Healthy Paranoia Show 7: 802.1X; the Good, the Bad and the Ugly

Just when you thought the Winter Solstice, Hanukkah, Kwanzaa or Christmas couldn’t get any better, Healthy Paranoia’s Mrs. Y rustles up some wireless experts for an episode on 802.1X!

Joining the Packetpushers Posse:

As usual, you’ll hear Greg Ferro prancing with unicorns, mocking storage protocols and ranting about Windows XP.

Show Notes:

From the 802.1X IEEE standard,

This standard specifies the use of EAP, the Extensible Authentication Protocol (IETF RFC 3748), to support authentication using a centrally administered Authentication Server and defines EAP encapsulation over LANs (EAPOL, Clause 11) to convey the necessary exchanges between peer PAEs (Port Access Entity) attached to a LAN. 

From EAP RFC 3748,

Extensible Authentication Protocol, an authentication framework which supports multiple authentication methods.  EAP typically runs directly over data link layers such as Point-to-Point Protocol (PPP) or IEEE 802, without requiring IP.  EAP provides its own support for duplicate elimination and retransmission, but is reliant on lower layer ordering guarantees. EAP encapsulation on IEEE 802 wired media is described in [IEEE-802.1X], and encapsulation on IEEE wireless LANs in [IEEE-802.11i].

Additional EAP RFCs include 3580 (RADIUS), 4017 and 5931. Also a nifty EAP cheat sheet from Jeremy Stretch.

Mrs. Y
Mrs. Y is a recovering Unix engineer working in network security. Also the host of Healthy Paranoia and official nerd hunter. She likes long walks in hubsites, traveling to security conferences and spending time in the Bat Cave. Sincerely believes that every problem can be solved with a "for" loop. When not blogging or podcasting, can be found using up her 15 minutes in the Twittersphere or Google+ as @MrsYisWhy.
  • Chris Lyttle

    I disagree that you need an MDM to manage certificates and configurations on Mac OS X. There are many solutions out there that support Macs and some that even can integrate Macs into Active Directory. Centrify even lets you push GPO policies to Macs! The cheapest option is to just use OS X server to manage certificates, but there are other solutions that give you an onboarding process that will automatically configure both the client and certificates on the client for wireless. This is an urban legend that Macs are difficult to get certificates onto!

    • Mrs. Y.

      How about a blog post then?

      • Gregor Vučajnk

        I second that about the blog post. Great subject.

  • Sam

    I liked Mr. Gast’s latest book “802.11n A Survival Guide”, one of the few technical books I read cover to cover!

    Mrs. Y, you missed your calling, you should have been a writer for TV show openings…

    There is a lot more to EAP than I knew…

    I know how to secure a computer, just unplug everything :), no network connections period :).

  • Michael Gonnason

    I dunno if it is the compression, or the mic quality, but Mrs Y's audio seems to be strained. It has been something I noticed since the first show, which has been entertaining and educational.

    • Michael Gonnason

      Hmm, I noticed Greg sounds different from the main podcast; maybe there is a difference in the audio workflows for the shows?

      • Etherealmind

        I _think_ it’s Skype. I’m connecting from UK and this causes some audio changes. Otherwise, I’m the person recording and my audio is different because it’s recorded locally. It varies.

        • Mrs. Y.

          Ah, the joys of recording via Skype ;-). Problem seems to be when leveling, then compressing. My mic quality is good, but after leveling and compressing so that everyone is of equal sound quality, then converting to MP3, it’s degraded. I even bump my gain slightly. Still experimenting with different methods.