Microsoft and Cisco this week are expected to detail how they will support an emerging IETF wireless security standard for authentication that could quash a competing standards effort.
Microsoft, Cisco and RSA Security developed Protected Extensible Authentication Protocol (PEAP) as a way to securely transport authentication data, including passwords, over 802.11 wireless networks by using tunneling between PEAP clients and an authentication server.
Like the competing standard Tunneled Transport Layer Security (TTLS), PEAP makes it possible to authenticate wireless LAN clients without requiring them to have certificates, simplifying the architecture of secure wireless LANs.
This week Cisco will detail how it will include PEAP in its wireless LAN products, which until now have supported a proprietary protocol called Lightweight Extensible Authentication Protocol (LEAP). Microsoft added PEAP support to Windows XP in a service pack released Sept. 7.
PEAP's progress casts a shadow over the TTLS effort, which is also on the IETF standards track. Funk Software and Certicom developed TTLS, which predates PEAP. About three months ago, Funk deployed TTLS in its Odyssey wireless LAN authentication server and in its desktop client software.
"PEAP and TTLS are almost identical," says Joel Snyder, senior partner at consultancy OpusOne, a Network World Global Test Alliance partner. "It doesn't make sense to have both. It's like having two sizes of floppies."
"We don't need two standards," agrees Funk President Paul Funk, author of TTLS, who says that wireless LAN product providers Agere Systems, Proxim and Avaya are supporting Funk's work on TTLS at the IETF. Funk describes TTLS as a "superset" of PEAP.
The rivalry, some suggest, stems from both sides wanting to be considered the originators of what might become an important wireless LAN security protocol. The victors could set the course, while the losers will have to retool.
Inside look
TTLS and PEAP work within the framework of the broad-based IEEE 802.11 wireless LAN standard for authentication known as 802.1X. PEAP and TTLS each use Transport Layer Security - which is often described as a better Secure Sockets Layer - to set up an end-to-end tunnel to transfer the user's credentials, such as a password, without having to use a certificate on the client.
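The two tunnel types described above, shown as an added wpa_supplicant client configuration that is not part of the original article: both profiles send the password only inside the TLS tunnel and neither needs a client certificate, but both pin the authentication server's CA certificate so the credential is never released to an unverified server. The SSID, identities, file paths and domain suffix are constructed placeholders.

```conf
# Added example, not from the article: two wpa_supplicant network profiles
# for the same WLAN, one using PEAP and one using TTLS. All names, paths and
# values are constructed placeholders.
#
# Common to both: key_mgmt selects 802.1X/EAP authentication (the dynamic-WEP
# era the article describes would use key_mgmt=IEEE8021X instead of WPA-EAP),
# and no client certificate is configured; only the server is authenticated.

# PEAP: the inner (phase 2) method is EAP-MSCHAPv2, carried inside the TLS tunnel.
network={
    ssid="corp-wlan"
    key_mgmt=WPA-EAP
    eap=PEAP
    # Outer identity is sent in the clear; the real username stays in the tunnel.
    anonymous_identity="anonymous@example.com"
    identity="alice@example.com"
    password="example-only-password"
    # Server authentication: without ca_cert the supplicant would accept any
    # server certificate, and the tunneled password would be disclosed to
    # whichever authentication server the client happens to reach.
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    domain_suffix_match="radius.example.com"
    phase2="auth=MSCHAPV2"
}

# TTLS: same outer TLS tunnel, but phase 2 may carry legacy non-EAP methods
# (PAP, CHAP, MS-CHAP) as well as EAP methods via autheap=...; PEAP carries
# only EAP methods inside the tunnel.
network={
    ssid="corp-wlan"
    key_mgmt=WPA-EAP
    eap=TTLS
    anonymous_identity="anonymous@example.com"
    identity="alice@example.com"
    password="example-only-password"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    domain_suffix_match="radius.example.com"
    # Plain PAP is acceptable here only because the TLS tunnel encrypts it;
    # use phase2="autheap=MSCHAPV2" to run an EAP method inside the tunnel.
    phase2="auth=PAP"
}
```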
Together with the Wired Equivalent Privacy (WEP) encryption standard, TTLS and PEAP authenticate end users and conceal the users' credentials.
But WEP has come under fire from a range of critics, and today there are many improved methods in the works, including WEP2 and Temporal Key Integrity Protocol (TKIP).
TTLS is better because it is flexible enough to support WEP2 and TKIP as they become available, Funk says. It could also accommodate Advanced Encryption Standard, which has been approved by the federal government as the replacement for Data Encryption Standard, and is viewed as suitable for use with wireless LANs. Funk says PEAP doesn't have this flexibility.
But with PEAP, Cisco gets what observers say is a better protocol than LEAP. And Cisco can count on Microsoft and others to get PEAP client code into laptops, handhelds and phones.
"Microsoft is organizing to be a serious player in wireless LAN access services with PEAP," says Jeff Recor, consultant at the Olympus Security Group, which partners with Cisco on security in wireless LANs. "Logically, Microsoft has the client and Cisco has the back end."
Microsoft has acknowledged that it intends to include PEAP as part of the Internet Authentication Service in the Windows.Net Server by year-end. And Microsoft plans to add PEAP to Windows 2000 for servers and desktops.
Recor says he can imagine PEAP going into Microsoft Active Directory, too. As a Cisco technical partner, he says he fully expects Cisco will add PEAP to the Cisco authentication server and its wireless access point but not phase out LEAP right away.
Corporations deploying wireless LANs are trying to get a handle on PEAP, which Cisco and Microsoft started discussing earlier this year.
One drawback is that Windows XP is currently the only operating system that supports PEAP, says Thomas Gaylord, vice president of IS at the University of Akron in Ohio, a Cisco wireless customer.
The university uses the Cisco Secure Access Control Server, a RADIUS server and VPN software running on each wireless client.
Some IT managers say they find little reason to rush into PEAP, and want to see it be further accepted in the standards process. "It's just a proposed standard," says Van Nguyen, director of global IT security at global shipping firm APL, which is organizing its wireless LAN security strategy for deploying wireless LANs in APL's warehouses. At this point, Nguyen is leaning away from 802.1X and toward a roamable VPN based on the ReefEdge appliance that provides VPN, firewall and authentication on wireless LANs.
Many Cisco customers say they haven't heard much about PEAP, but they hope it will bring some ability to break loose of Cisco's proprietary authentication protocol, LEAP.
"Use of LEAP has locked us into using only network interface cards made by Cisco," says Mark Wiesenberg, director of strategic architectures at Sharp HealthCare, a network of hospitals and clinics in San Diego. "This has seriously hampered our ability to move to new devices with built-in cards that don't have the ability to speak LEAP. This is particularly troublesome with handhelds and tablet devices."
With heavyweights Microsoft and Cisco backing PEAP, wireless LAN security vendors that have implemented TTLS are wondering what to do next.
"We're going to have to support both TTLS and PEAP," says Paul Goransson, president of Meetinghouse Communications, which competes with Funk in providing wireless LAN authentication servers and client software.
IBM, which resells Cisco's wireless LAN products, would prefer to support industry standards, whether PEAP or any other. "LEAP was the only thing available when Cisco's wireless LANs came out with a preindustry version of 802.1X," says Howard Dulany, market segment manager for wireless products in IBM's personal computer group.
It's important to straighten out the security issues related to wireless LANs because "the No. 1 inhibitor of wireless LAN deployment is security," Dulany says.
Senior Editors Ellen Messmer and John Fontana, Network World