“You can't solve social problems with software” – Marcus Ranum
We have covered two sources of WiFi threats in my previous blog posts – Rogue APs and client misconfigurations. It has been encouraging to see quality comments from readers – some of them have pointed out why 802.1X is the “preferred” way to mitigate the Rogue AP problem. In this post, we will dig a little deeper into this.
IEEE 802.1X port-based access control provides an authentication mechanism for devices wishing to communicate via a port (e.g., a LAN port). If the authentication fails, further communication via the port is disallowed. 802.1X is a simple form of Network Access Control (NAC) – a generalized NAC solution can provide additional functionality such as fine-grained access control, identity management, access management, and quarantining of non-compliant clients (e.g., ones without proper anti-virus protection).
I think that 802.1X is a good first step in securing your network from Rogue APs. It does provide some control over the relatively deterministic part of the problem – the wire. However, as I hinted in my earlier post, I believe that 802.1X (or even a generalized NAC, for that matter) alone is not sufficient for mitigating Rogue APs. Here are my reasons: