Wi-Fi Security: Which Protocol Is Best For You?
Extensible Authentication Protocol (EAP) is at the heart of any enterprise WLAN security strategy. But which type of EAP is best for your shop?
Microsoft Shops
If you work in a Microsoft-centric environment and you store your passwords in a Microsoft directory such as Windows NT Domains or Active Directory, then PEAPv0/EAP-MSCHAPv2 is the best solution.
A supplicant is built into current versions of Windows (as well as Mac OS X 10.3 and up!). Some kind of server certificate needs to be accepted or configured as trusted by the client, but if a third-party Certificate Authority (CA) such as VeriSign has signed it, nothing needs to be done on the client. If you plan on signing your own certificate, you'll need to distribute your organization's private CA's server certificate. Group policies make the control and deployment of wireless settings extremely easy.
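The server-certificate trust settings described above can be checked before a wireless profile is deployed. The following is an added example, not code from the original article: it audits the PEAP section of a Windows wireless profile for missing server validation. The element names are assumed to follow the Windows PEAP profile schema, and the sample fragments, server name and CA thumbprint are constructed.

```python
import xml.etree.ElementTree as ET

NS = "http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1"

def sample_profile(validate, prompt_disabled, names, root_ca):
    """Build a constructed PEAP settings fragment (not a real exported profile)."""
    return (f'<EapType xmlns="{NS}"><ServerValidation>'
            f'<DisableUserPromptForServerValidation>{prompt_disabled}'
            f'</DisableUserPromptForServerValidation>'
            f'<ServerNames>{names}</ServerNames>'
            f'<TrustedRootCA>{root_ca}</TrustedRootCA></ServerValidation>'
            f'<PerformServerValidation>{validate}</PerformServerValidation>'
            f'</EapType>')

def audit_peap_profile(xml_text):
    """Return findings about how the client validates the RADIUS server certificate."""
    values = {}
    for el in ET.fromstring(xml_text).iter():
        # Strip the namespace so the check does not depend on the schema version.
        name = el.tag.rsplit("}", 1)[-1]
        values.setdefault(name, []).append((el.text or "").strip().lower())
    if "ServerValidation" not in values:
        return ["no ServerValidation section: server certificate is not checked"]
    findings = []
    if "false" in values.get("PerformServerValidation", []):
        findings.append("PerformServerValidation is false")
    if not any(values.get("TrustedRootCA", [])):
        findings.append("no TrustedRootCA pinned: any trusted CA is accepted")
    if not any(values.get("ServerNames", [])):
        findings.append("no ServerNames restriction: any server name is accepted")
    if "true" not in values.get("DisableUserPromptForServerValidation", []):
        findings.append("users may be prompted to trust unknown servers")
    return findings

# Constructed inputs: a permissive profile and one pinned to a private CA.
WEAK = sample_profile("false", "false", "", "")
HARDENED = sample_profile("true", "true", "radius.example.com",
                          "00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 00 11 22 33")

if __name__ == "__main__":
    for label, profile in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_peap_profile(profile) or "OK")
```

A profile that passes this check pins both the issuing CA and the expected server name, which is what distributing your private CA's certificate through group policy is meant to achieve.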
Microsoft includes support for PEAPv0/EAP-MSCHAPv2 in its IAS (Internet Authentication Services), freely bundled with Windows 2003. That EAP type is also supported in Windows 2000's IAS server, but there are some limitations that might make implementation more challenging, if not impossible, depending on your environment.
EAP-TLS is supported, as well, through Microsoft's IAS and Certificate Server, but that EAP type requires client certificate distribution and management.
If the clients are part of the domain, you'll want to be sure that your RADIUS server can perform machine authentication, something that IAS, Cisco's Secure Access Control Server (ACS) and Funk Software's Steel-Belted RADIUS already support and that was very recently added to FreeRADIUS, an open-source solution.