EAP Types

The IEEE 802.11 standard as amended (including the 802.11i amendment) doesn’t dictate the EAP type that should be used. However, it does suggest that you use an EAP type supporting mutual authentication to implement Robust Security Network Associations (RSNA), which are logical connections between wireless clients and the network infrastructure APs. I’ve provided a comparison of the different EAP types, their capabilities and a recommendation as to whether they should be used in production networks or not, which Table A shows.

Of the three EAP types supported by Windows Server 2003, only EAP-TLS and PEAP should be used in a production environment. EAP-MD5 uses very weak authentication algorithms and should only be used for initial testing of a RADIUS server. Whether you choose to use EAP-TLS or PEAP, the RADIUS server will need a certificate. This certificate can be provided by the Certificate Services server available with Windows servers. You will need to implement a PKI (public key infrastructure) solution if you plan to use EAP-TLS because the clients (end nodes in this case) as well as the RADIUS server need to have certificates. PEAP requires only the server-side certificate. An out-of-the-box installation of IAS provides only PEAP and EAP-MD5 for wireless remote access policies.