January 25, 2007

EAP with TKIP Design Guidelines for Wi-Fi

Here are some guidelines for implementing EAP (Extensible Authentication Protocol) with TKIP (Temporal Key Integrity Protocol) for better wireless security. The majority of networks run on layer 2 access switches along with RADIUS (Remote Authentication Dial-In User Service) and DHCP (Dynamic Host Configuration Protocol). Every corporation wants to remain secure from any form of unauthenticated access, which includes a RADIUS server failure caused by an intruder. RADIUS is the component that performs the authentication of clients on behalf of the domain controller (DC) holding the user database. No corporation allows a wireless client to be authenticated directly by a DC, because the DC does not understand the authentication mechanism the wireless clients are using; therefore the RADIUS server performs this task on behalf of the DC. Another important service is DHCP, which is responsible for allocating IP addresses to clients that RADIUS has authenticated.

Wireless clients use EAP as the authentication protocol when passing credentials to a RADIUS server, which in turn contacts the DC and has the credentials verified against it. Once authenticated, the client contacts a DHCP server to request an IP address and is thereafter permitted to enter the corporate network. The access granted to the wireless client depends on the customer's security filters and other filters, such as those based on MAC address. The most important factor for network designers is to make sure the RADIUS and DHCP servers are placed in a location that is highly available and out of reach of any form of intrusion.

Make sure TKIP is configured with a rekeying schedule that rotates both the unicast and broadcast keys, which protects them against initialization vector (IV) collision attacks. If the network is fairly large, network designers are advised to leave room for future growth, which includes planning RADIUS server scalability as well.

EAP specific design guidelines:

  • EAP-TLS (Extensible Authentication Protocol - Transport Layer Security) must be implemented using a PKI (Public Key Infrastructure) with a Certificate Authority issuing the digital certificates.
  • For EAP-TLS and EAP-PEAP (Protected Extensible Authentication Protocol, or Protected EAP), it is recommended to configure wireless clients with certificates trusted by the same Certificate Authority, which in turn helps prevent illegitimate access. If you don't use PEAP, MITM (Man in the Middle) attacks for identity spoofing are a possibility.
  • EAP-LEAP and EAP-PEAP with static passwords should be used in environments where the RADIUS server is configured to lock out a user account after 3-5 invalid attempts and a long password length is enforced. Passwords must be set to expire aggressively and be changed.
  • For EAP-TLS communications working through a RADIUS server, a regular scheduled check of the Certificate Authority's CRL (Certificate Revocation List) must be performed to identify client certificates that are no longer valid (revoked or expired).

WVLAN (Wireless Virtual LAN) integration is another option network designers can consider for keeping different Wi-Fi network segments separated. For example, network management traffic can be separated from Internet-bound traffic. This can be done using the RADIUS server's user- and group-based policies, which work at the distribution layer.
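As an added example, not part of the original post, here is how the guidelines above (EAP relayed to RADIUS, scheduled TKIP rekeying of both unicast and broadcast keys, periodic re-authentication, and RADIUS-assigned VLANs) map onto a hostapd access point configuration. hostapd is not mentioned in the post and is assumed here; the interface name, SSID, addresses and shared secret are constructed placeholders.

```ini
# hostapd.conf: EAP via RADIUS with scheduled TKIP rekeying (hostapd does not
# allow trailing comments on key=value lines, so every comment is on its own line)
interface=wlan0
driver=nl80211
# constructed placeholder SSID
ssid=CorpWiFi-EXAMPLE
hw_mode=g
channel=6

# --- 802.1X / EAP: the AP only relays EAP; the RADIUS server verifies credentials ---
ieee8021x=1
# do not terminate EAP locally on the AP
eap_server=0
# constructed placeholder NAS and RADIUS addresses / secret
own_ip_addr=10.0.0.5
nas_identifier=ap01.example.test
auth_server_addr=10.0.0.10
auth_server_port=1812
auth_server_shared_secret=CHANGE_ME_PLACEHOLDER
# force a full EAP re-authentication against RADIUS every hour, so an account
# that was locked out or a certificate found on the CRL loses access promptly
eap_reauth_period=3600

# --- WPA with TKIP ---
# wpa=1 selects WPA (the TKIP generation); wpa=2 would select RSN/CCMP instead
wpa=1
wpa_key_mgmt=WPA-EAP
wpa_pairwise=TKIP
# rotate the broadcast/multicast (group) key every 10 minutes
wpa_group_rekey=600
# also rekey the group key whenever a station that holds it leaves the BSS
wpa_strict_rekey=1
# rotate the master key from which group keys are derived once a day
wpa_gmk_rekey=86400
# rotate each station's unicast (pairwise) key every 10 minutes;
# the hostapd default is 0, which leaves the unicast key unchanged for the session
wpa_ptk_rekey=600

# --- RADIUS-assigned VLANs: segment users by RADIUS user/group policy ---
dynamic_vlan=1
vlan_file=/etc/hostapd/hostapd.vlan
```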
