
Microsoft WPA2: How to look a gift horse in the mouth

Microsoft has leading edge Wireless LAN management and security capability, yet Andrew Garcia thinks they are playing catch up. Oh really? Catching up with whom?

There's an old proverb: Do not look a gift horse in the mouth.  It basically means that when someone gives you something, like a horse, for nothing, you don't look in that horse's mouth and complain that it has bad teeth.  This is why I was really taken aback when I read Andrew Garcia's article "Microsoft Finally Catching up With WPA2".  Oh really? Catching up with whom?

Last year, when Microsoft shipped SP1 (Service Pack 1) for Windows Server 2003, Windows XP was the first OS to receive native WPA and WPA2 support.  The ability to manage WPA globally at the domain level was a welcome addition to the original Windows Server 2003 capability of globally configuring 802.1x and EAP on Windows XP.  WPA adds strong* encryption to replace the easy-to-break WEP, or even the rotating WEP key scheme.  Even today, no other platform, such as Linux or Mac OS, has any native ability to globally manage wireless clients, nor do they have the native ability to centrally manage the PKI requirements needed to enable strong authentication.  Some third-party wireless clients can integrate with third-party management tools to push configurations via custom scripts, but this isn't nearly as easy as the Group Policy configuration built in to Windows Server 2003, nor is the additional cost zero.

In addition to the wireless management capability of Windows Server 2003, a complete suite of RADIUS authentication and PKI Certificate Authority infrastructure is included which ties in natively to Active Directory.  Linux has open source implementations of PKI Certificate Authorities and a RADIUS authenticator, but they aren't seamlessly tied together and there is no client-side management capability.  On a positive note for the Linux-based solution, FreeRADIUS can tie in to non-Microsoft user directories via LDAP, which makes it a more cross-platform solution.  While one could say that the Microsoft solution favors the Windows platform and Microsoft's Active Directory (though it can support unmanaged Linux and Mac clients), saying that it's "catching up" is hardly accurate.

Windows XP received a WPA2 patch soon after SP1 was released for Windows Server 2003, but all Garcia can focus on is the fact that it couldn't yet be managed with Windows Server 2003 SP1 and had to wait for the release of SP2.  It would have been really nice if the Windows Server team had released WPA and WPA2 management support at the same time as SP1, but it wasn't ready yet, and WPA2 had only recently been completed at the time.  When the news came that Windows Server 2003 SP2 and Longhorn would add WPA2 management capabilities, Garcia decided to criticize Microsoft for not supporting some of the more obscure EAP protocols like EAP-GTC and EAP-SIM, which most people haven't even heard of or care about.  EAP-TTLS, a standardized protocol from Funk Software, is also missing, but there isn't anything wrong with standardized EAP-TLS or PEAP, which are the most universally supported EAP types on any OS platform.

Windows XP was the first OS to receive native WPA and WPA2 support, but you would have thought that Microsoft was last after reading Garcia's critique.  One of the lesser known features is that Windows XP's supplicant is the only client with wireless machine login, which means it can connect to the Wireless LAN before a user actually logs in to the computer.  Machine login allows computers to receive policy updates from Windows Active Directory during the login process, so it is a critical feature on a corporate network.  Cisco touts its own proprietary wireless client as the superior solution, but its own documentation tells you that you must resort to the standard Windows XP client if you want machine login capability.

As always, if Mr. Garcia (or anyone else) feels that I have critiqued his critique unfairly, he's free to respond or post in our talkback, because I would love to hear and learn about superior wireless LAN platforms if anyone can find any.  If not, take Confucius' advice and try to present the news in the right context.

* WPA offers strong enough encryption in the sense that it provides TKIP encryption with the option of the much stronger AES encryption.  WPA2 mandates both TKIP and AES capability.