Selecting the appropriate Extensible Authentication Protocol (EAP) method for your wireless network is a pivotal security decision and often not an easy one.

Some EAP methods, such as Cisco LEAP and EAP-MD5, should never be used because of their inherent security flaws (LEAP's weakness was exposed in 2003, and guidance on migrating away from it and on the EAP-MD5 flaw is readily available).

Even after ruling those out, selecting among the secure EAP types, such as PEAPv0, PEAPv1, TTLS, and EAP/TLS, can be challenging.

The criteria for selecting an EAP type often come down to the supporting infrastructure that is already in place in your organisation.

Client EAP Support
Your primary client OS will play an important role when you select an EAP type. Client operating systems such as Windows XP come with integrated support for PEAP and EAP/TLS but do not natively support TTLS or EAP-SIM.

If you want to use one of these alternative EAP types you can use third-party supplicant software, but doing so prevents administrators from leveraging the strengths of Windows XP, such as group policy controls.

Authentication Server Support
Not all EAP types support the different authentication credentials used in enterprise networks. For example, PEAPv0 is limited to authenticating users with MS-CHAPv2, while EAP/TLS relies on client-side digital certificates for authentication.

TTLS is the most flexible in this regard, allowing organisations to use almost any kind of authentication credential inside the tunnel.

Which EAP method is best for your organisation? It depends on your primary motivators for wireless authentication. If security is your primary motivator, EAP/TLS is the most secure EAP mechanism, but it requires a PKI deployment for all end users.

If flexibility is your primary motivator, TTLS will accommodate nearly any authentication protocol, including one-time pads, token-based authentication, and popular password authentication mechanisms.

If simplicity of deployment is your primary motivator, PEAPv0 is the logical choice for Windows-centric networks with built-in support for clients and Windows Active Directory authentication sources.
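To make the credential requirements of the three choices concrete, here is an added example (not from the original article) of wpa_supplicant network blocks for a Linux client, one per EAP type; the SSID, certificate paths, identities, passwords and RADIUS server name are placeholders. Note that for the two tunnelled methods the server certificate check is what protects the user's password, so the `ca_cert` and `domain_suffix_match` lines are not optional.

```conf
# Placeholder values throughout: corp-wlan, example.com paths and names.

# EAP/TLS: mutual certificate authentication. Every client needs its own
# certificate and private key issued by the organisation's PKI.
network={
    ssid="corp-wlan"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="alice@example.com"
    ca_cert="/etc/ssl/certs/corp-root-ca.pem"
    client_cert="/etc/wpa/alice.crt"
    private_key="/etc/wpa/alice.key"
    private_key_passwd="placeholder"
    # Only accept a RADIUS server certificate for the expected host name.
    domain_suffix_match="radius.example.com"
}

# PEAPv0 with MS-CHAPv2 inside the TLS tunnel: the client needs only a user
# name and password (checked against Active Directory); the server is
# authenticated by its certificate.
network={
    ssid="corp-wlan"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase1="peapver=0"
    phase2="auth=MSCHAPV2"
    # Outer identity is sent in the clear; keep the real user name inside.
    anonymous_identity="anonymous@example.com"
    identity="alice@example.com"
    password="placeholder"
    ca_cert="/etc/ssl/certs/corp-root-ca.pem"
    domain_suffix_match="radius.example.com"
}

# TTLS: same tunnel idea, but the inner method can be almost anything.
# PAP inside the tunnel lets the server verify against any credential store,
# so the server certificate check above is the only thing shielding the
# clear-text inner password.
network={
    ssid="corp-wlan"
    key_mgmt=WPA-EAP
    eap=TTLS
    phase2="auth=PAP"
    anonymous_identity="anonymous@example.com"
    identity="alice@example.com"
    password="placeholder"
    ca_cert="/etc/ssl/certs/corp-root-ca.pem"
    domain_suffix_match="radius.example.com"
}
```

Only the EAP/TLS block requires the per-user certificate and key, which is the PKI cost the article refers to; the other two trade that for dependence on correct server validation.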

Carefully selecting an EAP type is an important part of your wireless strategy. Like many decisions in the IT industry, you need to choose among security, flexibility, and simplicity, depending on the requirements of your organisation.

Joshua Wright is a senior security architect for Aruba Networks and an editorial board member of the WVE. When he's not breaking wireless networks, he likes to work on his house, where he ends up breaking things of a different sort.
This article first appeared in Network World.