Gateway's 7000 service access points include all the security and authentication that an office of 5 to 25 users needs: Gateway released its two 7000 series models a few months ago, and they have received very little press. The unit comes in 802.11g ($299) and 802.11a/g ($399) configurations. It sports support for all the popular standards, including 802.1X passthrough, WPA-PSK, WDS (Wireless Distribution System), and others.
It even includes two separate wide-area-networking (WAN) interfaces: if you have a separately segmented guest wired network, you can physically connect the device through the guest interface to your public WAN and the private interface to your private WAN. The device can segregate all wireless traffic. It can also do this using Virtual LAN (VLAN) tagging by providing multiple SSIDs that are logically separate for guest and authorized users: the traffic is routed by your VLAN switch or system.
But the real winning feature in this unit is its built-in RADIUS server that supports both WEP and WPA over 802.1X using PEAP (Protected EAP). Because Windows XP and Mac OS X 10.3 both include PEAP, and it's possible to use PEAP affordably on other platforms including Linux and Solaris, PEAP is currently the broadest standard to support. Effectively, using a $299 or $399 device, you can have enterprise-level security without a separate RADIUS server or the administrative overhead. But it only supports a handful of users.
I was interested immediately in this built-in server aspect, and received a review unit some time ago, but was unable to get past some initial confusion in configuration. I started from scratch today, using the factory defaults reset button, and had no problems whatsoever with the same instructions, software, and firmware, so let's attribute my earlier issues to user error.
The device is extremely easy to configure. I followed the directions and powered up the unit, plugging my wired LAN into the LAN1 port. I ran the auto-configuration software that finds the access point. It assumes that you have a DHCP server running and this software handles the discovery of the 7000 series IP address. You click a link in the software to open a browser and enter the default passwords to connect.
Once connected, there's very little to configure for an ordinary network. I went to the User Management section and created an account for myself. I then clicked on the Security tab under the Advanced section and selected WPA with RADIUS from the Security Mode menu. By default, the settings are for TKIP as a cipher suite and Built-in as the Authentication Server. However, you can set it to AES (CCMP) and an external RADIUS server here as well. (The IEEE 802.1X option in security mode is really 802.1X plus WEP instead of 802.1X plus WPA.)
For a lower bar, the device can handle non-WPA 802.1X clients if you check a box. This allows WEP to be used for those clients, but this compromises the security of that session, of course.
Once I clicked update, I switched to my Mac running OS X 10.3.4, which includes robust EAP type support. I ran Internet Connect, selected a new 802.1X connection, confirmed in settings that it would only accept PEAP, EAP-TTLS, and LEAP, and clicked Connect. I was asked to accept a certificate from Instant802 Networks. I did, and the device immediately authenticated via PEAP.
I switched to Windows XP, expecting a potentially more complicated process--I wasn't disappointed. I chose View Available Wireless Networks from the System Tray's icon for my wireless adapter. When I selected my Gateway network in the menu, it grayed out the Network Key options and left Enable IEEE 802.1X Authentication for This Network checked. I clicked Connect. Nothing happened.
I chose View Available Wireless Networks again, and clicked the Advanced button. I selected the Gateway network from the lower half of the screen under Preferred Networks and clicked Properties. I was now able to click the Authentication tab in the Properties dialog box and choose Protected EAP (PEAP) from the EAP type menu. If my Gateway user name and password had been the same as my Windows logon, I could have avoided a later step.
I clicked the Properties button beneath the EAP type menu. At the top of the screen, I unchecked Validate Server Certificate -- this step is critical because the certificate used in the PEAP transaction is unsigned as you are out of band when you make the connection.
At the bottom of the Protected EAP Properties dialog box, I selected the Configure button next to the Select Authentication Method popup menu (which was preset to the correct value: EAP-MSCHAP v2, which Gateway's devices support). I unchecked Automatically Use My Windows Logon Name and Password in the dialog box that appeared, and clicked OK, OK, OK, OK. (A colleague calls this the Joe Pesci maneuver.)
After a few moments, a popup balloon appeared above the wireless icon in the System Tray reading, "Click here to select a certificate or other credentials for connection to the network Gateway Greenwood." I clicked and was presented with an Enter Credentials dialog box. I entered my user name and password, but no domain as my Windows network does not have one.
The first time through, I had difficulties because I'd failed to uncheck Validate Server Certificate. After some excellent feedback from the folks at Instant802 Networks, I was able to connect and authenticate just fine.
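For a Linux client, the same PEAP and EAP-MSCHAPv2 settings can be written as a wpa_supplicant network block, and the access point's certificate can be pinned by its SHA-256 hash instead of switching server validation off. This is an added example, not part of the original review or Gateway's documentation; the identity, password and certificate hash are placeholders, and it assumes the access point's certificate fingerprint has been obtained over a trusted path such as the wired LAN.

```conf
# Constructed example for wpa_supplicant.conf. Values in CAPS are placeholders.
# Mirrors the review's AP settings: WPA with RADIUS, TKIP, PEAP + EAP-MSCHAPv2.

# Weak form, the equivalent of unchecking "Validate Server Certificate":
# no ca_cert is set, so the client accepts any server certificate and runs
# the MSCHAPv2 exchange with whichever access point answers for this SSID.
#network={
#    ssid="Gateway Greenwood"
#    proto=WPA
#    key_mgmt=WPA-EAP
#    pairwise=TKIP
#    group=TKIP
#    eap=PEAP
#    identity="USERNAME"
#    password="PASSWORD"
#    phase2="auth=MSCHAPV2"
#}

# Hardened form: pin the access point's own certificate. With the hash://
# form, wpa_supplicant ignores the CA chain and accepts only a server
# certificate whose DER encoding has this SHA-256 hash, which suits a
# certificate that no public CA has signed.
network={
    ssid="Gateway Greenwood"
    proto=WPA
    key_mgmt=WPA-EAP
    # Use CCMP on both lines if the AP is set to AES (CCMP) instead of TKIP.
    pairwise=TKIP
    group=TKIP
    eap=PEAP
    identity="USERNAME"
    password="PASSWORD"
    phase2="auth=MSCHAPV2"
    ca_cert="hash://server/sha256/SHA256_HEX_OF_DER_CERTIFICATE"
}
```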
I highly recommend the Gateway 7000 series. Any small office hoping to avoid security woes and wanting to bypass the issues of using a single, preshared WPA key can spend a very small amount of money for robust peace of mind.