What is the best EAP type to use when setting up an enterprise WLAN?
Selecting the appropriate Extensible Authentication Protocol (EAP) method for your wireless network is a pivotal security decision and often not an easy one. While some EAP methods such as Cisco LEAP and EAP-MD5 should never be used due to their inherent security flaws, selecting among secure EAP types such as PEAPv0, PEAPv1, TTLS, and EAP/TLS can be challenging.
The criteria for selecting an EAP type often come down to the supporting infrastructure that is already in place in your organization.
Client EAP Support: Your primary client OS will play an important role when you select an EAP type. Client operating systems such as Windows XP come with integrated support for PEAP and EAP/TLS but do not natively support TTLS or EAP-SIM. If you want to use one of these alternate EAP types you can use third-party software, but this does not allow administrators to leverage the strengths of Windows XP, such as group policy controls.
Authentication Server Support: Not all EAP types support the different authentication credentials used in enterprise networks. For example, PEAPv0 is limited to authenticating users with MS-CHAPv2, while EAP/TLS relies on client-side digital certificates for authentication. TTLS is the most flexible in this regard, allowing users to leverage any number of authentication credentials.
Which EAP method is best for your organization? It depends on your primary motivators for wireless authentication. If security is your primary motivator, EAP/TLS is the most secure EAP mechanism, but it requires a PKI deployment for all end users. If flexibility is your primary motivator, TTLS will accommodate nearly any authentication protocol, including one-time pads, token-based authentication, and popular password authentication mechanisms. If simplicity of deployment is your primary motivator, PEAPv0 is the logical choice for Windows-centric networks with built-in support for clients and Windows Active Directory authentication sources.
Carefully selecting an EAP type is an important part of your wireless strategy. Like many decisions in the IT industry, you need to choose among security, flexibility, and simplicity, depending on the requirements of your organization.
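As an added example (not part of the original article), the criteria above can be turned into a small audit of client supplicant settings. It assumes clients configured through wpa_supplicant, whose `network={...}` syntax the article does not discuss; the sample configuration and SSIDs are constructed.

```python
import re

# Constructed sample in wpa_supplicant.conf syntax; SSIDs are made up.
SAMPLE_CONF = '''
network={
    ssid="corp-legacy"
    eap=LEAP
}
network={
    ssid="corp-peap"
    eap=PEAP
    phase1="peapver=0"
    phase2="auth=MSCHAPV2"
}
network={
    ssid="corp-tls"
    eap=TLS
}
network={
    ssid="corp-ttls"
    eap=TTLS
    phase2="auth=PAP"
}
'''

NEVER_USE = {"LEAP", "MD5"}  # the two methods the article says should never be used

def parse_networks(text):
    """Return one dict of key -> unquoted value per network={...} block."""
    bodies = re.findall(r"network=\{(.*?)\}", text, flags=re.S)
    return [{k: v.strip('"') for k, v in re.findall(r"^\s*(\w+)=(.*?)\s*$", b, flags=re.M)}
            for b in bodies]

def audit(net):
    """Return findings for one network block, based on the article's criteria."""
    methods = net.get("eap", "").upper().split()
    findings = [f"{m}: flawed method, never use" for m in methods if m in NEVER_USE]
    # EAP/TLS authenticates with a client-side certificate, so one must be set.
    if "TLS" in methods and not (net.get("client_cert") and net.get("private_key")):
        findings.append("TLS: no client certificate/key configured")
    # PEAPv0 is limited to MS-CHAPv2 as the inner credential.
    if ("PEAP" in methods and "peapver=0" in net.get("phase1", "")
            and "MSCHAPV2" not in net.get("phase2", "").upper()):
        findings.append("PEAPv0: inner method is not MS-CHAPv2")
    return findings

def audit_config(text):
    """Map each SSID to its list of findings."""
    return {n.get("ssid", "?"): audit(n) for n in parse_networks(text)}
```

Calling `audit_config(SAMPLE_CONF)` flags the LEAP network and the EAP/TLS network that has no client certificate, and returns empty lists for the PEAPv0 and TTLS networks.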