> I heard that if you use 802.1x users will need to enable that feature in their machines.
True, if you do not have a domain. They'll need to select either WPA or WPA2 in XP. Then they'll need to select TKIP or AES as the encryption type (Windows no longer allows choosing WEP as the encryption type for 802.1x authentication), and on the Authentication tab select PEAP instead of Smart Card/Certificate if you'll be using name/password authentication via the IAS RADIUS server. In Vista/Win7 they need to connect manually the first time, selecting WPA-Enterprise or WPA2-Enterprise. Some 3rd-party connection managers call the authentication type WPA-Enterprise/WPA2-Enterprise, and some designate that authentication type as 802.1x, which is the IEEE specification.
False, if you have a domain. When they join the domain you can push a Group Policy object that configures those settings, assuming they're using Windows. There are packages that provide Group Policy-type control over POSIX and Mac platforms, but I believe you have to install that program/control on those clients. That requires an initial connection to the domain to push the policy, though... but that doesn't need to be wireless - there could be a location where the new clients could plug in their laptops to join them to the domain (and install the domain control software on non-Windows machines), then wireless via 802.1x could be user-setup free.
> However if you use web-based authentication they will not need to do any configuration.
> Is that true?
Well, they'll still need to open the View Available Wireless Networks dialog, select your network's SSID and click Connect... then click Yes/OK on the warning prompt that they're connecting to an unsecured network in XP. I have not connected to an unsecured connection with Vista or Win7, so I'm not sure what type of warning[s] those throw under that condition. But that warning might make some new users NOT connect when they should.
> Which solution would be more secure for the above requirement?
> 802.1x or web-based? or any mixture of both if possible?
Well, there is only one solution that meets your requirement (for non-domain members), and that's the web-based authentication. Technically, the web-based one IS a mixture of both, since it would use the same IAS/RADIUS database that 802.1x does... it's just using a different interface to validate the user credentials.
The way it usually works is, you set up a proxy server, then have your DHCP server for the wireless give the proxy server's IP as their gateway. As soon as they open a browser window they go straight to the proxy server, which then establishes an SSL (https) session for the login, and the login page is all that will display until the client's credentials are validated by the RADIUS server. Once they're validated, the proxy server lets them go to any (unblocked) address.
That's how ATT does it with their Wayport network that McDonalds, Starbucks, Barnes & Noble, et al (e.g. most airports with wireless) all use. BlueSocket employs the same method, but with proprietary hardware.
Typically you'll want your wireless AP/router to keep the wireless clients from seeing (and connecting to) each other... then if you WANT them to see and talk to each other, allow it through the proxy, just not directly through the wireless station.
After authentication, SSL is usually up to the client... if they do not go to SSL web sites, there is no encryption to secure the data sent over the air (i.e. your data, if they're on your network... so, if it's for local access you should ensure the connection is served up via https just for the encryption).
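The captive-portal flow the reply describes (unauthenticated browser traffic is redirected to an https login page, credentials are checked against the RADIUS backend, and only then is the client allowed through; peers may only talk to each other via the gateway) as an added example of the decision logic such a gateway runs. This is not code from the post or from any of the products it names. The RADIUS check is simulated with a constructed in-memory user table (a real deployment would send an Access-Request to IAS/RADIUS), and the portal hostname, session lifetime and sample client addresses are assumptions for illustration.

```python
"""Decision engine for a web-authentication (captive portal) gateway.

Added example, not from the original post. RADIUS is simulated: the
``_FAKE_RADIUS_USERS`` table below is constructed test data standing in for
the IAS/RADIUS user database. Hostnames and addresses are assumptions.
"""
from dataclasses import dataclass, field
import hmac
import time
from urllib.parse import urlencode

PORTAL_HOST = "portal.example.internal"   # assumed name of the login server
SESSION_TTL = 8 * 3600                    # assumed session lifetime (seconds)

# Constructed stand-in for the RADIUS user store.
_FAKE_RADIUS_USERS = {"alice": "correct horse battery staple"}


def radius_authenticate(username: str, password: str) -> bool:
    """Stand-in for a RADIUS Access-Request; constant-time password compare."""
    stored = _FAKE_RADIUS_USERS.get(username, "")
    ok = hmac.compare_digest(stored.encode(), password.encode())
    return ok and username in _FAKE_RADIUS_USERS


@dataclass
class Request:
    client_ip: str
    method: str
    scheme: str          # "http" or "https"
    host: str
    path: str
    form: dict = field(default_factory=dict)


@dataclass
class Decision:
    action: str          # "redirect", "login_page", "forward" or "reject"
    status: int
    location: str = ""


class CaptivePortal:
    def __init__(self, now=time.time):
        self._now = now
        self._sessions = {}              # client_ip -> (username, expiry)

    def is_authenticated(self, ip: str) -> bool:
        sess = self._sessions.get(ip)
        if sess is None:
            return False
        if sess[1] <= self._now():       # expired: drop it and re-challenge
            del self._sessions[ip]
            return False
        return True

    def handle(self, req: Request) -> Decision:
        """Every request from the wireless side passes through here."""
        if req.host == PORTAL_HOST:
            return self._portal(req)
        if self.is_authenticated(req.client_ip):
            return Decision("forward", 200)   # validated: pass it upstream
        # Not validated yet: whatever they asked for, they get the login page,
        # and only over https so the credentials are encrypted over the air.
        wanted = f"{req.scheme}://{req.host}{req.path}"
        target = f"https://{PORTAL_HOST}/login?" + urlencode({"next": wanted})
        return Decision("redirect", 302, target)

    def _portal(self, req: Request) -> Decision:
        if req.scheme != "https":        # never serve the login form in clear
            return Decision("redirect", 302, f"https://{PORTAL_HOST}{req.path}")
        if req.method == "GET":
            return Decision("login_page", 200)
        if req.method == "POST" and req.path == "/login":
            user = req.form.get("username", "")
            pw = req.form.get("password", "")
            if not radius_authenticate(user, pw):
                return Decision("login_page", 401)
            self._sessions[req.client_ip] = (user, self._now() + SESSION_TTL)
            nxt = req.form.get("next", "")
            # Only bounce back to a web URL; anything else is an open redirect.
            if not nxt.startswith(("http://", "https://")):
                nxt = f"https://{PORTAL_HOST}/welcome"
            return Decision("redirect", 302, nxt)
        return Decision("reject", 405)

    def permit_client_to_client(self, src_ip: str, dst_ip: str) -> bool:
        """Peer traffic is never switched on the radio; via the gateway it is
        allowed only when both ends have already authenticated."""
        return self.is_authenticated(src_ip) and self.is_authenticated(dst_ip)
```

Two points the reply makes are visible in the code: the login form is only ever offered over https, and peer-to-peer forwarding is a decision the gateway makes rather than something the access point does. Both are policy choices of this example, not a description of any particular vendor's product.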