It's a Bunch of Important Letters
If you've installed Panther and played around with the Internet Connect tool, you might have noticed a new option in the File menu: New 802.1X Connection. 802.1X sounds like a lot of letters, but it's actually a very simple concept: port-based network access control, meaning a network port (wired or wireless) that stays shut until you log in through it. The name comes from the IEEE working group that developed it, 802.1, which writes the architecture and bridging standards shared by wired and wireless LANs. So 802.1X is not one of the 802.11 wireless standards, even though it is used heavily on wireless networks.
In 802.1X, the concept is that you have to log into a network, and until you do, the actual hardware device to which you're connecting -- whether it's a wireless base station or a wired Ethernet switch -- blocks everything except the login exchange itself from reaching the rest of the network. (In the standard's vocabulary, your computer is the supplicant and the base station or switch port is the authenticator.) While you log in, you're talking only to that device, which relays your login exchange to an authentication server that holds a database of users and their credentials (passwords, digital certificates, or other methods of establishing that people are who they say they are).
Once the user's credentials are confirmed, on a wireless network the base station hands the user's machine a unique encryption key and rotates it periodically. The user is then free to access the rest of the network. That key material comes out of the login method itself, which is why the certificate- and tunnel-based methods mentioned below are the ones used on wireless networks: the simple MD5 password method proves who you are but produces no key.
The 802.1X set of transactions means that you can have an entirely open base station to which anyone can associate, because until they log in they can't get beyond that point, and once they do, their traffic is encrypted with a key nobody else holds. Since each user on the network ends up with a unique, per-session key, there is no shared secret for a sniffer to obtain by social engineering (asking someone for the key), and no network-wide key to recover by collecting lots of traffic, as the known attacks on WEP do (attacks which don't work against the new WPA standard anyway). One caveat remains: with the tunneled, password-based methods, the client must verify the authentication server's certificate before sending anything, or an impostor base station can simply ask for the password.
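To make the exchange above concrete, here is an added example (not code from the original article or from Apple) that simulates the three parties: a supplicant, an authenticator that keeps its port closed to all but login frames, and an authentication server standing in for RADIUS. The frame layouts follow the real EAPOL (IEEE 802.1X) and EAP (RFC 3748) headers. The login method shown is EAP-MD5-Challenge because it is the only one short enough to show in full; as noted above it yields no encryption key, so the base station would have nothing to hand out afterwards. The user names, passwords, port name and server name are constructed for the example.

```python
import hashlib
import hmac
import os
import struct

# EAPOL (IEEE 802.1X) frame: version(1) type(1) length(2) body
EAPOL_VERSION = 1
EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF = 0, 1, 2
ETHERTYPE_EAPOL, ETHERTYPE_IPV4 = 0x888E, 0x0800
# EAP (RFC 3748) packet: code(1) identifier(1) length(2) [type(1) type-data]
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_IDENTITY, EAP_MD5_CHALLENGE = 1, 4


def eapol_frame(eapol_type, body=b""):
    return struct.pack("!BBH", EAPOL_VERSION, eapol_type, len(body)) + body


def parse_eapol(frame):
    _version, eapol_type, length = struct.unpack("!BBH", frame[:4])
    return eapol_type, frame[4:4 + length]


def eap_packet(code, ident, eap_type=None, data=b""):
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def parse_eap(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("EAP length field does not match packet")
    eap_type = pkt[4] if length > 4 else None  # Success/Failure carry no type
    return code, ident, eap_type, pkt[5:]


def md5_challenge_response(ident, password, challenge):
    # RFC 3748 section 5.4 (CHAP, RFC 1994): MD5(Identifier || secret || challenge)
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


class AuthServer:
    """Stands in for the RADIUS server that holds the user database."""

    def __init__(self, users):
        self.users = users      # constructed: identity -> password bytes
        self.sessions = {}      # port -> (identity, expected EAP id, challenge)

    def handle(self, port, eap_pkt):
        code, ident, eap_type, data = parse_eap(eap_pkt)
        if code == EAP_RESPONSE and eap_type == EAP_IDENTITY:
            challenge = os.urandom(16)
            self.sessions[port] = (data.decode(), ident + 1, challenge)
            return eap_packet(EAP_REQUEST, ident + 1, EAP_MD5_CHALLENGE,
                              bytes([len(challenge)]) + challenge + b"example-server")
        if code == EAP_RESPONSE and eap_type == EAP_MD5_CHALLENGE and port in self.sessions:
            identity, expected_id, challenge = self.sessions.pop(port)
            value = data[1:1 + data[0]]
            password = self.users.get(identity)
            ok = (ident == expected_id and password is not None and
                  hmac.compare_digest(value, md5_challenge_response(ident, password, challenge)))
            return eap_packet(EAP_SUCCESS if ok else EAP_FAILURE, ident)
        return eap_packet(EAP_FAILURE, ident)


class Authenticator:
    """The switch port or base station: relays EAP, drops everything else until Success."""

    def __init__(self, server, port="port1"):
        self.server, self.port = server, port
        self.authorized = False
        self.delivered = []     # data frames that made it onto the network

    def receive(self, ethertype, payload):
        """Return the frame to send back to the supplicant, or None."""
        if ethertype != ETHERTYPE_EAPOL:
            if self.authorized:
                self.delivered.append(payload)
            return None         # unauthorized port: frame silently dropped
        eapol_type, body = parse_eapol(payload)
        if eapol_type == EAPOL_START:
            return eapol_frame(EAPOL_EAP_PACKET, eap_packet(EAP_REQUEST, 1, EAP_IDENTITY))
        if eapol_type == EAPOL_LOGOFF:
            self.authorized = False
            return None
        reply = self.server.handle(self.port, body)   # relay EAP to the server
        code = parse_eap(reply)[0]
        if code in (EAP_SUCCESS, EAP_FAILURE):
            self.authorized = code == EAP_SUCCESS
        return eapol_frame(EAPOL_EAP_PACKET, reply)


class Supplicant:
    def __init__(self, identity, password):
        self.identity, self.password = identity, password

    def respond(self, frame):
        """Answer an EAPOL frame; None once the exchange has ended."""
        _eapol_type, body = parse_eapol(frame)
        code, ident, eap_type, data = parse_eap(body)
        if code != EAP_REQUEST:
            return None         # Success or Failure: nothing left to send
        if eap_type == EAP_IDENTITY:
            answer = eap_packet(EAP_RESPONSE, ident, EAP_IDENTITY, self.identity.encode())
        elif eap_type == EAP_MD5_CHALLENGE:
            challenge = data[1:1 + data[0]]
            value = md5_challenge_response(ident, self.password, challenge)
            answer = eap_packet(EAP_RESPONSE, ident, EAP_MD5_CHALLENGE, bytes([len(value)]) + value)
        else:
            return None         # a real client would send an EAP NAK here
        return eapol_frame(EAPOL_EAP_PACKET, answer)


def run_logon(identity, password, users):
    """Drive a full 802.1X logon; return (port authorized?, data frames delivered)."""
    port = Authenticator(AuthServer(users))
    supplicant = Supplicant(identity, password)
    port.receive(ETHERTYPE_IPV4, b"IPv4 packet sent before logon")   # never gets through
    frame = port.receive(ETHERTYPE_EAPOL, eapol_frame(EAPOL_START))
    while frame is not None:
        answer = supplicant.respond(frame)
        frame = None if answer is None else port.receive(ETHERTYPE_EAPOL, answer)
    port.receive(ETHERTYPE_IPV4, b"IPv4 packet sent after logon")
    return port.authorized, port.delivered
```

Running `run_logon("alice", b"correct horse", {"alice": b"correct horse"})` opens the port and delivers only the frame sent after the Success; a wrong password or unknown user leaves the port closed and delivers nothing. Note what the server compares: not the password itself but an MD5 over the identifier, password and a fresh challenge, so the password never crosses the air in the clear, yet an eavesdropper who captures the challenge and response can still attack the password offline, which is one more reason the tunneled methods are preferred on wireless.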
Apple's 802.1X client is far, far better than the one built into Microsoft Windows XP. Windows ships with only two usable login methods, EAP-TLS (certificates) and PEAP. Under Mac OS X 10.3, however, you can use all of the industry's methods for 802.1X, which come with a whole other set of abbreviations (EAP-TLS, EAP-TTLS, PEAP, etc.). This makes the Mac approach just as secure as Microsoft's and more ecumenical, while still fully compatible with a Windows-based network. (For older Mac OS versions, you can buy an 802.1X client from Meetinghouse, which also sells servers.)
The missing piece in 802.1X for Mac users is the back-end authentication server which handles the user credentials. Panther Server ships with everything that a small or large office could need except the RADIUS server (Remote Authentication Dial-In User Service, a name that has outlived the dial-in part), which manages the users and talks to the base station. Apple is well aware of this.
To use 802.1X on a network, you have to have a base station which supports it (many consumer ones do, including the AirPort Extreme Base Station) and a back-end server. You could also contract out that back-end user database server; a few companies are starting to offer this, but not for the Mac yet.
With 802.1X, you can have a truly secure wireless network connection with no ongoing management except adding and deleting users. I'm looking forward to the day when this can all be handled on Macintoshes end to end, and I hope that day is not far off.
Comments
Did anyone here try out the 802.1x client with MD5? I can't get a connection to the network with that. Is that a failure of Apple or of the network I try to log in to? Does anyone have the same problems?
Greetings
If you got a solution, please email me
Posted by: Niels Hapke | November 3, 2003 11:54 AM
I've got a problem with EAP-TLS. I can't add a .pfx certificate to the keychain. How can I do that?
I need this to use my school network! Please, help me!!
Posted by: MacJL | November 5, 2003 09:38 AM