A Very Funky 802.1x Security Solution

Funk Software, which develops RADIUS solutions, announced an 802.1x security solution Monday that it calls Odyssey. The company stated that Odyssey is an end-to-end security solution for WLANs permitting secure user access and easy deployment over an enterprise network.

Odyssey, which includes client and server software, supports the 802.1x security method EAPTLS included in Windows XP. It also introduces support for what is called EAP-TTLS, an explanation of which can be found in an IETF (Internet Engineering Task Force) task force draft.

Funk Sofware explained that the use of EAP-TLS as a security mechanism comes at a high administrative cost because each user is required to have a certificate, requiring a certificate authority for distributing, revoking and otherwise managing user access certificates.

In addition, users with multiple PCs are forced to either transfer a single personal certificate and private key to each machine, or acquire separate certificates for each machine. This places an unncessary burden on either the user or the administrator, or both.

Funk exlained that the EAP-TLS and EAP-TTLS mechanisms are similar, but that the use of TTLS would require only RADIUS servers to have certificates – not the users. Users are authenticated on a standard password-based credential, whose use is made proof against active and passive attack by enclosing it in the TLS security wrapper.

The company explained that the use of EAP-TTLS is somewhat similar to the mechanism used to secure credit card transactions online. Basically, the Web server proves authenticity to the user by presenting its certificate; the user can then encrypt credit card info to the server. The company highlighted the point that since online commmerce has never required the use of certificates to ensure security, neither should WLAN access.

As detailed in the IETF draft mentioned above, the EAP-TTLS method is a draft jointly supported by Funk Software and Certicom, and is a working document of the PPP Extensions group. The protocol is designed to allow user authentication onto WLANs with existing password credentials – while using strong public/private key crypto to protect against potential attacks against wireless communications.

Funk claims that EAP-TTLS is the equal of EAP-TLS in security, can be managed by a single user from any machine, and is compatible with existing authentication databases and infrastructure. The company regards Odyssey as an alternative to complex certificate infrastructures for WLAN security that puts such security within any organization’s reach because of reduced administrative burden.

Matthew Peretz is Managing Editor of 802.11-Planet.com

More information can be found at the Funk Software site. The product is in open beta and can be downloaded, with full release scheduled for February.

News Around the Web