If I implement 802.1X on my Ethernet switch ports, do I still have to worry about rogue access points?

Rogue access points are like cockroaches; they're everywhere, they're impossible to get rid of, and once you declare war on them, you better be in it for the long haul. You can slice 'em and dice 'em and they just keep on coming. They are a cheaply-implemented problem with diverse, complex, and often expensive solutions. Administrators now have the tools to identify, locate, mitigate, and relocate (onto eBay of course) rogue access points of all kinds. "There must be a better way!" you exclaim. Sure there is, but it's not foolproof.

802.1X is a standard that addresses port-based authentication. If you have worked in the enterprise wireless market for a while, this standard is likely quite familiar to you - usually accompanied by EAP-something. 802.1X is the framework used by various types of Extensible Authentication Protocol (EAP) to control the process of a network user authenticating to a network infrastructure. Various 802.1X/EAP types are used in 802.11 WLANs due to their low overhead, ease of use, and support for data encryption. 802.1X is also used by Ethernet switches to authenticate wired station users, and in fact predated 802.1X use in wireless networks.

When rogue access points are connected to unsecured Ethernet ports, they have connectivity into the VLAN the port is assigned to. By using 802.1X to control use of the Ethernet port, any device connected to the port will have to successfully authenticate itself to a user database (like RADIUS) in order to bring the port into a forwarding state. Even if an intruder has an access point capable of performing such an authentication (which is especially uncommon in SOHO models), they will need legitimate credentials before such an authentication will be successful.

It's not as simple as that

At face value this solution seems foolproof, but there are other common problems with rogue APs. One such problem is a hijacking attack from a software-based rogue access point that isn't connected to your network infrastructure. This attack is against a mobile computer rather than against a network infrastructure. Also, intruders know that the chance of authorised access points being connected to an 802.1X-enabled port is slim, so they might try to replace one of your access points with a rogue if your authorised access point isn't physically secured.

While implementing 802.1X on your Ethernet infrastructure can be a great idea if you are willing to take on the administrative overhead, it can often cause problems with desktop operating systems. Ethernet frames do not support data encryption (802.1X is an authentication mechanism only), and a wireless intrusion prevention system (WIPS) is still necessary to identify, locate, and mitigate rogue APs.

Devin Akin is CTO of CWNP, the industry standard for wireless LAN training and certification, as well as an editorial board member of the WVE.