Vendors will tell you that upgrading from the interim security standard Wi-Fi Protected Access to the fully baked 802.11i protocol will be fairly simple, straightforward and worth the effort. But analysts and end users warn that there are lots of wrinkles to an 802.11i upgrade, including the fact that you might have to buy new hardware. After analysing costs and other issues, some users have decided that WPA is good enough for now.

For the details of how 802.11i works, read our Wireless LAN security glossary, as well as our features on 802.11i, the steps to get there, and the issue of WLAN security.

At the very least, moving to 802.11i means managing firmware upgrades on both access points and clients. That's if you have relatively new hardware. If not, you'll have to swap out your old gear for new access points that can handle Advanced Encryption Standard (AES) encryption (read our explanation or AES and other encryption).

Plus, you'll need to install authentication servers and certificate-authority servers (if you don't already have one in place), and add a whole new protocol to the networks. That's because 802.11i manages the encryption part of wireless LAN security, but you also need authentication, which means implementing 802.1X, another relatively new protocol (read our coverage of 802.1X and authentication protocols).

"Anyone who tells you it's simple is not telling you the straight story," says Kenneth Dulaney, an analyst at Gartner. "You're adding two encryption methods and one authentication scheme. That's not simple."

WPA uses temporal key integration protocol (TKIP) encryption, while 802.11i uses AES. Because WPA is a subset of the fuller-featured 802.11i, WPA-enabled access points usually can support both encryption methods (WPA was set up by the Wi-Fi Alliance as a stepping stone to 802.11i).

"If you have first-generation access points, you've just inherited a doorstop," says Michael Disabato, networking service director at Burton Group. "That's not the worst thing in the world because there are numerous reasons you want the older stuff to go away if you can afford it. The receivers are better, they have better range. Lots of reasons."

Look before you LEAP
Interoperability is a potential land mine for users. Dulaney says that while 802.11i encryption protocols are fairly standard, the authentication methods in 802.1X aren't. "The 802.1X spec is not hard and fast, there are interpretations to be made," he says, which means each vendor's version could be slightly different from every other's.

Most vendors use the Extensible Authentication Protocol (EAP) to communicate port-access requests between the client and the access point. But EAP packets only carry the requests; the protocol doesn't include descriptions of how to manage the authentication itself. For that, you have to pick one of several EAP implementations, including Transport Layer Security (EAP-TLS) or EAP Tunneled Transport Layer Security (EAP-TTLS), any of which are acceptable under the 802.1X framework, but not all of which are interoperable (read our explanation of EAP types).
.

Cisco developed Lightweight Extensible Authentication Protocol (LEAP). But testers showed that LEAP could be cracked by a simple dictionary attack, so Cisco is replacing it with a new EAP-FAST (Flexible Authentication via Secure Tunneling).

Yet another twist comes from Microsoft, which developed a Protected EAP (PEAP) with help from Cisco and RSA Security. Unlike EAP-FAST, in which both client and server are issued keys before any communication takes place, PEAP relies on certificates that have to be generated by an authentication server. Microsoft ships PEAP in some versions of Windows XP, providing certificates using its Microsoft Challenge-Handshake Authentication Protocol (MS-CHAP) or Cisco's Generic Token Card certificate.

Almost any kind of certificate is allowed under 802.1X as is any authentication protocol, according to Shripati Acharya, director of product management in the wireless networking business unit at Cisco.

The bottom line, according to Dulaney: "Even if you do see 802.11i certification on a product, you probably won't be able to make every product work with every other product. You have to ask vendors what products they're certified for."

Certificates may be a worry
Finally, many end users shy away from using certificate-based systems of any kind, says Jeff Keenan, a principal at integrator Keenan Systems in Hartford, Connecticut. It's just too complicated to have a certificate server authenticated by an external authority so it can issue certificates, then keep the certificates on servers and mobile clients fully synchronized.

"I only work with two or three companies that have certificates, and at least one has a whole department to manage it. Other companies use RSA, hard tokens or other ways to get around issuing certificates," he says. "It's a big headache even once it's running."

Regulations could push you to 802.11i
But IT and security professionals realise that they could face even bigger headaches if they don't at some point upgrade to the most advanced wireless security standards.

Disabato says, "There's a lot of regulatory fear out there for people affected by the US HIPPA (Health Insurance Portability and Accountability Act) and Sarbanes-Oxley. People are nervous. If you get caught on something under Sarbanes-Oxley, and you have WPA2 running, you can at least say you did the best you could with the technology that was available."