2 quick reasons why 802.1X isn’t going away any time soon

by spettit 21. March 2009 08:08

802.1X has been around for 9 years now, yet it remains sparingly deployed in the wired network. Despite its poor market penetration on the wired network thus far, I believe 802.1X is nearing a time of widespread deployment. Here are two top-level reasons why it's way too early to give up on 802.1X, and why I think it will flourish.

 

1. Organizations genuinely need it 

The enterprise wired LAN is arguably the least secure access medium in the enterprise. VPN and WLAN have methods for authenticating users and encrypting traffic, but the wired LAN remains largely open. In addition, internal and external auditors are getting increasingly hip to asking questions like “how do you know what’s plugged into your network?” and “what happens when I leave this hub connected in this conference room?” Those questions are effectively answered by deploying 802.1X, even if it's only used for MAC authentication of enterprise assets.

Many large organizations have known they need 802.1X for years, but have been waiting for vendors to provide a more mature system.  This leads me to reason number two. 

 

2. Vendors still want to sell it 


Despite the fact that 802.1X itself is quite simple, there are numerous areas of complexity in 802.1X deployments that provide opportunities for companies to differentiate themselves. The more these features can be built into other products like switches and servers, well, you know the deal...

802.1X also uniquely creates ‘stickiness’ with other components of the IT system and allows vendors to position our beloved ‘solutions’ instead of ‘products’.  Here are a few quick examples:

  • Having a supplicant (client) that is tightly integrated with the authentication server and provides extensions such as NAC attributes
  • Guest Access products that allow guest/contractor provisioning as well as device provisioning that can also be integrated with the switches and/or authentication server
  • RADIUS accounting information that supports more robust troubleshooting and administration by providing detailed information from switches and RADIUS servers, which can be aggregated and summarized in a SIM product

Whichever vendor is the first to deliver a comprehensive 802.1X solution, inclusive of an 802.1X supplicant, switches capable of authenticating EAP and non-EAP endpoints, AAA, and management/administration, is going to win big; not just with client software, RADIUS and management servers, but with large network upgrades. The major vendors have all made 802.1X-centric acquisitions, including Cisco (Meetinghouse), Juniper (Funk Software), and Symantec (Sygate), and they’ve all completed the first phases of integration between these components and other peripheral systems or associated products. It will be fascinating to see how they all fare in the next 12-24 months.



About the author

Steve Pettit is the President of Great Bay Software and can be reached at spettit@greatbaysoftware.com