Forum

Hi all,

Im looking for some advice and/or real world experience related to this topic.

Im investigating the feasibility of using an existing centralised Radius and LDAP archirtecture to authenticate and secure 802.1x/EAP-TLS based WLANs at remote sites.

The environment would look something like this:

- 1 or possibly two WLANs per site, 1 site per country.

- Each WLAN would have no more than 30 wireless clients.

- Each country would have a direct WAN link to a regional datacentre (same continent, but likely a different country), where a Radius server and LDAP server may be located.

- WAN link may be anything between T1 and STM1, depending on country. No WAN link experiences more than 60% peak utilisation.

- dot1x and EAP-TLS authentication should be against regional RADIUS and LDAP.

- CA's and CRL available at the regional DC's.

- Assume there cant be any in-country certificate or authentication services, clients must use the regional services.

My questions:

1) Latency - how tolerant would the EAPOL authentication traffic be to latency?

2)regular re-keying for encryption - could also be affected by latency?

3)Certificate distribution and enrollment for end devices could be a headache - any advice or tips?

4)WLAN users roaming between AP's, fast and secure roaming technology, which one?

I guess 1 and 2 can be mitigated with adequate clasification and queuing/QoS measures on the WAN link as and when needed, but its more of a general question, is that type of traffic adversley affected?


Any comments would be appreciated, have I missed any other important points that should be considered?


Thanks.

I'll help as much as I can:

1) I'm really not sure about what type of latency requirements there are for EAPoL transactions. I know that many RADIUS and controller vendors advertise that you can do the type of centralized authentication you are describing, but I don't have any personal experience with it.

2) If you use WPA or WPA2 encryption, re-keying typically only happens regularly for group encryption keys. I don't think re-keying would pose a problem for you.

3) I don't have any tips on certificates other than to say when I was with a large consulting firm back in the day, we used an application that could push certificates out to all of our end users. I can't remember what it was, unfortunately.

One thing I use now for test environments that may help a bit is the Odyssey CA and Odyssey CR from Juniper/Funk software. You can download both for free from www.funk.com. If you load the CR on clients it makes it a relative snap for them to hit the CA and get a certificate. Again, I've only used it thus far in testing environments, so it may not scale to what you need.

4) You might want to consider APs that support 802.11F IAPP. I've used Proxim AP-4000s, which support IAPP. By using IAPP, I've found a very consistently fast handoff when roaming with those APs. The one thing I don't know is if those APs support 802.11i PMK caching or pre-authentication. It would seem to me that since there has to be some latency when a client roams because of the centralized authentication, having pre-authentication via IAPP-enabled APs would be a great help.

Another option is to try a WLAN controller. They are expensive, but companies like Aruba sell controllers with APs that can automatically build IPSec tunnels to a centralized controller over a WAN connection. This may help with easily getting remote APs configured/managed as well as speeding up roaming.

The system we have in place right now uses two Radius servers in different cities in the US. We have multiple sites with wireles switch infrastruture. We implemented TTLS, so the only certificates are for the servers. Additionally, the Radius acts as a proxy to Active Directory. Even with this we have not seen any problems with the EAPOL traffic delays. Wnet with TTLS just so we wouldn't have to deal with client certificates.

Wade Mackey

Thanks for the responses and tips, much appreciated. You've given me some things to think about.