Distributing 802.1X Settings to your Clients
By CWNP on 09/09/2010
Businesses and organizations should use Enterprise-level Wi-Fi Protected Access (preferably WPA2 with AES encryption) to secure their WLAN, which requires the use of a RADIUS server for the 802.1X authentication. However, you'll probably find that configuring the end-users' devices is a roadblock, or at least a big speed bump, to your 802.1X implementation. As the owner of a hosted 802.1X service, I see this problem daily. In Windows you can't simply connect to these types of networks; you must preconfigure the 802.1X settings. You'll likely see an increase in trouble calls and visits to the help desk.
Although 802.1X can be a nuisance to configure, it is an essential part of Wi-Fi security. So I’ll share a few ways to preconfigure the network and authentication settings on the clients. This will help alleviate some of the stress from the end-users and help desk staff.
If you’re running a domain network with Windows Server and Active Directory, try pushing the network profiles to the computers using Group Policy. If you’re running Windows Server 2003, bring up the Group Policy snap-in on the Microsoft Management Console (MMC) and navigate to Computer Configuration > Security Settings. If you’re running Windows Server 2008 or 2008 R2, use the Group Policy Management Console (GPMC) and navigate to Computer Configuration > Policies > Windows Settings > Security Settings. Once you’re there, create a Wireless Network (IEEE 802.11) Policy and create a preferred network entry.
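Once a policy has been pushed, it is worth confirming that the profile on a client really carries the settings recommended above. The following is an added example, not part of the original article: it audits a WLAN profile XML file, such as one produced by `netsh wlan export profile`, for WPA2-Enterprise, AES and 802.1X. The SSID `CorpWiFi` and both sample profiles are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Namespace used by Windows WLAN profile XML.
NS = {"w": "http://www.microsoft.com/networking/WLAN/profile/v1"}

# Constructed sample profile; the SSID is made up for this example.
GOOD = """<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>CorpWiFi</name>
  <SSIDConfig><SSID><name>CorpWiFi</name></SSID></SSIDConfig>
  <connectionType>ESS</connectionType>
  <MSM><security><authEncryption>
    <authentication>WPA2</authentication>
    <encryption>AES</encryption>
    <useOneX>true</useOneX>
  </authEncryption></security></MSM>
</WLANProfile>"""

# Constructed weak variant: pre-shared key, TKIP, 802.1X disabled.
WEAK = (GOOD.replace("<authentication>WPA2<", "<authentication>WPA2PSK<")
            .replace("<encryption>AES<", "<encryption>TKIP<")
            .replace("<useOneX>true<", "<useOneX>false<"))

def audit_profile(xml_text):
    """Return a list of findings; an empty list means the profile matches."""
    root = ET.fromstring(xml_text)
    ae = root.find("w:MSM/w:security/w:authEncryption", NS)
    if ae is None:
        return ["no authEncryption element: security settings not defined"]

    def val(tag):
        return (ae.findtext("w:" + tag, default="", namespaces=NS) or "").strip()

    findings = []
    # In this schema "WPA2" means WPA2-Enterprise; "WPA2PSK" is pre-shared key.
    if val("authentication") != "WPA2":
        findings.append("authentication is %r, expected 'WPA2'" % val("authentication"))
    if val("encryption") != "AES":
        findings.append("encryption is %r, expected 'AES'" % val("encryption"))
    if val("useOneX").lower() != "true":
        findings.append("useOneX is %r, 802.1X is not enabled" % val("useOneX"))
    return findings

if __name__ == "__main__":
    for label, profile in (("good", GOOD), ("weak", WEAK)):
        print(label, audit_profile(profile) or "OK")
```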
Keep in mind, Group Policy won’t reach Mac or Linux machines, or end-users who are working from their own computers and devices. In these cases (or if you aren’t running a Windows Server), consider using a third-party solution. XpressConnect from Cloudpath Networks and Quick1X from Avenda Systems are two examples.
Actually, I recently did an independent review of both of these solutions, as part of my freelance writing. You can check out both the XpressConnect review and Quick1X review at EnterpriseNetworkingPlanet.
These solutions let you define the network settings and generate a client wizard which automatically configures end-user computers, and possibly mobile phones. Then you can set up a captive portal on your network where unconfigured users are asked to download and run the wizard. Voilà, they’re secured without getting frustrated or calling the IT department. Another option is to hand out this wizard on USB drives and CDs, or offer it as a download on your website.
Good luck on your 802.1X implementation!
Eric Geier is the founder and CEO of NoWiresSecurity, which provides a hosted RADIUS service for 802.1X authentication. He is also a freelance tech writer and has authored several books from major publishers like Cisco Press and For Dummies.