This article one in a short series of primers on deploying wireless LAN security, will talk about using authentication to keep your WLAN secure.
WLAN security, as mentioned in recent articles, comprises several components working together to tackle different types of security threats. One component is strong authentication: making sure users are who they claim to be before they can access the network.
Start with the framework
To that end, the IEEE 802.1X protocol has become the standard authentication framework in enterprise-class WLANs. By "framework," I mean kind of a "handshaking model" among clients, access points and authentication databases for authenticating and controlling user traffic.
802.1X ties an IETF-standard protocol called Extensible Authentication Protocol (EAP) to the wireless (and wired) LAN and supports multiple authentication methods. The EAP methods (the exact procedure for authentication) bear acronyms such as EAP-TTLS and PEAP.
If this sounds complex, our two-part guide to setting up 802.1X in sixty minutes may convince you otherwise.
Choosing an EAP
To distinguish among these pieces, EAP is the transport method for carrying the authentication method (EAP-TTLS, PEAP). You choose the authentication method yourself - the one you think will work best in your environment, both from the point of view of security strength and management, to verify the authenticity of users (we have a brief guide to choosing an EAP). As for 802.1X and EAP protocols, Wi-Fi products marked as "WPA2-certified" or "802.11i-certified" by the Wi-Fi Alliance will support these components automatically.
The EAP method you choose must be supported in software both in your WLAN clients and in your RADIUS authentication server; if there isn't a match, the authentication process won't work.
Most Wi-Fi client software, also called "supplicant" software in Wi-Fi security vernacular, supports many different EAP methods, as do many available RADIUS authentication servers, giving you a range of choices. Still, if there isn't a match, find out if you can install your EAP method of choice onto the authentication server you are using or wish to deploy.
Legacy devices need special treatment
Note: When I say that "most client software" supports multiple EAP methods, I'm talking primarily about laptop supplicants. There are still many legacy data devices and voice handsets that are behind the times in their ability to support the latest Wi-Fi security.
It's a good idea to cluster all older or otherwise memory-challenged devices that can't support your primary security policy into a class (or classes) of their own, and create "best-you-can-do" security policies for these devices.