Wireless Security and Deployment Considerations
When choosing an authentication method, balance the level of
security that you require with the effort that you want to devote
to deployment. For the highest level of security, choose PEAP with
certificates (EAP-TLS). For the greatest ease of deployment, choose
PEAP with passwords (EAP-MS-CHAPv2).
Although both PEAP with EAP-TLS and EAP-TLS alone provide strong
security through the use of certificates for server authentication
and for client computer and user authentication, when PEAP with
EAP-TLS is used, client certificate information is encrypted. PEAP
with EAP-MS-CHAPv2 requires the least effort to deploy because
client authentication is password-based, so certificates do not
need to be installed on clients. Because PEAP creates an end-to-end
encrypted channel before EAP-MS-CHAPv2 authentication occurs, the
authentication exchange is less exposed to offline dictionary
attacks.
Important
When you deploy both PEAP and EAP unprotected by PEAP, do not
use the same EAP authentication type with and without PEAP. For
example, if you deploy PEAP with EAP-TLS (PEAP/EAP-TLS), do not
also deploy EAP-TLS without PEAP. Deploying authentication methods
with the same type - one with and the other without the protection
of PEAP - creates a security vulnerability.
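The rule in the note above can be checked mechanically. The following is an added example, not part of the original documentation: it audits an inventory of authentication policies for any EAP type that is offered both inside PEAP and without it. The policy names and the "PEAP/<type>" inventory format are constructed for illustration and do not correspond to any product's export format.

```python
from collections import defaultdict

# Constructed sample inventories: policy name -> authentication methods it accepts.
# "PEAP/<type>" means the EAP type runs inside PEAP; a bare "<type>" means it does not.
WEAK = {
    "Corp-WiFi":   ["PEAP/EAP-TLS"],
    "Legacy-WiFi": ["EAP-TLS"],              # same EAP type, no PEAP protection
    "Guest-WiFi":  ["PEAP/EAP-MS-CHAPv2"],
}
CORRECTED = {
    "Corp-WiFi":   ["PEAP/EAP-TLS"],
    "Legacy-WiFi": ["PEAP/EAP-TLS"],         # moved under PEAP
    "Guest-WiFi":  ["PEAP/EAP-MS-CHAPv2"],
}

def parse_method(method):
    """Return (protected_by_peap, eap_type), normalised to upper case."""
    m = method.strip().upper()
    if m.startswith("PEAP/"):
        return True, m[len("PEAP/"):]
    return False, m

def find_peap_conflicts(policies):
    """Map each EAP type deployed both with and without PEAP to the policies involved."""
    seen = defaultdict(lambda: {"protected": [], "unprotected": []})
    for name, methods in policies.items():
        for method in methods:
            protected, eap_type = parse_method(method)
            bucket = "protected" if protected else "unprotected"
            if name not in seen[eap_type][bucket]:
                seen[eap_type][bucket].append(name)
    # A conflict exists only when the same type appears in both buckets.
    return {t: dict(v) for t, v in seen.items()
            if v["protected"] and v["unprotected"]}

if __name__ == "__main__":
    for label, inventory in (("WEAK", WEAK), ("CORRECTED", CORRECTED)):
        conflicts = find_peap_conflicts(inventory)
        if not conflicts:
            print(f"{label}: no EAP type is deployed both with and without PEAP")
        for eap_type, where in conflicts.items():
            print(f"{label}: {eap_type} inside PEAP in {where['protected']} "
                  f"and without PEAP in {where['unprotected']}")
```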
© 2001-2007 XPerience Technologies. www.xperiencetech.com