Use third-party 802.1X client in Windows

In this article we will show you some third-party modules in case you implement a less-used EAP type that Windows itself does not support.

Deploying 802.1X authentication for wireless or wired access to the network means that users must have an 802.1X client installed on their computer or device.

The client communicates with the RADIUS server (such as NPS or IAS on Windows Server) through the access point or switch, using one of several EAP protocols. Since Windows 2000 SP4, Microsoft has supported the EAP-TLS and Protected EAP (PEAP) protocols.

However, you may need to use other EAP protocols (such as EAP-TTLS, EAP-FAST or LEAP) if your access points, switches or RADIUS servers do not support (or are not configured for) EAP-TLS or PEAP. In this case, you must install and use a third-party 802.1X client on Windows computers. You also need to make sure the RADIUS server supports that protocol. Note: NPS and IAS on Windows Server only support EAP-TLS and PEAP.

SecureW2 Enterprise Client

SecureW2 Enterprise Client is a commercial product of SecureW2 BV (a Dutch company). It supports 32-bit and 64-bit computers running Windows XP, Windows Vista and Windows 7, regardless of which service packs are installed. In addition, 32-bit and 64-bit systems running Windows Server 2003 and 2008 are also supported. Note, however, that the product does not support Mac OS X or Linux.

SecureW2 also offers mobile client solutions that support Microsoft Pocket PC and Smartphone 2002/2003, Windows Mobile 2003/2003 SE and Windows Mobile 5, 6, 6.1 and 6.5. Currently, the new Windows Phone 7 platform is not yet supported.

The interface of the SecureW2 Enterprise Client (Figure 1) allows you to configure authentication settings for wired and wireless connections. It does not disable Windows' built-in wireless utility, so users can manage other network connection settings through the familiar Windows interface.

Figure 1

SecureW2 Enterprise Client supports the following EAP types:

  1. EAP-PEAP
  2. EAP-TTLS
  3. EAP-GTC
  4. EAP-SIM

SecureW2 Enterprise Client offers many features beyond the basics of an 802.1X client. You can supply authentication settings via XML, INF or INI files. You can also create MSI packages that contain settings and certificates. Authentication settings can be locked to prevent users from changing them. The wireless interface can be automatically disabled when a wired connection is established.

Cisco Secure Services Client

If you're looking for a Cisco product, the one I want to show you is the Cisco Secure Services Client. Currently, 32-bit versions of Windows 2000, Windows 2003 Server Enterprise Edition and XP Professional are supported, as are 32-bit and 64-bit versions of Windows Vista Business, Enterprise and Ultimate.

Remember, Cisco also provides modules for adding EAP-LEAP and EAP-FAST support to the wireless interface of Windows Vista and Windows 7; we cover these modules in the section below.

The Cisco Secure Services Client has only a limited set of features in its free and trial versions. For the more important features, you need to buy a subscription; prices start at $60 for 250 machines.

Cisco Secure Services Client has a user interface (Figure 2) and is an upgraded version of Meetinghouse's old AEGIS SecureConnect software application. The supported EAP types are listed below:

  1. EAP-PEAP
  2. EAP-FAST
  3. EAP-LEAP
  4. EAP-TLS (Windows 2000 / XP only)
  5. EAP-TTLS (Windows 2000 / XP only)
  6. EAP-MD5 (Windows 2000 / XP only)
  7. EAP-GTC (Windows 2000 / XP only)

Figure 2

The Cisco Secure Services Client also has an automatic VPN connection feature, which can be used when the Cisco IPSec VPN client is installed to minimize user intervention when establishing a VPN connection. In addition, it can prevent users from arbitrarily changing the configuration.

EAP-LEAP and EAP-FAST modules

If you want to use the EAP-LEAP or EAP-FAST protocols and users are running Windows Vista or Windows 7 (32-bit or 64-bit), you can use Cisco's free modules to add support for them to the Windows interface. Instead of using a third-party program (like the Cisco Secure Services Client), you configure the settings via Network Properties in Windows, as shown in Figure 3 below.

Figure 3

However, installing the EAP-LEAP and EAP-FAST modules still takes some tricks. Sometimes Windows Update automatically downloads and installs these modules, and they then appear as an authentication method in the Network Properties dialog box. At other times we have to change the Registry to do this.

Xsupplicant of Open1X

Xsupplicant is a free open source project of Open1X and previously OpenSEA. However, only Windows XP (32-bit) and Linux (32 and 64 bit) versions are officially supported. Support for Windows Vista and Windows 7 (32 and 64 bit) is currently under study.

Xsupplicant provides a GUI application (see Figure 4) for managing Wi-Fi interfaces, with additional 802.1X authentication for wireless and wired connections. It also has a logging feature and lets you configure advanced authentication settings as well as timers. The advantage of using this client is that you have a wide range of supported EAP types:

  1. EAP-PEAP
  2. EAP-FAST
  3. EAP-LEAP
  4. EAP-TLS
  5. EAP-TTLS
  6. EAP-MSCHAPv2
  7. EAP-MD5
  8. EAP-AKA
  9. EAP-GTC
  10. EAP-OTP
  11. EAP-SIM
  12. EAP-TNC

Figure 4

WPA_Supplicant

Wpa_supplicant is another open source project that supports wireless and wired connections. This client can run on Windows 2000 and XP, Mac OS X, Linux and BSD. Although it does not support Windows Vista and later versions, this client gives you the same configuration across a variety of other operating systems and wireless drivers. It has a GUI (wpa_gui), as shown in Figure 5 below.

Figure 5

Wpa_supplicant supports the following EAP types:

  1. EAP-PEAP
  2. EAP-FAST
  3. EAP-LEAP
  4. EAP-TLS
  5. EAP-TTLS
  6. EAP-MSCHAPv2
  7. EAP-MD5
  8. EAP-AKA
  9. EAP-GTC
  10. EAP-OTP
  11. EAP-SIM
  12. EAP-TNC
  13. EAP-GPSK
  14. EAP-IKEv2
  15. EAP-PAX
  16. EAP-SAKE
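
The article notes that the RADIUS server must support whichever EAP type the client uses, and that NPS and IAS only support EAP-TLS and PEAP. As an added example (not from the article or the wpa_supplicant project), this Python script reads the network blocks of a wpa_supplicant configuration file and reports, per SSID, the EAP methods such a server cannot negotiate and whether a CA certificate is set for checking the server; the sample configuration, SSIDs, identities and paths are constructed.

```python
import re

# Per the article: NPS and IAS on Windows Server only support EAP-TLS and PEAP.
NPS_EAP_METHODS = {"TLS", "PEAP"}

# Constructed sample wpa_supplicant.conf (SSIDs, identity and paths are made up).
SAMPLE_CONF = '''
network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice@example.com"
    password="not-a-real-password"
    ca_cert="/etc/certs/corp-ca.pem"
    phase2="auth=MSCHAPV2"
}
network={
    ssid="lab-wifi"
    key_mgmt=WPA-EAP
    eap=TTLS LEAP
}
'''

def parse_networks(conf_text):
    """Return one dict of key -> value per network={...} block."""
    networks = []
    for body in re.findall(r"network=\{(.*?)\n\}", conf_text, re.S):
        fields = {}
        for line in body.splitlines():
            line = line.strip()
            if line and not line.startswith("#") and "=" in line:
                key, value = line.split("=", 1)
                fields[key.strip()] = value.strip().strip('"')
        networks.append(fields)
    return networks

def check_against_server(conf_text, server_methods=NPS_EAP_METHODS):
    """Per SSID: EAP methods the server lacks, usable ones, and CA presence."""
    report = {}
    for net in parse_networks(conf_text):
        methods = set(net.get("eap", "").split())  # eap= is a space-separated list
        report[net.get("ssid", "<wired>")] = {
            "unsupported_by_server": sorted(methods - server_methods),
            "usable": sorted(methods & server_methods),
            "server_cert_checked": "ca_cert" in net or "ca_path" in net,
        }
    return report
```

Pass a different `server_methods` set to check the same configuration against a RADIUS server that supports other EAP types.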