802.11 standard.
With 802.11 WEP, all wireless access points and client wireless adapters on a particular wireless
LAN must use the same encryption key. Each sending station encrypts data with a WEP key before
transmission, and the receiving station decrypts it using an identical key. This process reduces the
risk of someone passively monitoring the transmission and gaining access to the data transmitted
over the wireless connections.
However, a major problem with the 802.11 wireless standard is that the keys are cumbersome to
change. If you don't update the WEP keys often, an unauthorized person with a sniffing tool can
monitor your network for less than a day and decode the encrypted messages. In order to use
different keys, you must manually configure each access point and wireless adapter with new keys.
Products based on the 802.11 standard alone offer system administrators no effective method to
update the keys. This might not be too much of concern with a few users, but the job of renewing
keys on larger networks can be a monumental task. As a result, companies either don't use WEP at
all or maintain the same keys for weeks, months, and even years. Both cases significantly heighten
the wireless LAN's vulnerability to eavesdroppers.
IEEE 802.1x offers an effective framework for authenticating and controlling user traffic to a
protected network, as well as dynamically varying encryption keys. 802.1x ties a protocol called
EAP (Extensible Authentication Protocol) to both the wired and wireless LAN media and supports
multiple authentication methods, such as token cards, Kerberos, one-time passwords, certificates,
and public key authentication. For details on EAP specifically, refer to IETF's RFC 2284.