Businesses should use the Enterprise mode of Wi-Fi Protected Access (WPA or WPA2) encryption for their wireless connectivity, instead of the Personal or Pre-Shared Key (PSK) mode. The Enterprise mode uses 802.1X authentication. Wi-Fi users can log into the wireless network with usernames and passwords (or client certificates) instead of long static encryption keys.
The Enterprise mode offers more access control and provides better overall security. However, the downside is that it is much harder to configure. The administrator must set up a RADIUS server and configure the wireless controller and/or access points (APs) with the 802.1X authentication settings. Then end-users must configure their computer with the authentication settings -- this is where Quick1X comes in.
Administrators running a domain network with Active Directory can push wireless profiles (including 802.1X settings) with Group Policy to computers. However, this doesn't help if they aren't running a Windows Server, have Macs or Linux machines, or end-users are using their own computers and devices. For these instances, administrators can use a third-party solution to distribute and auto-configure the encryption and authentication settings -- Quick1X is one of these solutions.
What is Quick1X?
Quick1X is a solution offered by Avenda Systems. The company promises a simple and painless process of configuring end-user computers and iPhones for 802.1X authentication, for wireless and/or wired connectivity. It can also distribute encryption keys for the Personal (PSK) mode. As an added bonus, Quick1X integrates with Network Access Protection (NAP) functionality, a separate product called eTIPS. This way you can also ensure end-users meet certain health and security requirements before connecting.
Quick1X can work with the following supplicants or 802.1X clients:
- Windows native supplicant (XP SP3, Vista, Windows 7) with NAP support
- Linux WPA supplicant (currently in beta)
- Macintosh native supplicant (10.5, 10.6)
- iPhone 3.0+ native supplicant
- Cisco Secure Services Client
Quick1X supports the following EAP methods, but varies among the supplicant/OS:
- EAP-TLS (at this time, Quick1X doesn't help distribute client certificates)
The heart of Quick1X is the hosted website where administrators can input network settings and preferences, generate the client installation wizard, and download the deployment package. Administrators can include public or private Certificate Authority (CA) certificates within the wizard. They can also customize the user interface and even include third-party applications to be installed on end-user computers.
Administrators can upload the deployment package to a website. Administrators can simply tell end-users the URL or implement a separate captive portal solution on the network that stops unconfigured end-users and lets them download the configuration wizard. Administrators can also distribute the configuration wizard via other media, like on CDs or USB drives.
Once an end-user runs the configuration wizard, it asks for a few basic items and then automatically configures the computer or device with the settings specified by the administrators on the Quick1X site.
Configuring the network details
For a thorough review, I wanted to test the Quick1X product here in the office. I started by logging into the Quick1X Portal. The first page lists the networks. You can create multiple network profiles, each with their own settings.
As I later found out, all the networks will be on the single configuration wizard, where the end user can select the desired network. Depending upon your situation, this may be useful or just another setting end users will have to worry about. It would be nice to have an option to create wizards for individual networks too.
When you create a network you'll see the settings organized by the operating system (OS), such as Figure 1 shows. Before you input the network details, you should upload your Certificate Authority (CA) certificate and upload any applications you want to include with the wizard.
A quick note about uploading the CA certificate: Quick1X doesn't let you choose from the common CAs. If your RADIUS server's certificate was issued from a CA like Verisign or GoDaddy, you'll have to get their public certificate elsewhere and manually upload it. It would be nice if they let you choose from the popular CAs. However, if you self-signed your certificate, you'd have to manually upload anyway.
Most OSs have Common settings. For Windows, such as Figure 2 shows, you can choose the supplicant, enable NAP services, and select applications to include. If you know the credentials of a Windows Administrator account on the end-user computers, you can input them here in case the end-user doesn't have admin privileges.
All OSs have Wireless settings, such as Figure 3 shows. You can input the SSID and other general networking details. This is also where you input the 802.1X authentication settings for Wi-Fi connections.
The Windows OSs also include Wired settings, such as Figure 4 shows, which include the general network and 802.1X settings.
To customize the configuration wizard, you can go to the User Interface. There you can input a title for the wizard, company name to display, and logo to display. Plus you can input a Reset Password URL and Help Desk Contact URL, which are given to the end-users when they run into problems.
Throughout the configuration process, I noticed there are no on-screen tips or links to documentation. Some settings need to be explained. Avenda does have a Jumpstart Guide, but even it could be improved with more details on the settings.
Additionally, the navigation of the portal could be improved to highlight that the Applications, Certificates, and User Interface settings are global and apply to all networks.