Securing your wireless network provides tremendous cost savings, productivity benefits, and a competitive market advantage. It’s not a question of whether enterprises will require wireless network security, but when. Choosing the highest level of security available is a good investment, because security breaches can be a significant expense. Most attacks go unnoticed, and enterprises can be vulnerable to damages. Security breaches such as stolen information, corrupt data, and network downtime can be expensive. They can also result in consequential damages, such as those resulting from increasing a competitor’s position or market share at the expense of your future revenues and profitability. The cost can be both significant and recurring.

In table 1, we compare several families of EAP methods we have considered in this tutorial: legacy, certificate, password, and strong password. For an explanation of the requirements and features found in the left hand column, see Section 2. As shown in the table, older EAP methods such as EAP-MD5 are not suitable for wireless authentication because they do not meet all the requirements.

Both the certificate-based methods and the strong password methods meet the basic requirements and may be used on wireless networks. Certificate-based methods possess some special properties that may be valuable in some environments, such as the ability to protect and augment legacy methods that may already be in use. However, the password method is much easier to set up and administer.

The SPEKE method fits especially well into environments where certificates are not practical; such as for SOHO users and public hot spots. SOHO users will find SPEKE is easy to implement and low cost. Carriers and service providers will find SPEKE very flexible, since it is not proprietary to specific infrastructures. SPEKE can be implemented easily into SOHO and hot spot environments where client distribution can be controlled and managed, because clients can be downloaded from a website or provided on an installation CD with the access points.

Note: Readers who are interested in the technical aspects of EAP-SPEKE should read APPENDIX A.

---

	Legacy EAP Methods (EAP-MD5)	Certificate (TLS, TTLS, PEAP)	Password (LEAP)	Strong Password (SPEKE, etc.)
Must Haves
Mutual	No	Yes	Yes	Yes
Self Protecting	Yes	Yes	Yes	Yes
Immune to dictionary attacks	Only with long, randomly generated passwords	Yes	No	Yes
Produces session keys	No	Yes	Yes	Yes
Credential Security	None	Strong	Weak	Strong
Should Haves
Authenticates User	Not with long, randomly generated passwords	Not if cert is stored on disk	Yes	Yes
Foreward Secrecy	N/A	Not with commonly used cipher suites	Yes	Yes
Quick and efficient	Yes	No	Yes	Yes
Low maintenance cost	Yes	No	Yes	Yes
Convenient for users	Yes	Only if cert is stored on disk	Yes	Yes
Broad AP Support	Yes	Yes	No	Yes
May Haves
Augments legacy	N/A	Yes	No	No
Fast Reauthentication	No, must go to home domain	Yes	No	No, must go to home domain

Table 1 - Comparison of EAP Methods