Security in wireless network is a very essential and while designing a WLAN you have to focus and consider the following important aspects of security.
In WLAN we have different security protocols for security. One of the famous protocol is WEP (Wired Equivalent Privacy) that emerge with 802.11b standard but it is faulty and vulnerable to several attaches. WPA2 is a better option as compare to WEP where you have more security. WPA2 involves 802.1x which work on the top 802.3 and 802.11 and provide you the authentication to individual users and devices using the protocol EAP and with some authentication server like RADIUS. WPA2 also involve RSN (Robust Security Network) which keep track of your the association to each access point. For confidentially and integrity we have AES (Advanced Encryption Standard), which have strong encryption like 128bit or 256 bit or more.
Another security design issue we have to deal with that is unauthorized access. Remember in WLAN there is no physical boundary of a network, so an attacker can access your network from outside of your physical security with using mobile devices or with laptop having Wi-Fi. We have MAC address filtering using this we can provide access to only authorize users and devices but now a day there are number of software out their which can spoof MAC addresses into your Access point (AP). Also MAC filter is not a scalable way and it is difficult to manage and control with large number of users. You can use the 802.1x for limiting unauthorized access.
802.1x provide the port base security and it is the best for handling unauthorized access and good alternative for MAC address filtering. 802.1x authenticate the user before providing the access to network.
Authentication Choices for WLAN:
In WLAN you can understand the authentication process with the following figure:
In 802.1x you have a supplicant as a end device like computer or laptop and you have a authenticator which can be a switch or an access point. Also you have an authentication server which may a Radius server. Authenticator has control channels which are used for authentication the supplicant (Laptop) to Radius Server and have uncontrolled cannels which authenticate the supplicant by using different security protocols. These security protocols are very important for choosing the final security protocol for you wireless design and as follows:
EAP-TLS (Extensible Authentication Protocol- Transport layer security):
It is commonly use EAP wireless network, you need to a certificates at supplicant and authentication server end and it is the most secure available method. You need to have the key pair for these certificates which have to sign by some certificate authority. You can place your CA server with authentication server or in server form. The EAP-TLS use a communication method like the SSL and you have a secure tunnel for sending these user certificates. Although EAL-TLS is most secure method but it is more complex and expensive to deploy as compare to other security protocols. EAP-TLS is the complete security solution for large organization.
PEAP (Protected Extensible Authentication Protocol)
PEAP is a wireless security protocol. In PEAP as compare to EAP-TLS you only have the server side certificates and these certificates are used to create the tunnel and real authentication are take place inside that tunnel. PEAP is the mostly used by Cisco and Microsoft, in Microsoft windows-PEAP uses the CHAP and MS-CHAP for authenticating users inside the tunnel.
EAP-TTLS (Extensible Authentication Protocol- Tunneled Transport Layer Security):
EAP-TTLS is a one of the old security protocol which is use for the wireless security and only used where you the old authentication devices or in Windows NT environment. It is like the PEAP and use a TLS tunnel for protection. EAP-TTLS mostly use the CHAP, MS-CHAP and EAP-MD5. Although EAP-TTLS are introduces earlier but Microsoft and Cisco are mostly using the PEAP.
LEAP (Lightweight Extensible Authentication Protocol)
LEAP is a Cisco Property security protocols for wireless network, it work with the 802.1x standard. It is support by Cisco Aironet products and other wireless devices and also support by most Microsoft and Linux operating systems. LEAP has some vulnerability and can be crack with different software but it is still used by different organization having Cisco devices.
EAP-FAST is security protocol use for wireless network.
This is flexible security via a tunneling and it also develops for overcoming the weakness and vulnerabilities of the LEAP. With EAP-FAST server certificates are optional but it gives you a lower cost solution as compare to PEAP and EAP-TLS. EAP-EAST use the PAC (Protected access credentials) for establishes the TLS tunnel for protection of credentials and transfer. PAC (Protected access credentials) is basically a strong shared secret key and it is unique on every single client. EAP-FAST is the best option for small to medium wireless network.