I'm using PEAP in a Microsoft-centric environment as an authentication method for my wireless LAN. What steps should I use to secure my deployment?

PEAP is a common authentication option for wireless networks, and is widely adopted by Microsoft-centric organisations due to native client support in Windows XP and Vista. PEAP can be a strong authentication choice for wireless LAN environments, if organisations follow a few steps to ensure the integrity of the deployment.

Disable unused EAP types on the RADIUS server

If your organisation uses PEAP as its sole authentication mechanism, configure the RADIUS server so that PEAP is the only permitted EAP type (in Microsoft-centric environments this is typically PEAP carrying EAP-MSCHAPv2 as the inner method). Leaving unused types enabled gives a misconfigured client a weaker method to fall back to.

Use a trusted certificate for authentication

The RADIUS server must present a digital certificate signed by a certificate authority (CA) that the clients trust; either a private (enterprise) CA or a public CA will do. If a private CA is used, its root certificate must be distributed to every client, for example through Group Policy.

Validate the server certificate on all clients

All PEAP clients must validate the server certificate before they authenticate. Without validation, a rogue access point backed by an attacker's RADIUS server can terminate the PEAP TLS tunnel itself and observe the inner credential exchange, defeating the protection PEAP is meant to provide.

Identify the issuing certificate authority on clients

By default, the Windows XP client trusts every root certificate authority in its certificate store, so a server certificate issued by any of them would be accepted. In the PEAP properties, tick only the certificate authority that issued the RADIUS server certificate in the Trusted Root Certification Authorities list.

Identify the authentication server hostname on clients

By default, the Windows XP PEAP supplicant will accept any certificate issued by a trusted CA, allowing an attacker who obtains a certificate from that same CA to impersonate the legitimate RADIUS server. To mitigate this, configure the PEAP supplicant to identify the authorised RADIUS servers by selecting the "Connect to these servers" option and supplying the server name that matches the subject name on the server certificate.

While configuring or reconfiguring a large number of clients to meet these recommendations can be a daunting task, organisations using Windows Group Policy Objects (GPOs) can automate the application of these settings. Using the Group Policy Object Editor, add a policy under the Wireless Network (IEEE 802.11) Policies node, identifying the corporate SSID as a PEAP network with the recommended configuration settings.

PEAP can be a secure authentication choice for wireless networks, provided it is deployed consistently with these recommended settings. Failure to deploy PEAP as described could leave organisations open to attack.

Joshua Wright is the senior security researcher for Aruba Networks, and the author of the SANS Institute 'Assessing and Securing Wireless Networks' course. This article appeared in Network World.