Funk readies wireless LAN security package

CAMBRIDGE, MASS. - Funk Software this week will unveil Odyssey, a wireless LAN authentication server that can be used with a variety of vendors' 802.11 wireless products to ensure that users properly authenticate their identities before being granted access to network services.

Odyssey Version 1.0, which costs $2,500, is a package that includes client authentication software for Windows-based PCs or laptops running XP, 2000, 98 or Millennium Edition, and a second component, the Odyssey Server, that runs on Win 2000 or XP.

The Odyssey server, typically housed on an Ethernet LAN, compels each user with a wireless device to prove identity through a password or other means defined by the challenge-response mechanism in the IEEE security standard 802.1X.

"The IEEE 802.1X standard from last spring introduced requirements for mutual authentication between the client and server for 802.11 a, b, and g," says Joe Ryan, vice president at Funk. "The wireless LAN adapter cards out there had to be updated for it, and many of the major vendors have now done that, such as Avaya, Cisco, Agere and 3Com."

A change of scenery

Funk, which for a decade has marketed its Steel-Belted Radius line of authentication servers for large companies and ISPs, decided the time was ripe to introduce its first wireless LAN authentication server aimed at small to midsize organizations putting in wireless LANs.

Like the other Funk authentication servers, Odyssey takes advantage of the Remote Authentication Dial-In User Service authentication protocol for transferring authentication requests between other back-end servers, such as those used for hardware-based token authentication, where specialized servers perform a user look-up and approval process and transfer the authentication information back through RADIUS.

The competition

Funk's Odyssey competes against Cisco's Secure Access Control Server, except that Cisco supports proprietary extensions to the Extensible Authentication Protocol (Cisco calls it Lightweight EAP), which results in the Cisco ACS only working with the Cisco wireless LAN equipment.

EAP is an IETF protocol defined in RFC 2284 that defines multiple authentication methods such as passwords, tokens, Kerberos and digital certifications. Other wireless LAN vendors also have variations on EAP. Cognizant of that, Funk is carving out a role for Odyssey by supporting authentication in a range of vendor wireless LANs and 802.11 client software.

"To begin with, Microsoft only supports 802.1X EAP in XP and you have to use Microsoft digital certificates for authentication," Ryan says. Some organizations might prefer passwords to certificates. And they also might want to extend wireless LAN authentication to users of older versions of Windows without 802.1X embedded in the software. For that reason, Funk is offering 802.1X client software, which doesn't require certificates, for XP, Win 2000, 98, Millennium Edition, and later in the year, CE.

No certificates

"We didn't want to go the certificate route," says Michael Franklin, network manager at Colby-Sawyer College in New London, N.H., which has been a beta-version customer for Odyssey for use with Enterasys Networks and Cisco wireless LANs on its campus.

"And I have multiple vendor wireless LAN access points, so I can't really use a proprietary approach," he adds.

Passwords grant a "reasonable level of security," says Franklin, noting Colby-Sawyer College will stick with one authentication type to start. Wireless LANs are "terrifying," Franklin says, "because they open new vulnerabilities that you have to address," such as the prospect of intruders joining a LAN without authorization and gaining access to the internal network if you don't authenticate them.

Funk is expected to add 802.1X security authentication support to its Steel-Belted Radius server line by June.