Using Third-Party 802.1X Clients in Windows

by [Published on 26 April 2011 / Last Updated on 26 April 2011]

Deploying 802.1X authentication for wireless and/or wired access on your network means that your end-users must have an 802.1X client (or supplicant) installed on their computer or device. This article discusses different third-party supplicants/modules in case you're implementing less-common EAP types that Windows doesn't natively support.

Introduction

The client communicates with the RADIUS server (such as NPS or IAS on a Windows Server) through the access point or switch via one of several different EAP protocols. Since Windows 2000 SP4, Microsoft has included native support for the EAP-TLS and Protected EAP (PEAP) protocols.

However, you might need to use other EAP protocols (such as EAP-TTLS, EAP-FAST, or LEAP) if your access points, switches, or RADIUS server don’t support (or aren’t configured with) EAP-TLS or PEAP. In this case, you must install and use a third-party 802.1X client on Windows PCs. Make sure your RADIUS server supports the given protocol too. Keep in mind that NPS and IAS on a Windows Server only support EAP-TLS and PEAP.

SecureW2 Enterprise Client

The SecureW2 Enterprise Client is a commercial supplicant by SecureW2 B.V. (a Dutch Corporation). It supports 32-bit and 64-bit PCs running Windows XP, Vista or 7, regardless of the service pack installed. Additionally, 32-bit and 64-bit systems running Windows Server 2003 and 2008 are supported. However, there is no support for Mac OS X or Linux.

SecureW2 also offers mobile client solutions, supporting Microsoft’s Pocket PC and Smartphone 2002/2003, Windows Mobile 2003/2003 SE, and Windows Mobile 5, 6, 6.1, and 6.5. Currently, the newer Windows Phone 7 platform is not supported.

The SecureW2 Enterprise Client GUI (see Figure 1) lets you configure the authentication settings for wired and wireless connections. It doesn’t disable the built-in wireless utility of Windows, like other supplicants do, so end-users can manage the other network connection settings with the familiar Windows interface.


Figure 1

The SecureW2 Enterprise Client supports the following EAP types:

  • EAP-PEAP
  • EAP-TTLS
  • EAP-GTC
  • EAP-SIM

The SecureW2 Enterprise Client offers other features in addition to the basic 802.1X client functionality. You can provision the authentication settings via XML, INF or INI for silent and non-silent installations. You can also create MSI packages containing both the settings and the certificates. You can lock down the authentication settings to prevent end-users from changing them. You can also have the wireless interface automatically disabled when a wired connection is established.

Cisco Secure Services Client

If you’re a Cisco shop, you might consider using the Cisco Secure Services Client. Currently, the 32-bit editions of Windows 2000, Windows 2003 Server Enterprise Edition, and XP Professional are supported, as are the 32-bit and 64-bit editions of Windows Vista Business, Enterprise, and Ultimate.

Keep in mind that Cisco also provides modules for adding EAP-LEAP and EAP-FAST support to the native wireless interface of Windows Vista and 7, which we’ll discuss in the next section.

Cisco offers a free wired-only license for the Cisco Secure Services Client with a limited feature set, and a 90-day full wired/wireless trial license. Beyond that, you’ll have to purchase a license, starting at $60 for up to 250 seats.

The Cisco Secure Services Client offers a GUI application (see Figure 2), and is actually a rebranded and updated version of Meetinghouse's old AEGIS SecureConnect software application. The following EAP types are supported:

  • EAP-PEAP
  • EAP-FAST
  • EAP-LEAP
  • EAP-TLS (Windows 2000/XP only)
  • EAP-TTLS (Windows 2000/XP only)
  • EAP-MD5 (Windows 2000/XP only)
  • EAP-GTC (Windows 2000/XP only)


Figure 2

The Cisco Secure Services Client also has an integrated automatic VPN connection feature that can be used when the Cisco IPSec VPN client is installed to minimize user intervention when establishing a VPN connection. Plus it features XML-based provisioning of authentication details and has the ability to prevent configuration changes by end-users.

Cisco EAP-LEAP and EAP-FAST Modules

If your desired protocols are EAP-LEAP or EAP-FAST and end-users are using Windows Vista or 7 (32-bit or 64-bit), you might consider using Cisco’s free modules to add support to the native Windows interface. Instead of having to use a third-party program (like the Cisco Secure Services Client), you’d configure the settings via the Network Properties in Windows, as Figure 3 shows.


Figure 3

However, it can be tricky to get the EAP-LEAP and EAP-FAST modules installed. Sometimes Windows Update will automatically download and install the modules, and they’ll automatically appear as an authentication method on the Network Properties dialog. Other times it might take a Registry modification, as described on this blog by the eapteam, or downloading the ECPNode from the Microsoft Update Catalog.

XSupplicant by Open1X

XSupplicant is a free open source project maintained by Open1X and backed by OpenSEA. Unfortunately, only Windows XP (32-bit) and Linux (32 and 64 bit) are officially supported currently. Support for Windows Vista and Windows 7 (32 and 64 bit) is in the works.

XSupplicant offers a GUI application (see Figure 4) for managing your Wi-Fi interface in addition to the 802.1X authentication for wireless and wired connections. It also includes a logging feature and lets you set advanced authentication settings and timers. The advantage of using this supplicant is the wide range of EAP types supported:

  • EAP-PEAP
  • EAP-FAST
  • EAP-LEAP
  • EAP-TLS
  • EAP-TTLS
  • EAP-MSCHAPv2
  • EAP-MD5
  • EAP-AKA
  • EAP-GTC
  • EAP-OTP
  • EAP-SIM
  • EAP-TNC


Figure 4

WPA_Supplicant

The wpa_supplicant is another free open source project supporting wireless and wired connections. This client runs on Windows 2000 and XP, Mac OS X, Linux, and BSD. Though it doesn’t support Windows Vista or later, it does give you uniformity of configuration across a variety of other OSs and wireless drivers. It includes a text-based frontend (wpa_cli) along with a GUI (wpa_gui), as Figure 5 shows.


Figure 5

The wpa_supplicant supports a long list of EAP types:

  • EAP-PEAP
  • EAP-FAST
  • EAP-LEAP
  • EAP-TLS
  • EAP-TTLS
  • EAP-MSCHAPv2
  • EAP-MD5
  • EAP-AKA
  • EAP-GTC
  • EAP-OTP
  • EAP-SIM
  • EAP-TNC
  • EAP-GPSK
  • EAP-IKEv2
  • EAP-PAX
  • EAP-SAKE
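
Because wpa_supplicant reads the same text configuration on every platform it runs on, that file can be checked before it is rolled out. The following is an added example, not part of the original article or of the wpa_supplicant project: it parses the network blocks of a wpa_supplicant.conf and reports entries where the RADIUS server certificate would not be verified or where a password method without a TLS tunnel is enabled. The sample configuration, its SSIDs and its paths are constructed for illustration.

```python
import re

# Constructed sample, trimmed to the settings the check reads; names and paths are made up.
SAMPLE_CONF = '''
network={
    ssid="corp-ttls"
    key_mgmt=WPA-EAP
    eap=TTLS
    identity="alice"
    ca_cert="/etc/certs/corp-ca.pem"
    subject_match="/CN=radius.example.com"
    phase2="auth=MSCHAPV2"
}
network={
    ssid="corp-peap"
    key_mgmt=WPA-EAP
    eap=PEAP
}
network={
    ssid="legacy"
    key_mgmt=IEEE8021X
    eap=LEAP
}
'''
TLS_BASED = {"TLS", "TTLS", "PEAP"}        # methods where the server presents a certificate
LEGACY = {"LEAP", "MD5"}                   # password methods with no TLS tunnel
NAME_KEYS = {"subject_match", "altsubject_match", "domain_suffix_match", "domain_match"}

def parse_networks(text):
    """Return one {key: unquoted value} dict per network={...} block."""
    nets = []
    for body in re.findall(r"network=\{(.*?)\n\}", text, re.S):
        pairs = (l.strip().split("=", 1) for l in body.splitlines()
                 if "=" in l and not l.strip().startswith("#"))
        nets.append({k.strip(): v.strip().strip('"') for k, v in pairs})
    return nets

def audit(text):
    """Return (ssid, finding) tuples for risky 802.1X settings."""
    findings = []
    for net in parse_networks(text):
        ssid = net.get("ssid", "<wired>")
        methods = set(net.get("eap", "").upper().split())
        if methods & TLS_BASED:
            if not net.keys() & {"ca_cert", "ca_path"}:
                findings.append((ssid, "no CA configured: server certificate is not verified"))
            elif not net.keys() & NAME_KEYS:
                findings.append((ssid, "CA set but RADIUS server name is not constrained"))
        findings += [(ssid, f"EAP-{m} has no TLS tunnel") for m in sorted(methods & LEGACY)]
    return findings
```

Calling audit(SAMPLE_CONF) returns one finding for "corp-peap" (no CA configured) and one for "legacy" (EAP-LEAP), while the EAP-TTLS entry passes.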

Summary

We discussed a couple of different third-party supplicants/modules in case you’re implementing less-common EAP types that Windows doesn’t natively support.

If you prefer EAP-TTLS, the SecureW2 Enterprise Client is likely your best bet if end-users have newer systems. If you desire EAP-FAST or EAP-LEAP, you might try installing the EAP-FAST module on newer systems and the Cisco Secure Services Client on older ones. If you’re looking for a cross-platform solution, consider WPA_Supplicant. Keep an eye on XSupplicant for the update adding support for Windows Vista and 7.
