Gartner issues false alarm on Microsoft WPA2 warning

Updated 6/2/05: If the confusion over the recent addition of four EAP authentication protocols to the WPA2 standard wasn’t already high enough, Gartner’s recent attempt to bring clarity to the matter has exacerbated the problem.

Updated 6/2/05: If the confusion over the recent addition of four EAP authentication protocols to the WPA2 standard wasn’t already high enough, Gartner’s recent attempt to bring clarity to the matter has exacerbated the problem.  The actual report in PDF form itself wasn't really too alarmist, but it was this article from the report's authors John Pescatore and Ken Dulaney that has spawned a rash of dire warnings in the press that Microsoft is somehow falling short on WPA2 because it’s new WPA2 patch is missing the four new extended EAP types that were only added by the Wi-Fi Alliance last month.  Originally, the WPA and WPA2 standard only certified a single EAP protocol called EAP-TLS, which is universally supported by all manufacturers since it is the original EAP protocol used for wireless LAN authentication.  Last month, the Wi-Fi Alliance added four additional EAP types to the WPA enterprise and WPA2 enterprise standards.  For an in-depth look at WPA/WPA2 and all five certified EAP protocols, I've posted a follow-up story here.

Note that these changes to the WPA and WPA2 standard only pertain to the "enterprise" version and not the "personal" version.  The WPA enterprise standard is meant for businesses or organizations and mandates compliance with the five security-certified EAP authentication protocol while the WPA personal standard is meant for the home or small office and only requires the use of a pre-shared key for authentication.  The personal versions of WPA and WPA2 are also known as WPA-PSK and WPA2-PSK mode and you will often see this terminology in device configurations.

Since the addition of the four new EAP types to the WPA and WPA2 standard is only a month old, one would hardly expect that the Microsoft WPA2 patch, which was probably in the works for quite some time, to magically be compliant with the new Extended EAP types.  This is the exact reason the Wi-Fi Alliance is giving vendors a grace period to comply with the modified WPA2 standard.  Gartner is warning people to be very careful that the Microsoft WPA2 client is compatible with their existing infrastructure before committing to it, which sounds dire for the average IT manager.  But in proper context, the warning sounds pretty comical because the chances are about 99.99 percent that the Microsoft WPA2 client is compatible with their existing infrastructure. 

Keep in mind that you get the WPA2 supplicant for the four-year-old Windows XP as a free download, so you’re at liberty to use it or not. In contrast, Apple didn’t even support WPA until MAC OS 10.3 which is less than two years ago.  I don’t know of a single "infrastructure" in the world that can’t support Microsoft’s PEAP and EAP-TLS implementations since they are the de facto standard given the enormous market share of Windows 2000 and XP.  Furthermore, the use of the word "infrastructure" in this context is highly dubious since most of the wireless LAN infrastructure is composed of 802.11 access points and access point controllers that are EAP agnostic since they act strictly as a pass-through for all EAP authentication protocols -- including the ones certified for WPA and WPA2.  In other words, no explicit compatibility is required.  The only exceptions to this rule are the two proprietary Cisco EAP types LEAP and EAP-FAST, which only operate through Cisco Access Points, but neither EAP type is on the WPA or WPA2 standard.  All standard EAP transactions will flow through a standard 802.1x-capable access point with ease.  What dictates compatibility in EAP types is the supplicant (the client software on the user's computer) and authentication server (RADIUS server) to which the authentication attempt is passed after it passes through the access point.

The bottom line is that any of the WPA/WPA2 Extended EAP protocols are secure.  Of the five certified EAP protocols, Microsoft already supports the two most common EAP types.  Eventually, it would be nice to see Microsoft support the three remaining extended WPA/WPA2 EAP authentication protocols; and, once the grace period for the WPA2 Extended EAP types run out, Microsoft may have to add them or risk losing their WPA2 logo certification.  For now, the biggest challenge for most organizations is to move on to some form of enterprise WPA let alone WPA2.  Most businesses are still operating in dangerous waters with WEP encryption and some easy to crack EAP authentication protocol like LEAP.  The last thing they need to be worried about is having to support for all five flavors of WPA/WPA2 EAP since any one of them, including the two currently supported by Windows, will suffice in pretty much any situation.

[Editor's Note: This post was revised and updated on 6/2/05. The full text of George Ou's original post can be found here.]