Enterprise WLAN Authentication
Choosing an 802.1x type

It is important to choose an 802.1x type that is most compatible with the existing network. The available methods are LEAP, EAP, and PEAP. 802.1x itself does not specify which authentication types to use. The main considerations when choosing an authentication type are ease of integration and adequate security.

The figure lists the major elements to consider before deploying 802.1x-based security:

  • Choose a method that fits in with the existing network.
  • Choose a method that supports mutual authentication.
  • Review the security policy and find out what 802.1x types are compatible.

Finally, look at the clients to be protected and choose the best way to secure the existing equipment.

LEAP
LEAP provides a complete WLAN solution. LEAP should be used when a single logon to the Windows NT domain or Active Directory is required. Active Directory is an essential component of the Windows 2000 architecture and presents organizations with a directory service designed for distributed computing environments. Active Directory allows organizations to centrally manage and share information on network resources and users while acting as the central authority for network security. In addition to providing comprehensive directory services to a Windows environment, Active Directory is designed to be a consolidation point for isolating, migrating, centrally managing, and reducing the number of directories that companies require.

LEAP can also be used when dynamic WEP keys and mutual authentication are required. Remember that TKIP should be used to secure LEAP.

EAP-TLS
EAP-TLS should be used when digital certificates are needed for user identification. EAP-TLS is the best solution when an existing Public Key Infrastructure (PKI) is in place. PKI ensures that sensitive electronic communications are private and protected from tampering. It provides assurance of the identities of the participants in those transactions and prevents their later denial of participation in the transaction.

EAP-TLS can also be used to associate login with NT/2000 and Lightweight Directory Access Protocol (LDAP). LDAP allows users to take advantage of directory services to integrate Network Registrar client and lease information. By building on the existing standard schema for objects stored in LDAP directories, users can handle information about Dynamic Host Configuration Protocol (DHCP) client entries. Instead of maintaining client information in the DHCP server database, the Network Registrar DHCP server can be asked to query one or more LDAP servers for information in response to DHCP client requests.

PEAP
PEAP can be used when dynamic WEP keys and mutual authentication are required. Remember that TKIP should be used to secure PEAP.

PEAP can also be used to associate login with NT/2000, LDAP, Novell Directory Services (NDS), one-time password (OTP) servers, and Structured Query Language (SQL) database servers. When using PEAP, digital certificates are required only on the server side.
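The difference between the two certificate models above (client and server certificates for EAP-TLS, server certificate only for PEAP) shows up directly in the supplicant configuration. The following wpa_supplicant network blocks are an added example, not configuration from the original text or from any vendor; the SSID, identities, file paths, passwords and the RADIUS server name are constructed placeholders. In both blocks the server certificate is validated against a trusted CA and a name match, which is the check that keeps the client from completing 802.1x against a RADIUS server other than the organization's own.

```conf
# Added example: two wpa_supplicant network blocks illustrating the
# EAP-TLS and PEAP certificate models. All names and paths are placeholders.

# EAP-TLS: the client presents its own certificate and private key, so the
# organization needs a PKI that can issue and revoke per-device certificates.
network={
    ssid="corp-wlan"
    key_mgmt=WPA-EAP
    # WPA2/AES for the data path; add TKIP only where legacy equipment needs it
    pairwise=CCMP
    eap=TLS
    identity="device01@example.com"
    # trust anchor used to validate the RADIUS server's certificate
    ca_cert="/etc/cert/corp-ca.pem"
    client_cert="/etc/cert/device01.pem"
    private_key="/etc/cert/device01.key"
    private_key_passwd="PLACEHOLDER-KEY-PASSPHRASE"
    # the server certificate's subject must end with this domain
    domain_suffix_match="radius.example.com"
}

# PEAP: only the RADIUS server presents a certificate. The user's password
# (MS-CHAPv2 here) is sent inside the TLS tunnel, so server certificate
# validation is what prevents the credential from being handed to the wrong server.
network={
    ssid="corp-wlan"
    key_mgmt=WPA-EAP
    pairwise=CCMP
    eap=PEAP
    # outer identity seen in the clear; keeps the real username inside the tunnel
    anonymous_identity="anonymous@example.com"
    identity="alice@example.com"
    password="PLACEHOLDER-USER-PASSWORD"
    ca_cert="/etc/cert/corp-ca.pem"
    domain_suffix_match="radius.example.com"
    phase2="auth=MSCHAPV2"
}
```

Leaving out `ca_cert` or `domain_suffix_match` makes either block accept any server certificate, which removes the "mutual" part of mutual authentication; a review of supplicant profiles should treat those two lines as mandatory.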