Understanding 802.1x – NETGEAR ME103 User Manual

Reference Manual for the ME103 802.11b ProSafe Wireless Access Point

Wireless Networking Basics


August 2003

Understanding 802.1x Port Based Network Access Control

802.1x is well on its way to becoming an industry standard and provides an effective wireless
LAN security solution. Windows XP implements 802.1x natively, and the ME103 802.11b
ProSafe Wireless Access Point supports 802.1x. The 802.11i committee is specifying the use of
802.1x, which is eventually to become part of the 802.11 standard.

With 802.11b WEP, all access points and client wireless adapters on a particular wireless LAN
must use the same encryption key. Each sending station encrypts data with a WEP key before
transmission, and the receiving station decrypts it using an identical key. This process reduces the
risk of someone passively monitoring the transmission and gaining access to the data transmitted
over the wireless connections.

However, a major problem with the 802.11 standard is that the keys are cumbersome to change. If
you don't update the WEP keys often, an unauthorized person with a sniffing tool can monitor your
network for less than a day and decode the encrypted messages. In order to use different keys, you
must manually configure each access point and wireless adapter with new keys.

Products based on the 802.11 standard alone offer system administrators no effective method to
update the keys. This might not be too much of a concern with a few users, but the job of renewing
keys on larger networks can be a monumental task. As a result, companies either don't use WEP at
all or maintain the same keys for weeks, months, and even years. Both cases significantly heighten
the wireless LAN's vulnerability to eavesdroppers.

IEEE 802.1x offers an effective framework for authenticating and controlling user traffic to a
protected network, as well as dynamically varying encryption keys. 802.1x ties a protocol called
EAP (Extensible Authentication Protocol) to both the wired and wireless LAN media and supports
multiple authentication methods, such as token cards, Kerberos, one-time passwords, certificates,
and public key authentication. For details on EAP specifically, refer to IETF's RFC 2284.
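
To make the EAP-over-LAN framing concrete, the following added example (not part of the NETGEAR manual) parses an EAPOL frame body and the EAP packet it carries. The field layout and numeric values are taken from IEEE 802.1X and RFC 2284; the function names and the sample frame are constructed for illustration.

```python
import struct

# Values from IEEE 802.1X (EAPOL) and RFC 2284 (EAP).
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
             5: "One-Time Password", 6: "Generic Token Card"}


def parse_eap(pkt: bytes) -> dict:
    """Parse an EAP packet: Code, Identifier, Length, then Type for Request/Response."""
    if len(pkt) < 4:
        raise ValueError("truncated EAP header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    # The Length field covers the whole EAP packet, header included.
    if length < 4 or length > len(pkt):
        raise ValueError("EAP length field inconsistent with packet size")
    out = {"code": EAP_CODES.get(code, f"unknown({code})"), "id": ident}
    if code in (1, 2):  # only Request and Response carry a Type octet
        if length < 5:
            raise ValueError("Request/Response without Type octet")
        out["type"] = EAP_TYPES.get(pkt[4], f"unknown({pkt[4]})")
        out["data"] = pkt[5:length]
    return out


def parse_eapol(frame: bytes) -> dict:
    """Parse an EAPOL frame body (the bytes after the 0x888E EtherType)."""
    if len(frame) < 4:
        raise ValueError("truncated EAPOL header")
    version, ptype, body_len = struct.unpack("!BBH", frame[:4])
    body = frame[4:4 + body_len]  # anything past body_len is Ethernet padding
    if len(body) != body_len:
        raise ValueError("EAPOL body shorter than declared length")
    out = {"version": version,
           "eapol_type": EAPOL_TYPES.get(ptype, f"unknown({ptype})")}
    if ptype == 0:  # EAP-Packet: the body is an EAP message
        out["eap"] = parse_eap(body)
    return out


# Constructed sample: EAPOL v1 carrying an EAP-Response/Identity for "alice".
_identity = b"alice"
_eap = struct.pack("!BBHB", 2, 7, 5 + len(_identity), 1) + _identity
SAMPLE = struct.pack("!BBH", 1, 0, len(_eap)) + _eap

if __name__ == "__main__":
    print(parse_eapol(SAMPLE))
```

EAPOL-Key frames (type 3) are the mechanism by which an 802.1x access point can hand clients fresh encryption keys, which is what removes the manual WEP rekeying burden described above.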