The 802.11 WLAN protocol as Windows XP ships it is not very secure, and by itself there is little you can do about that. Fortunately, the IEEE (together with Microsoft, Cisco, and other industry-leading companies) has identified the 802.11 flaws; as a result, the IEEE 802.1x standard provides a much stronger set of authentication and security mechanisms for both wireless local area networks (WLANs) and ordinary wired LANs. You can deploy 802.1x with a combination of Windows 2000 or Windows Server 2003 domain controllers and Windows XP clients.
How 802.1x works
802.1x implements port-based access control. In a WLAN, a port is the association between an access point (AP) and a workstation. 802.1x defines two types of port: uncontrolled and controlled. The controlled port is what you are used to today: once it is open, it lets the connected device talk to any other device on the network. The uncontrolled port, by contrast, only passes authentication traffic between the connected device and the authenticator. You can probably see where this is going: 802.1x lets every client reach the uncontrolled port, but that port forwards traffic only to the authentication server. Once the client has been authenticated, the controlled port is opened and the client can use the network normally. The trick in 802.1x is that the uncontrolled and controlled ports are logical entities that coexist on the same physical network port.
For authentication, 802.1x further defines two roles for network devices: supplicant and authenticator. The supplicant is the device requesting access to network resources (for example, a laptop with an 802.11b network card). The authenticator is the device that verifies the supplicant's credentials and decides whether to grant access. A wireless AP can do the checking itself, but it is far more flexible to use the industry-standard Remote Authentication Dial-In User Service (RADIUS) protocol, for which Windows 2000 includes a server: the AP receives the authentication request and forwards it to the RADIUS server, which authenticates the user against Active Directory.
802.1x does not use Wired Equivalent Privacy (WEP) for authentication; instead it uses the industry-standard Extensible Authentication Protocol (EAP) or its newer variant, Protected EAP (PEAP). Both have the same key advantage: the authentication method itself is pluggable. By default, Windows XP uses EAP-TLS (EAP-Transport Layer Security), in which the client and server authenticate each other with certificates inside a TLS handshake (very similar to SSL); PEAP instead sets up a TLS tunnel first and runs the inner authentication method protected inside it. The whole authentication process looks like this:
1. The wireless workstation associates with the AP and can communicate only through the uncontrolled port (because it is not yet authenticated, the controlled port is closed to it). The AP sends the workstation an identity request in clear text.
2. In response, the workstation provides its own identification.
3. The AP forwards the workstation's identity information to the RADIUS server over the wired LAN.
4. The RADIUS server looks up the account to determine which credentials are required (for example, you may have configured the RADIUS server to accept only digital certificates). It turns this into a credential request, which the AP relays to the workstation.
5. The workstation sends its credentials through the AP's uncontrolled port.
6. The RADIUS server verifies the credentials; if they check out, it returns an accept message to the AP together with a session key. The key is encrypted with the shared secret that the AP and the RADIUS server hold, so only the AP can decrypt it.
7. The AP decrypts the key, opens the controlled port, and uses the key as the workstation's per-station key. It then sends the workstation the global (broadcast) key, encrypted with that per-station key.
Periodically, the AP generates a new global key and sends it to the clients. This solves the problem of the long-lived static keys in plain 802.11, which an attacker can recover given enough captured traffic.
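The following is an added example, not code from the original article, that models the exchange in steps 1 to 7 above with real EAPOL and EAP framing (IEEE 802.1X and RFC 3748). The AP, the RADIUS server and the workstation are simplified in-memory objects, and the account data is constructed. EAP-MD5 (RFC 3748 section 5.4) stands in for the credential step because it fits in a few lines; real WLAN deployments use EAP-TLS or PEAP, which unlike EAP-MD5 also derive keying material, so the session key handed back by the RADIUS stub here is a stand-in for that step rather than something EAP-MD5 produces.

```python
"""802.1x port gating and EAP exchange, modelled in memory (added example)."""
import hashlib
import os
import struct

EAPOL_ETHERTYPE = 0x888E            # the only traffic the uncontrolled port carries
EAPOL_EAP_PACKET = 0                # EAPOL packet type for a frame that holds EAP
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY, EAP_TYPE_MD5 = 1, 4


def eap(code, ident, eap_type=None, data=b""):
    """EAP packet: Code(1) Identifier(1) Length(2) [Type(1) Type-Data]."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def eapol(eap_pkt):
    """EAPOL header: Version(1) Type(1) Length(2), followed by the EAP packet."""
    return struct.pack("!BBH", 1, EAPOL_EAP_PACKET, len(eap_pkt)) + eap_pkt


def parse(frame):
    """Return (code, identifier, type or None, type-data) from an EAPOL frame."""
    _, ptype, length = struct.unpack("!BBH", frame[:4])
    if ptype != EAPOL_EAP_PACKET:
        raise ValueError("not an EAPOL EAP-Packet")
    pkt = frame[4:4 + length]
    code, ident, plen = struct.unpack("!BBH", pkt[:4])
    if plen != len(pkt):
        raise ValueError("EAP length mismatch")
    if code in (EAP_SUCCESS, EAP_FAILURE):        # Success/Failure carry no type
        return code, ident, None, b""
    return code, ident, pkt[4], pkt[5:]


def md5_response(ident, password, challenge):
    """EAP-MD5 response value: MD5(Identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


class RadiusStub:
    """Stand-in for the RADIUS/IAS server: holds accounts, challenges, verifies."""

    def __init__(self, accounts):
        self.accounts = accounts          # identity -> password (constructed data)
        self.identity = None
        self.challenge = None

    def on_identity(self, ident, identity):
        """Step 4: decide what credential is needed and ask for it."""
        self.identity = identity
        self.challenge = os.urandom(16)
        return eap(EAP_REQUEST, ident + 1, EAP_TYPE_MD5, bytes([16]) + self.challenge)

    def on_credential(self, ident, value):
        """Step 6: verify; on success hand back Success plus a stand-in session key."""
        pw = self.accounts.get(self.identity)
        if pw is not None and value == md5_response(ident, pw, self.challenge):
            return eap(EAP_SUCCESS, ident), os.urandom(32)
        return eap(EAP_FAILURE, ident), None


class AccessPoint:
    """Authenticator: uncontrolled and controlled port on one association."""

    def __init__(self, radius):
        self.radius = radius
        self.authorized = False           # controlled port stays closed until Success
        self.session_key = None

    def start(self):
        """Step 1: clear-text identity request to the new station."""
        return eapol(eap(EAP_REQUEST, 1, EAP_TYPE_IDENTITY))

    def receive(self, ethertype, payload):
        if ethertype != EAPOL_ETHERTYPE:
            # Data traffic belongs to the controlled port: dropped unless authorized.
            return payload if self.authorized else None
        code, ident, etype, data = parse(payload)   # uncontrolled port: EAP only
        if code != EAP_RESPONSE:
            return None
        if etype == EAP_TYPE_IDENTITY:              # steps 2-4, relayed to RADIUS
            return eapol(self.radius.on_identity(ident, data))
        if etype == EAP_TYPE_MD5:                   # steps 5-7
            result, key = self.radius.on_credential(ident, data[1:1 + data[0]])
            if key is not None:
                self.authorized, self.session_key = True, key
            return eapol(result)
        return None


def run_exchange(identity, password, accounts):
    """Drive one workstation through the exchange; return (authenticated, data_passed)."""
    ap = AccessPoint(RadiusStub(accounts))
    before = ap.receive(0x0800, b"IP packet sent before authentication")   # dropped
    _, ident, _, _ = parse(ap.start())
    reply = ap.receive(EAPOL_ETHERTYPE,
                       eapol(eap(EAP_RESPONSE, ident, EAP_TYPE_IDENTITY, identity)))
    _, ident, etype, data = parse(reply)
    challenge = data[1:1 + data[0]]
    value = md5_response(ident, password, challenge)
    final = ap.receive(EAPOL_ETHERTYPE,
                       eapol(eap(EAP_RESPONSE, ident, EAP_TYPE_MD5, bytes([16]) + value)))
    code, _, _, _ = parse(final)
    after = ap.receive(0x0800, b"IP packet sent after authentication")
    return before is None and code == EAP_SUCCESS, after is not None
```

Running `run_exchange(b"alice", b"secret", {b"alice": b"secret"})` shows both properties the article describes: the IP packet sent before authentication is dropped because only EAPOL passes the uncontrolled port, and the same kind of packet is forwarded once the RADIUS stub has returned Success and the controlled port is open. A wrong password yields Failure and the port stays closed.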
Configuring 802.1x on the client
Configuring the 802.1x client in Windows XP is straightforward; here are the basic steps.
1. Open the Network Connections folder, right-click the connection you want to use with 802.1x, and choose Properties.
2. Switch to the Wireless Networks tab and select the WLAN you want to use 802.1x with. Click Configure.
3. In the Wireless Network Properties dialog, switch to the Authentication tab.
4. Make sure the "Enable IEEE 802.1x authentication for this network" checkbox is selected and choose the appropriate EAP type. Enterprise networks typically use EAP-TLS with smart cards or locally stored certificates; small networks can use PEAP (only if Windows XP Service Pack 1 is installed).
Deploying 802.1x for small networks
If you run a small network, you might think 802.1x is too esoteric to bother with. The good news is that you can deploy it without a full public key infrastructure and without a great deal of work. In short, you configure your Windows XP SP1 or later clients to use PEAP, and you set up at least one computer running Windows Internet Authentication Service (IAS), which provides the RADIUS server. Each IAS server needs a digital certificate, either issued by your own certification authority (CA) or purchased from a third-party CA. That is really all there is to it; of course you have to install IAS first, but the process is simple.
Deploying 802.1x for Large Enterprises
If you run a Windows 2000 network with at least one domain controller, you can build a more flexible 802.1x infrastructure that takes advantage of Active Directory and the remote access policies in Windows 2000. The first step is to obtain digital certificates for your clients. Fortunately, this is easy: create a Group Policy that automatically enrolls computer certificates for the machines in the domain. After that, deploy the rest of the required infrastructure (including IAS) and configure your wireless APs to talk to the IAS server over RADIUS. Then your WLAN traffic is authenticated and protected.