WPA in action - Client "Enterprise" mode
As I previously described, the only differences between WPA-PSK and "normal" WPA are where authentication itself takes place and which credentials are used. In WPA-PSK mode, authentication takes place in the AP or wireless router, using the Pre-Shared Key manually entered into the AP and wireless clients as the credentials.
In "Enterprise" WPA, authentication is done in an authentication server using a variety of credential types including digital certificates, unique usernames and passwords, smart cards, or other forms of secure IDs. The AP or wireless router serves only to bridge the authentication traffic between the wireless and wired networks.
WPA uses EAP (Extensible Authentication Protocol) to enforce user-level authentication within the 802.1X Port-Based Network Access Control framework. EAP was designed to be extensible, so that it can carry a variety of authentication methods and protocols. The exact methods supported depend on the client supplicant and authentication server used, and of course the method you select must be supported on both client and server!
As I noted earlier, it's turning out that WPA client supplicants are harder to implement than WLAN equipment vendors were led to believe. They're also sizable applications, since they contain most of the intelligence in the authentication process. So the client end of things may end up determining the exact authentication methods used.
As Figure 9 shows, the Windows XP WPA patch supports only EAP-Transport Layer Security (EAP-TLS) for certificate- and smart card-based authentication, and Protected EAP with Microsoft Challenge Handshake Authentication Protocol version 2 (PEAP-MS-CHAP v2) for password-based authentication.
Figure 9: XP Client Authentication options
The Funk Odyssey and Meetinghouse AEGIS supplicants, which some WLAN equipment vendors either bundle or refer users to, offer a wider choice of methods, including EAP-TTLS, EAP-PEAP, EAP-TLS, Cisco's LEAP, and EAP-MD5.
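To make the division of roles concrete, here is an added toy model (not from this article, and with no real EAP framing or cryptography) of the exchange described above: the AP relays EAP messages without interpreting them and opens its controlled port only on EAP-Success, while a supplicant answers an offered method it does not support with an EAP Nak listing what it would accept, so a client that only speaks PEAP can still authenticate against a server that offers EAP-TLS first. The class names, identities and method labels are constructed for the example.

```python
# Added toy model of the 802.1X/EAP roles; no real EAP framing or crypto.
from collections import namedtuple
# code: Request/Response/Success/Failure; method: Identity, Nak or e.g. "TLS"
EapMsg = namedtuple("EapMsg", "code method data", defaults=("", ""))
class Supplicant:  # client side: answers Identity, Naks unsupported methods
    def __init__(self, identity, methods):
        self.identity, self.methods = identity, list(methods)
    def respond(self, req):
        if req.method == "Identity":
            return EapMsg("Response", "Identity", self.identity)
        if req.method in self.methods:
            return EapMsg("Response", req.method, "method-data")
        # Legacy Nak: tell the server which methods we would accept instead
        return EapMsg("Response", "Nak", ",".join(self.methods))
class AuthServer:  # server side: offers its methods, accepts known identities
    def __init__(self, methods, users):
        self.methods, self.users, self.identity, self.pending = list(methods), users, None, None
    def start(self):
        return EapMsg("Request", "Identity")
    def handle(self, resp):
        if resp.method == "Identity":
            self.identity = resp.data
            return self._offer(self.methods)
        if resp.method == "Nak":  # keep only methods both ends support
            return self._offer([m for m in resp.data.split(",") if m in self.methods])
        if resp.method == self.pending and self.identity in self.users:
            return EapMsg("Success")
        return EapMsg("Failure")
    def _offer(self, candidates):
        if not candidates:
            return EapMsg("Failure")  # nothing in common: no access
        self.pending = candidates[0]
        return EapMsg("Request", self.pending)
class Authenticator:  # the AP: relays EAP unchanged, gates the controlled port
    def __init__(self):
        self.port_authorized, self.relayed = False, []
    def relay(self, msg):
        self.relayed.append(f"{msg.code}/{msg.method}".rstrip("/"))
        if msg.code in ("Success", "Failure"):
            self.port_authorized = msg.code == "Success"
        return msg
def run_8021x(supplicant, server):
    """Returns (controlled port open?, agreed method, what the AP relayed)."""
    ap = Authenticator()
    msg = ap.relay(server.start())
    while msg.code not in ("Success", "Failure"):
        msg = ap.relay(server.handle(ap.relay(supplicant.respond(msg))))
    return ap.port_authorized, server.pending, ap.relayed
```

A server with no method in common with the supplicant, or an identity it does not know, ends the exchange with EAP-Failure and the AP's port stays closed.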
That's about where I'm going to stop on this WPA mode, since the client side setup is very configuration and method dependent. Suffice it to say that if you're faced with setting up a client for WPA "Enterprise" mode, you'd better hope that your network administrator gives you clear instructions!
Now that you know what's involved in setting up WPA, it's time to finally see whether you'll be giving up throughput to use it!