Security Solutions
3-20
Designing Access Controls
Choose the Access Control Methods
■ Do your endpoints have 802.1X supplicants?
Most reasonably up-to-date endpoints will meet this requirement.
The following Windows versions include a native 802.1X supplicant:
• Windows Vista
• Windows XP
• Windows 2000 Service Pack (SP) 3 or later
Mac OS X 10.3 also provides native support for 802.1X. The OpenX project
has developed the Xsupplicant for Linux systems.
In addition, many vendors of wireless NICs include a wireless client with
an 802.1X supplicant as part of the product.
Note: It is assumed that since you are designing a network access control
solution, you have a RADIUS server, which is required for 802.1X
authentication.
■ How will the necessary settings be configured on the supplicant?
The following options need to be configured for 802.1X authentication:
• EAP method—For EAP-Tunneled Transport Layer Security (TTLS)
and Protected EAP (PEAP), you must also select the inner method.
(For more information about EAP methods, see “Select an EAP
Method for 802.1X” on page 3-101.)
• Credentials—For example, the native Windows supplicant
automatically submits the Windows login name and password for PEAP
authentication. Are these the correct credentials in your environment,
or will users need to disable this option?
You must decide who will configure the settings. Is this a service the IT
staff can provide? Or will you educate the users by providing classes or
written documentation to guide them through the configuration process?
■ Do endpoints’ wireless NICs support WPA/WPA2?
Almost all wireless NICs now support the TKIP or AES encryption
mandated by WPA/WPA2.
If your answers to the first two questions lead you to believe that your
environment cannot support WPA/WPA2 with 802.1X authentication, you
should choose WPA/WPA2-PSK encryption.
If, in answering the third question, you discovered that your wireless NICs
support WEP only, you might decide to update your equipment or to use
dynamic WEP encryption.
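
The supplicant settings listed under the second question (EAP method, inner method, credentials) can be generated centrally instead of being typed in by each user. The following is an added example, not part of this guide: it assumes wpa_supplicant as the supplicant, requires a CA certificate for checking the RADIUS server (a setting the list above does not cover), and uses a constructed SSID, user name and certificate path.

```python
# Added example (not from the guide). Assumes wpa_supplicant as the
# supplicant; SSID, identity and certificate path below are constructed.

# Inner methods allowed per tunneled EAP method -> wpa_supplicant phase2 value.
PHASE2 = {
    "PEAP": {"MSCHAPV2": "auth=MSCHAPV2", "GTC": "auth=GTC"},
    "TTLS": {"PAP": "auth=PAP", "MSCHAPV2": "auth=MSCHAPV2",
             "EAP-MSCHAPV2": "autheap=MSCHAPV2"},
}


def _quoted(name, value):
    """Return name="value", refusing characters that would break the quoting."""
    if any(c in value for c in '"\n\r'):
        raise ValueError(f"{name} contains a quote or line break")
    return f'{name}="{value}"'


def network_block(ssid, eap, inner, identity, ca_cert, password=None):
    """Render a WPA/WPA2 802.1X network block for a tunneled EAP method."""
    eap = eap.upper()
    if eap not in PHASE2:
        raise ValueError(f"{eap}: only {sorted(PHASE2)} are handled here")
    if not inner:
        raise ValueError(f"EAP-{eap} needs an inner method")
    try:
        phase2 = PHASE2[eap][inner.upper()]
    except KeyError:
        raise ValueError(f"{inner} is not listed as an inner method for {eap}") from None
    lines = [
        _quoted("ssid", ssid),
        "key_mgmt=WPA-EAP",            # 802.1X rather than a pre-shared key
        f"eap={eap}",
        _quoted("phase2", phase2),
        _quoted("identity", identity),
        _quoted("ca_cert", ca_cert),   # CA that signed the RADIUS server cert
    ]
    if password is not None:           # omit to keep the password out of the file
        lines.append(_quoted("password", password))
    return "network={\n" + "".join(f"    {line}\n" for line in lines) + "}\n"


if __name__ == "__main__":
    print(network_block("corp-wlan", "peap", "mschapv2", "alice",
                        "/etc/ssl/certs/example-ca.pem"))
```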