This short primer will provide a few guidelines to consider when choosing an Extensible Authentication Protocol (EAP) method, one element of the authentication component of your Wi-Fi security plan.
Each EAP type can be used with different operating systems and back-end user databases, and each uses different types of user logins and credentials. This list is intended to help explain some of the basic traits of the most common EAP methods so you can consider them in the context of your own environment:
- EAP-TLS (Transport Layer Security)
If you are already running a public-key infrastructure (PKI), you can further leverage your investment using this method, because EAP-TLS requires both user and server digital certificates. It supports strong mutual authentication that eliminates the possibility of a dictionary attack on a password.
- EAP-TTLS (Tunneled Transport Layer Security)
This EAP method eliminates the client-side certificates. It's intended for organisations that cannot enforce a strong password policy, but want to avoid the management complexity of client-side digital certificates. Instead, EAP-TTLS passes user credentials through an encrypted tunnel. EAP-TTLS is actually required in organisations that wish to retain a non-EAP RADIUS infrastructure, such as those running Microsoft Active Directory. Such enterprises must front-end the RADIUS server with a TTLS server, which will convert EAP requests to legacy authentication methods.
- PEAP (Protected EAP)
PEAP is very similar to EAP-TTLS, above. The main difference is that PEAP supports just Windows XP and 2000 operating systems natively, while TTLS supports many more (including several Microsoft handheld platforms) natively.
Not generally recommended for wireless networks, because it does not support mutual authentication. This means that it verifies the client to the network, but not the network access point to the client. Thus, a client could unwittingly associate with a faux AP. However, EAP-MD5 can be used as the client authentication algorithm within the tunnel in TTLS and PEAP.
- LEAP (a.k.a., Cisco-EAP Wireless)
For use in homogeneous environments where only Cisco access points are deployed. LEAP supports mutual authentication and passwords, but is somewhat prone to offline dictionary attacks.
Other emerging EAP types to put on your radar screen:
EAP-FAST, EAP-GTC (General Token Card), EAP-SIM, EAP-AKA (Authentication and Key Agreement). The last two are intended for cellular devices and will become important as dual-mode Wi-Fi/cellular handsets become available.