ESTABLISHING WIRELESS ROBUST SECURITY NETWORKS: A GUIDE TO IEEE 802.11I
Table 6-4. Questions for Identifying an Appropriate EAP Method

Question: Does the WLAN solution need to support guest users?
Analysis: Organizations that want to use WLAN technology to provide connectivity to business partners, customers, and guests need an RSN solution based on an EAP method for which there is nearly universal support across potential clients. This requirement effectively limits the selection of EAP methods to those that are supported natively by Microsoft Windows, given its widespread use. Microsoft Windows (XP or newer) supports PEAP and a native version of EAP-TLS. PEAP provides the best support for guest users because it does not require the presence of a client certificate. However, it does not eliminate the requirement to deploy the root certificate on the client. Also, the guest user's PEAP must be compatible with the organizational server's PEAP, and care should be taken that neither version contains known vulnerabilities. EAP-TTLS provides better support for guest users, since it does not require client certificates, does not have PEAP's version incompatibilities, and EAP-TTLS/PAP can be used with any user authentication database.

Question: Will the WLAN solution support equipment from multiple WLAN vendors?
Analysis: The greater the interoperability requirement, the greater the need to use a commonly used EAP method such as EAP-TLS, EAP-TTLS, or PEAP. Proprietary solutions can commit an organization to a single vendor and can complicate upgrades and migrations.

Question: Does the organization currently have a PKI? Does it issue client certificates?
Analysis: The presence of a PKI greatly facilitates the use of certificate-based methods that require each STA to have a certificate, such as EAP-TLS. EAP-TLS is thus an attractive option if the PKI issues client certificates. If no PKI is available, then the organization should obtain a server certificate from an external PKI provider or consider secure password-based EAP methods.

Question: Does the organization deploy smart cards and readers?
Analysis: If a smart card infrastructure is already in place, EAP-TLS generally offers the greatest security. Support for smart card-based EAP-TLS solutions is native to recent versions of Microsoft Windows. Alternatively, the session resumption features of PEAP/EAP-TLS or TTLS/EAP-TLS permit the STA to remain connected when roaming, without having to leave the smart card (i.e., ID badge) in the reader all of the time.

Question: Does the organization have an enterprise identity management system?
Analysis: If the organization has an enterprise identity management system, then there are probably strong security and cost incentives to leverage that system. The appropriate EAP method to deploy depends on the characteristics of the identity management infrastructure.

Question: Does the organization need to support legacy authentication methods?
Analysis: If a requirement for a legacy authentication method exists, then this method should be protected in a TLS session, especially if the legacy method sends authentication credentials in clear text. EAP-TTLS, EAP-FAST, and PEAP all provide support for TLS tunneling.

Question: Does the organization need to use an existing user database?
Analysis: If an existing user database is to be used, the EAP method must be compatible with the format in which user credentials are stored.

Question: Is the organization especially concerned about the overall cost of the solution?
Analysis: Certificate-based EAP methods are more costly to implement and maintain than password-based methods.

Question: Does the organization require a high assurance WLAN solution?
Analysis: High assurance solutions should consist of strong two-factor cryptographic authentication. One approach to achieve this requirement is EAP-TLS with certificates on PIN- or password-protected smart cards. Another approach is PEAP or EAP-TTLS with Generic Token Card (GTC) or possibly a biometric solution.
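As an added illustration of the guest-user and PKI rows of Table 6-4 (this configuration is not from the NIST guide), two wpa_supplicant network blocks contrast the client-side requirements of PEAP and EAP-TLS: PEAP drops the client certificate but still needs the root (CA) certificate on the client, while EAP-TLS needs both. SSIDs, identities, and file paths are placeholders.

```conf
# Added example, not from the NIST guide. All SSIDs, identities and paths
# are placeholders for an assumed organization "example.org".

# PEAP: no client certificate is needed, but the root certificate that
# issued the RADIUS server's certificate must still be deployed on the
# client. Omitting ca_cert leaves the supplicant unable to tell the real
# server from any other host presenting a certificate, so the inner
# MSCHAPv2 credentials would be offered to whichever server answers.
network={
    ssid="CORP-GUEST"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="guest.user@example.org"
    password="placeholder-password"
    ca_cert="/etc/ssl/certs/example-org-root-ca.pem"
    domain_suffix_match="radius.example.org"
    phase2="auth=MSCHAPV2"
}

# EAP-TLS: needs the root certificate AND a client certificate with its
# private key, which presumes a PKI that issues client certificates
# (the PKI row of Table 6-4). No password is sent inside the tunnel.
network={
    ssid="CORP"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="alice@example.org"
    ca_cert="/etc/ssl/certs/example-org-root-ca.pem"
    client_cert="/etc/wpa_supplicant/certs/alice.crt"
    private_key="/etc/wpa_supplicant/certs/alice.key"
    private_key_passwd="placeholder-passphrase"
    domain_suffix_match="radius.example.org"
}
```

For a guest deployment, the root certificate and the server name to match (ca_cert and domain_suffix_match) are therefore the items that must still be provisioned on every visiting client, even though no per-user certificate is issued.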
6-13