Microsoft has been accused of holding up implementation of wireless LAN security - but other observers claim it is leading the way.

The 802.11i security specification has been complete for two years, but Microsoft has taken until now to fully support the WPA2 brand, based on 802.11i, according to an article in eWeek, in which Andrew Garcia comments, "when all is said and done, companies will have waited almost three years to be able to adopt the strongest levels of wireless security for Microsoft wares without needing to investigate a third-party supplicant."

But slow or not, this is better than other operating systems, argues George Ou at ZDnet: "Even today, no other platform such as Linux or Mac OS has any native ability to globally manage wireless clients," says Ou, "nor do they have the native ability to centrally manage the PKI requirements needed to enable strong authentication."

Microsoft added WPA2 into clients last summer, with an optional patch for Windows XP Service Pack 2, and has promised to add it to the eventual Longhorn Server, and to Service Pack 2 for Windows 2003.

The 802.11i security specification was ratified two years ago, and the Wi-Fi Alliance quickly began to certify parts of it in the WPA2 branding programme.

"[Microsoft] sits on the board of the Wi-Fi Alliance, and yet has seemed relatively indifferent to corporate and government interests in having the strongest form of Wi-Fi link layer security available across its platforms and management systems," said Glenn Fleishman of blog Wi-Fi Net News.

The XP patch lets users have AES encryption and 802.1X authentication, but they have not been able to manage these features through Microsoft's Group Policy tool - they have had to stick with the weaker WPA or WEP security, says Garcia.

Even the implementation in the latest beta of Longhorn Server is still lacking, according to Garcia. It supports EAP-TLS and PEAP, Microsoft's preferred version of the Extensible Authentication Protocol, but does not support others approved by the Wi-Fi Alliance, such as EAP-TTLS, PEAP/EAP-GTC or EAP-SIM.

"Since most clients and servers now support most secured EAP methods, it’s a little silly for Microsoft to stick to one option," says Fleishman. "There’s no advantage for them, and it restricts customer choice."

But Ou reckons EAP-TLS and PEAP are plenty. Most people haven't even heard of, and don't care about, "obscure" EAP protocols like EAP-SIM and GTC, he says. He also points out other useful features for corporates: Windows XP with the WPA2 patch can connect to the wireless network and get updates and patches before the user is logged in, thanks to "wireless machine login," which no other OS has, says Ou.