Wi-Fi security still faces standards war
Microsoft and Cisco are falling out.
By Ellen Messmer, Network World | Network World US | Published: 00:00, 29 March 2004
Even if the 802.11i security amendment to the 802.11 wireless standards is finalised this year, other WLAN security disputes are still simmering and show no sign of cooling down.
Over a year ago Cisco and Microsoft teamed up on a client/server authentication protocol called PEAP (Protected Extensible Authentication Protocol). The goal was to have PEAP built into WLAN gear as well as client software, authentication servers and directories, wherever an end-to-end authentication protocol was needed to approve user access to a WLAN. Microsoft and Cisco submitted their PEAP work to the Internet Engineering Task Force (IETF), hoping it would become a standard.
However, Cisco and Microsoft are now sharply split over what PEAP is supposed to be. Each supports a separate version, and each still calls its own implementation PEAP, which confuses customers.
"There are two flavours since Cisco and Microsoft PEAP haven't come together," says Kevin Walsh, director of product management at Funk Software, which has endeavoured to support multiple WLAN security methods in its client/server authentication products. "The Cisco [PEAP] client can't be authenticated by the Microsoft server and vice versa."
"PEAP: when it first came out, everyone said 'This is it!'" Cisco's Bollinger says. "PEAP was defined in a fairly flexible way. It works much like your browser when you go to a Web page. PEAP uses Secure Sockets Layer under the covers, and you can encrypt from the client to the server and then authenticate."
But the flexibility in the model allowed for variants, and those variants have split Cisco and Microsoft. Microsoft has built its version of PEAP into Windows XP, Windows Server 2003 and Active Directory in a way that Cisco terms a "lock-in".
"It works great for Active Directory and NT domains, but doesn't work with [Lightweight Directory Access Protocol], Novell Directory, SecurID or one-time passwords," Bollinger says. "It works great for Microsoft databases and nothing else."
Cisco's version is broader, according to Bollinger. With its Microsoft alliance foundering, Cisco has turned to Funk, Intel, MeetingHouse Communications and others to ensure its version of PEAP is supported in client software. Cisco also still supports an older proprietary protocol, the Lightweight Extensible Authentication Protocol (LEAP), which is specific to its own access points and authentication server.
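The practical difference between the two flavours shows up in the inner authentication method that runs inside the PEAP TLS tunnel. The article does not name them, but the Microsoft flavour is generally identified as PEAPv0 carrying EAP-MSCHAPv2, whose challenge/response can only be verified against a store holding MS-CHAP-compatible password hashes (Active Directory, NT domains), while the Cisco flavour is PEAPv1 carrying EAP-GTC, which passes a cleartext credential that the server can check against LDAP, SecurID or a one-time-password list. The following wpa_supplicant configuration is an added example written for this page, not code from the article, Cisco or Microsoft; the SSIDs, user name, passwords and CA certificate path are placeholders.

```conf
# Added example: two wpa_supplicant network blocks, one per PEAP flavour.
# Assumed placeholders: SSIDs "corp-ms" and "corp-cisco", user "alice",
# and a CA certificate at /etc/ssl/corp-ca.pem that signs the RADIUS
# server's certificate.

# Microsoft-style PEAP: PEAPv0 with EAP-MSCHAPv2 inside the TLS tunnel.
# The server must be able to verify an MS-CHAPv2 response, which in
# practice means an Active Directory or NT-domain backend.
network={
    ssid="corp-ms"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="placeholder-domain-password"
    phase1="peapver=0"
    phase2="auth=MSCHAPV2"
    # Validate the server certificate. Without ca_cert the client will
    # complete the tunnel with, and hand its MS-CHAPv2 response to, any
    # access point that presents some TLS certificate.
    ca_cert="/etc/ssl/corp-ca.pem"
}

# Cisco-style PEAP: PEAPv1 with EAP-GTC inside the tunnel. GTC sends the
# credential in the clear inside the tunnel, which is what lets the
# server check it against LDAP, SecurID or an OTP list, and also why the
# outer tunnel must be anchored to a trusted CA here as well.
network={
    ssid="corp-cisco"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="123456"    # placeholder one-time-password value
    phase1="peapver=1"
    phase2="auth=GTC"
    ca_cert="/etc/ssl/corp-ca.pem"
}
```

Point the first block at a server that only offers PEAPv1/EAP-GTC, or the second at a server that only offers PEAPv0/EAP-MSCHAPv2, and the outer TLS handshake still completes but the inner method negotiation fails; that is the "can't be authenticated" behaviour Funk describes above. In both cases the ca_cert line is the security-relevant setting: the tunnel only protects the inner credential if the client actually checks who terminates it.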
Microsoft declined to provide a spokesman on the issue of PEAP, but did answer questions via e-mail.
"Both companies support PEAP, but each with different methods of authentication," Microsoft wrote. "In comparing Microsoft's version and Cisco's version, we believe our implementation offers several important advantages." Among these is a feature Microsoft calls "fast reconnect", which resumes the client's existing TLS session instead of running a full re-authentication when the client reconnects or roams between access points.
Microsoft's e-mail also said: "The Cisco approach is not an open standard and is available only from Cisco partners, potentially limiting future network infrastructure choices and potentially leading to higher long-term deployment costs."
Meanwhile, both versions of PEAP languish in the IETF, with no progress towards a single common standard.