Security
When designing for secure wireless connectivity, use the following best practices:
- Use one of the following combinations of encryption and authentication for secure wireless in an organization network:
    - Wired Equivalent Privacy (WEP) and Extensible Authentication Protocol-Transport Layer Security (EAP-TLS)
    - WEP and Protected EAP (PEAP)-Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAP v2)
    - Wi-Fi Protected Access (WPA)/Temporal Key Integrity Protocol (TKIP) and EAP-TLS
    - WPA/TKIP and PEAP-MS-CHAP v2
- For a Small Office/Home Office (SOHO) wireless network without a Remote Authentication Dial-In User Service (RADIUS) server, the following combinations of encryption and authentication are recommended:
    - WEP with a static WEP key and open system authentication
    - WPA/TKIP and WPA with a pre-shared key
- For the strongest authentication configuration, wireless clients should have HKEY_LOCAL_MACHINE\Software\Microsoft\EAPOL\Parameters\General\Global\AuthMode set to 1. This setting enforces the use of a user certificate and user authentication after the user has successfully logged on. Computers running Windows XP (SP1 and later) and Windows Server 2003 have AuthMode set to 1 by default. Computers running Windows XP (earlier than SP1) have AuthMode set to 0 by default.
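The AuthMode check above can be scripted so that it is verified on many clients rather than inspected by hand. The following PowerShell function is an added example, not part of the original page or of any Microsoft tooling; the registry path is the one the page names (written with the HKLM: drive that PowerShell uses for HKEY_LOCAL_MACHINE), while the function name Test-EapolAuthMode and its -Enforce switch are this example's own conventions. It reads the value, reports whether it is 1, and only writes the value when explicitly asked to.

```powershell
# Added example (not from the original page): audit the EAPOL AuthMode value
# on a Windows client and, optionally, set it to 1 as the page recommends.
# Assumed names: Test-EapolAuthMode and the -Enforce switch are this example's own.

function Test-EapolAuthMode {
    [CmdletBinding()]
    param(
        # When present, write AuthMode=1 if the value is missing or differs.
        [switch]$Enforce
    )

    # Registry path from the page, expressed through PowerShell's HKLM: drive.
    $keyPath  = 'HKLM:\Software\Microsoft\EAPOL\Parameters\General\Global'
    $expected = 1

    # Read the current value; a missing key or value is reported as $null.
    $current = $null
    if (Test-Path -Path $keyPath) {
        $current = (Get-ItemProperty -Path $keyPath -Name 'AuthMode' -ErrorAction SilentlyContinue).AuthMode
    }

    $compliant = ($current -eq $expected)

    if (-not $compliant -and $Enforce) {
        # Create the key if it does not exist, then write a REG_DWORD of 1.
        # Writing under HKLM requires administrator rights.
        if (-not (Test-Path -Path $keyPath)) {
            New-Item -Path $keyPath -Force | Out-Null
        }
        Set-ItemProperty -Path $keyPath -Name 'AuthMode' -Value $expected -Type DWord
        $current   = $expected
        $compliant = $true
    }

    # Return an object so results from many machines can be collected and filtered.
    [PSCustomObject]@{
        ComputerName = $env:COMPUTERNAME
        AuthMode     = $current
        Compliant    = $compliant
    }
}

# Audit only (no changes made):
Test-EapolAuthMode

# Audit and remediate (run from an elevated session):
# Test-EapolAuthMode -Enforce
```

Run without -Enforce to collect the current state; a result with Compliant set to False identifies a client that still uses the weaker computer-only mode. Because the setting governs how the client authenticates on every 802.1X-protected network it joins, confirm that user certificates are actually deployed before enforcing the value, or affected users will be unable to authenticate after logon.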
- To prevent rogue wireless access points (APs) from being attached to your wired network, use Ethernet switches that support 802.1X authentication on network ports that are accessible to users.
- If you are using EAP-TLS authentication, do not also use PEAP-TLS. Allowing both protected and unprotected authentication traffic for the same type of network connection renders the protected authentication traffic susceptible to spoofing attacks.