The Many Paths of Wi-Fi Security
Published: 06/25/2008
It's been over eight years since the IEEE 802.11 spec was published. Since then, there have been a number of updates (and additional acronyms to memorize) in the Wi-Fi world. This article is an attempt to encapsulate all the usual Wi-Fi security approaches at layer 2 and spell out what's good and what's not, beyond the typical, "Don't use WEP!" rhetoric.
Most people are only aware of 802.11a / b / g / n standards, but there's also 802.11d / e / f / h / i / j, and on and on. These updates to the original 802.11 spec are not just about raw speed based on changing the characteristics of the physical (PHY) layer in how the radio transmissions and receptions are handled. They also address other issues regarding the 802.11 protocol, such as security. 802.11i is the one we're talking about here.
One other thing - not every device that does Wi-Fi bridging is a "wireless router." There are access points out there that do not do routing functions. Your typical cheap "wireless router" bearing the name Linksys, Netgear, D-Link, Buffalo, etc. that most people pick up at Fry's is essentially a three-in-one device: a router, switch, and wireless access point combined into one. It's just like how a home stereo receiver is a tuner, power amplifier, and pre-amplifier rolled into a common package.
Layer 2 802.11 Fundamentals
Let's review the basics. Every communication generally starts with some kind of introduction: the TCP handshake, an ARP request, a DHCP broadcast, etc.
Between a laptop and access point (or in proper parlance, a "station" and "access point"), there are three types of layer 2 frames that handle 802.11 / Wi-Fi communication: management, control, and data frames. For now, let's just focus on the management frames, of which there are ten sub-types:
- Beacon
- Probe Request
- Probe Response
- Authentication
- Deauthentication
- Association Request
- Association Response
- Reassociation Request
- Reassociation Response
- Disassociation
These low-level "signalling" calls make up the majority of Wi-Fi communications. The rest is either payload (802.11 data frames) or link control (802.11 control frames: RTS, CTS, ACK).
The Basic Wi-Fi Connection Process
The following is a typical scenario where a station associates to an open (non-encrypted) access point that is broadcasting the SSID. The packet trace excerpts below come from a capture of this basic 802.11 connection process. In order to focus on the key points of the connection sequence, most of the extraneous packets such as the constant beaconing, layer 2 acknowledgements, etc., have been filtered out. A packet sniffer application such as Wireshark displays the frames in this form.
In this example, the station is a Windows XP Professional SP2 machine with a hostname of myhomepc01 using an Intel-based wireless card. The access point is a Cisco 1220 with a hostname of myhomeaccesspoint. The SSID has a value of myhomessid. Once the association process has completed, a D-Link router acting as the DHCP server and gateway hands out IP addresses with the local DNS domain name value of myhomenetwork.net. Once the station has been assigned an IP address, it starts to perform automated functions such as time synchronization (shown below with an initiating DNS request for time.windows.com), etc. Note that in most home setups, the access point and router are generally the same all-in-one device. In order to distinguish the functions of an access point from an IP router, they have been separated here.
1) The access point broadcasts a Beacon (which contains the SSID representing the wired network that the access point is physically connected to) ten times a second. Assuming the station is within physical radio range, it picks up this broadcast.
Beacon:
Timestamp: 0x00000000025CB192
Beacon Interval: 0.102400 [Seconds]
Capability Information: 0x0421
SSID parameter set: "myhomessid"
Supported Rates: 1.0(B) 2.0(B) 5.5(B) 6.0(B) 9.0(B) 11.0(B) 12.0(B) 18.0(B)
DS Parameter set: Current Channel: 4
Traffic Indication Map (TIM): DTIM 1 of 2 bitmap empty
ERP Information: no Non-ERP STAs, do not use protection, short or long preambles
Extended Supported Rates: 24.0(B) 36.0(B) 48.0(B) 54.0(B)
Cisco Unknown 1 + Device Name
Vendor Specific: Aironet Unknown
Vendor Specific: Aironet CCX version = 4
Vendor Specific: Aironet Unknown
Vendor Specific: WME
Vendor Specific
2) The station (as its radio and wireless management software initializes) broadcasts out a Probe Request for any access point bearing the SSID of a wireless connection profile that exists in the operating system configuration. The access point sends back a Probe Response.
Probe Request:
SSID parameter set: "myhomessid"
Supported Rates: 1.0(B) 2.0(B) 5.5 11.0 6.0 9.0 12.0 18.0
Extended Supported Rates: 24.0 36.0 48.0 54.0

Probe Response:
Timestamp: 0x00000000025D3AA0
Beacon Interval: 0.102400 [Seconds]
Capability Information: 0x0421
SSID parameter set: "myhomessid"
Supported Rates: 1.0(B) 2.0(B) 5.5(B) 6.0(B) 9.0(B) 11.0(B) 12.0(B) 18.0(B)
DS Parameter set: Current Channel: 4
ERP Information: no Non-ERP STAs, do not use protection, short or long preambles
Extended Supported Rates: 24.0(B) 36.0(B) 48.0(B) 54.0(B)
Cisco Unknown 1 + Device Name
Vendor Specific: Aironet Unknown
Vendor Specific: Aironet CCX version = 4
Vendor Specific: Aironet Unknown
Vendor Specific: WME
Vendor Specific
3) The station sends an Authentication Request to the access point. This "authentication" is really just a formality - there's no real authentication happening here, unless the access point is using WEP configured for Shared Key (as opposed to Open System), in which case it will send back a challenge. Shared Key is rarely used and generally not recommended since it's prone to simple cryptographic attacks. The access point responds with an Authentication Response to the station.
Authentication Request:
Authentication Algorithm: Open System (0)
Authentication SEQ: 0x0001
Status code: Successful (0x0000)

Authentication Response:
Authentication Algorithm: Open System (0)
Authentication SEQ: 0x0002
Status code: Successful (0x0000)
4) The station sends an Association Request. The access point notes the MAC address of the station, adds it to its session list, and sends back an Association Response.
Association Request:
Capability Information: 0x0421
Listen Interval: 0x000a
SSID parameter set: "myhomessid"
Supported Rates: 1.0(B) 2.0(B) 5.5(B) 6.0(B) 9.0(B) 11.0(B) 12.0(B) 18.0(B)
Vendor Specific: WME
Extended Supported Rates: 24.0(B) 36.0(B) 48.0(B) 54.0(B)

Association Response:
Capability Information: 0x0421
Status code: Successful (0x0000)
Association ID: 0x0008
Supported Rates: 1.0(B) 2.0(B) 5.5(B) 6.0(B) 9.0(B) 11.0(B) 12.0(B) 18.0(B)
Extended Supported Rates: 24.0(B) 36.0(B) 48.0(B) 54.0(B)
Vendor Specific: WME
This association process typically completes in less than a second.
Since the link layer has now been established, the station (and the user) can now send IP-based traffic to the network, including DHCP negotiation packets (only the Offer packet is displayed below), DNS queries ... and eventually, an HTTP request to Google for naked celebrities.
DHCP Offer:
Message type: Boot Reply (2)
Hardware type: Ethernet
Hardware address length: 6
Hops: 0
Transaction ID: 0x5c21e082
Seconds elapsed: 0
Bootp flags: 0x0000 (Unicast)
Client IP address: 0.0.0.0 (0.0.0.0)
Your (client) IP address: 192.168.1.101 (192.168.1.101)
Next server IP address: 0.0.0.0 (0.0.0.0)
Relay agent IP address: 0.0.0.0 (0.0.0.0)
Client MAC address: Intel_cb:4b:f8 (00:0e:35:cb:4b:f8)
Server host name not given
Boot file name not given
Option: (t=53,l=1) DHCP Message Type = DHCP Offer
Option: (t=1,l=4) Subnet Mask = 255.255.255.0
Option: (t=51,l=4) IP Address Lease Time = 3 hours
Option: (t=15,l=17) Domain Name = "myhomenetwork.net"
Option: (t=3,l=4) Router = 192.168.1.1
Option: (t=6,l=4) Domain Name Server = 192.168.1.1
Option: (t=54,l=4) Server Identifier = 192.168.1.1
End Option
Padding

DNS query:
Transaction ID: 0xb0dd
Flags: 0x0100 (Standard query)
Questions: 1
Answer RRs: 0
Authority RRs: 0
Additional RRs: 0
Queries
    time.windows.com: type A, class IN
When the station disconnects from the network gracefully by going through the formal disassociation process, the station sends a management frame with the subtype of Disassociation, and the access point follows with a Deauthentication notice.
Disassociation:
Reason code: Unspecified reason (0x0001)

Deauthentication:
Reason code: Previous authentication no longer valid (0x0002)
(Not really) hiding the SSID
Virtually all access points have a feature which allows the hiding / obfuscation of the SSID being broadcast by the radio. Some people think this cloaks their network from outsiders. However, this "hidden SSID" is really only half the story. In reality, the Beacon is still transmitted with the SSID field set to a null value.
Beacon with hidden SSID:
Timestamp: 0x000000000EBD7192
Beacon Interval: 0.102400 [Seconds]
Capability Information: 0x0421
SSID parameter set: "\000"
Supported Rates: 1.0(B) 2.0(B) 5.5(B) 6.0(B) 9.0(B) 11.0(B) 12.0(B) 18.0(B)
DS Parameter set: Current Channel: 4
Traffic Indication Map (TIM): DTIM 1 of 2 bitmap empty
ERP Information: no Non-ERP STAs, use protection, short or long preambles
Extended Supported Rates: 24.0(B) 36.0(B) 48.0(B) 54.0(B)
Cisco Unknown 1 + Device Name
Vendor Specific: Aironet Unknown
Vendor Specific: Aironet CCX version = 4
Vendor Specific: Aironet Unknown
Vendor Specific: WME
Whenever a station associates with an access point, it sends an Association Request which contains the SSID value, and anyone listening in on the traffic can observe this in the clear. If the station is momentarily disconnected from the network, it may attempt to automatically re-connect by sending a Reassociation Request packet. Again, this contains the SSID value.
Association Request:
Capability Information: 0x0421
Listen Interval: 0x000a
SSID parameter set: "myhomessid"
Supported Rates: 1.0(B) 2.0(B) 5.5(B) 6.0(B) 9.0(B) 11.0(B) 12.0(B) 18.0(B)
Vendor Specific: WME
Extended Supported Rates: 24.0(B) 36.0(B) 48.0(B) 54.0(B)
Thus, while hiding the SSID might have some applications (such as preventing click-clumsy neighbors from accidentally connecting to your network), in no way does it stop anyone with more than a passing curiosity from finding your network.
MAC address filtering is a novelty, not security
Another "security" feature that is still occasionally recommended by some folks is MAC address filtering. This is where the access point is configured to only accept connections from stations with known hardware addresses, which are supposedly unique throughout the world. The problem here is that while this may prevent some people from connecting to your network, these hardware addresses are always visible in the air by design and easily spoofed / masqueraded by attackers with minimal, basic knowledge of networking protocols. With just a little bit of work, bypassing this "security setting" is trivial.
QoS Data frame header:
Type/Subtype: QoS Data (0x28)
Frame Control: 0x0188 (Normal)
Duration: 48
BSS Id: Cisco_27:80:10 (00:1e:4a:27:80:10)
Source address: Intel_cb:4b:f8 (00:0e:35:cb:4b:f8)
Destination address: D-Link_3c:43:e2 (00:0f:3d:3c:43:e2)
Fragment number: 0
Sequence number: 45
Frame check sequence: 0x3933ac37 [correct]
QoS Control
See the BSS Id, Source address and Destination address lines in the header above? Yup, all of that juicy hardware addressing information is proudly displayed in the clear in every packet header. Isn't it lovely? Encryption only affects the payload, not the layer 2 headers.
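To make the three points above concrete (the Beacon carries the SSID, a "hidden" SSID is just a NUL-filled SSID element, and the MAC header of every data frame stays in the clear even when the body is encrypted), here is a small 802.11 frame parser. It is an added example and not code from the article; the frames it parses are constructed in the block itself, reusing only the MAC addresses that appear in the article's trace. Field offsets follow the 802.11 MAC header and Beacon body layout (24-byte header, 12 bytes of fixed Beacon fields, then tag/length/value information elements).

```python
import struct

# Management-frame subtype numbers (frame type 0) for the ten subtypes listed above.
MGMT_SUBTYPES = {
    0: "Association Request", 1: "Association Response",
    2: "Reassociation Request", 3: "Reassociation Response",
    4: "Probe Request", 5: "Probe Response", 8: "Beacon",
    10: "Disassociation", 11: "Authentication", 12: "Deauthentication",
}


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_header(frame):
    """Parse the 802.11 MAC header. These fields are never encrypted."""
    fc, duration, addr1, addr2, addr3, seqctl = struct.unpack("<HH6s6s6sH", frame[:24])
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    if ftype == 0:
        name = MGMT_SUBTYPES.get(subtype, "Management")
    elif ftype == 2:
        name = "QoS Data" if subtype & 0x8 else "Data"
    else:
        name = "Control"
    # QoS Data frames carry a 2-byte QoS Control field after the addresses,
    # so their body starts at offset 26 instead of 24.
    body_offset = 26 if name == "QoS Data" else 24
    return {
        "type": ftype, "subtype": subtype, "name": name,
        "to_ds": bool(fc & 0x0100),        # flags byte bit 0
        "protected": bool(fc & 0x4000),    # flags byte bit 6: body is encrypted
        "addr1": mac_str(addr1), "addr2": mac_str(addr2), "addr3": mac_str(addr3),
        "seq": seqctl >> 4, "frag": seqctl & 0xF,
        "body": frame[body_offset:],
    }


def parse_ies(data):
    """Split tagged parameters (information elements) into {tag: value}."""
    ies, i = {}, 0
    while i + 2 <= len(data):
        tag, length = data[i], data[i + 1]
        ies[tag] = data[i + 2:i + 2 + length]
        i += 2 + length
    return ies


def parse_beacon(body):
    """Parse a Beacon / Probe Response body: fixed fields, then the IEs."""
    timestamp, interval, cap = struct.unpack("<QHH", body[:12])
    ies = parse_ies(body[12:])
    ssid = ies.get(0, b"")
    # A "hidden" SSID arrives as an empty SSID element or one filled with NUL
    # bytes (Wireshark renders the latter as "\000", as in the trace above).
    hidden = ssid.strip(b"\x00") == b""
    return {
        "timestamp": timestamp,
        "beacon_interval_s": interval * 1024 / 1_000_000,   # units of 1024 us
        "privacy": bool(cap & 0x0010),     # capability bit 4: encryption required
        "ssid": None if hidden else ssid.decode("utf-8", "replace"),
        "hidden_ssid": hidden,
        "channel": ies[3][0] if 3 in ies else None,   # DS Parameter set
    }


def build_beacon(bssid, ssid, channel, privacy):
    """Constructed sample Beacon (not taken from the article's capture)."""
    fc = 0x0080   # type 0 (management), subtype 8 (Beacon), no flags
    hdr = struct.pack("<HH6s6s6sH", fc, 0, b"\xff" * 6, bssid, bssid, 0)
    cap = 0x0421 | (0x0010 if privacy else 0)
    fixed = struct.pack("<QHH", 0x25CB192, 100, cap)   # 100 TU = 0.1024 s
    ies = (bytes([0, len(ssid)]) + ssid
           + bytes([1, 4, 0x82, 0x84, 0x8B, 0x96])      # rates 1/2/5.5/11 (B)
           + bytes([3, 1, channel]))
    return hdr + fixed + ies


def build_qos_data(bssid, src, dst, protected):
    """Constructed sample QoS Data frame from a station towards the AP (To DS)."""
    fc = 0x0188 | (0x4000 if protected else 0)   # QoS Data, To DS, maybe Protected
    hdr = struct.pack("<HH6s6s6sH", fc, 48, bssid, src, dst, 45 << 4)
    return hdr + b"\x00\x00" + b"\xde\xad\xbe\xef" * 4   # QoS Control + opaque body


AP = bytes.fromhex("001e4a278010")    # BSSID from the article's trace
STA = bytes.fromhex("000e35cb4bf8")   # station MAC from the article's trace
GW = bytes.fromhex("000f3d3c43e2")    # D-Link router MAC from the article's trace

if __name__ == "__main__":
    for frame in (build_beacon(AP, b"myhomessid", 4, False),
                  build_beacon(AP, b"\x00", 4, True),
                  build_qos_data(AP, STA, GW, True)):
        h = parse_header(frame)
        print(h["name"], h["addr2"], "->", h["addr1"], "protected:", h["protected"])
        if h["name"] == "Beacon":
            print("   ", parse_beacon(h["body"]))
```

Running it prints the visible SSID and channel from the first Beacon, reports the second Beacon as hidden with no SSID, and for the encrypted data frame still prints all three MAC addresses, which is exactly what a MAC filter would be matching against.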
WEP (Wired Equivalent Privacy) is for cracking, not securing
The first security implementation designed for Wi-Fi is the bastardized system known as WEP. While it does add cryptography to the connection, it has a fatal Achilles' heel in the form of short, 24-bit Initialization Vector (IV) values, IV collisions, and so-called "weak IVs", which with sufficient traffic (which can also be artificially generated by attackers) allow easy predictability in determining the actual key used for encrypting each data packet. The key itself is either 40-bit or 104-bit, with the 24-bit IV making up the rest of the marketed "64-bit" or "128-bit" value. Every black hat cracker goes through WEP Cracking 101 on the first day of class.
There are two variations to WEP security: Open System and Shared Key. While the overall functionality is essentially the same, during the 802.11 Authentication process the Shared Key system requires the access point to send a challenge to the station. The station must then encrypt this challenge with the WEP key and send it back over to the access point. Anyone observing this can perform offline computations and determine the valid key. Essentially, Shared Key WEP is more or less giving attackers clues and leaving bread crumbs behind. Bummer.
Shared Key authentication, sequence 1 (station to access point):
Authentication Algorithm: Shared key (1)
Authentication SEQ: 0x0001
Status code: Successful (0x0000)

Shared Key authentication, sequence 2 (access point sends the challenge):
Authentication Algorithm: Shared key (1)
Authentication SEQ: 0x0002
Status code: Successful (0x0000)
Tagged parameters (130 bytes)
    Challenge text
        Tag Number: 16 (Challenge text)
        Tag length: 128
        Tag interpretation: Challenge text: A7C97BDD03CB4DEA7F218DE71165663BC711E42FAA70E980...

Station's WEP-encrypted reply to the challenge:
Data: 9016A96845407B32F34ADD18245057983F67E52980E85FC1...
Open System has no challenge and is the same as a normal 802.11 Authentication process:
Authentication Algorithm: Open System (0)
Authentication SEQ: 0x0001
Status code: Successful (0x0000)

Authentication Algorithm: Open System (0)
Authentication SEQ: 0x0002
Status code: Successful (0x0000)
For any practical amount of security, WEP is certainly not the way to go due to the ease with which the key can be determined using free tools and the computing power available to most people. Depending on conditions, such as when a large download is generating many packets, a 128-bit key with a randomly-generated value can be predicted in under 10 minutes. WEP has been considered a broken security implementation since 2001. If you really believe WEP will save your life, be sure to post your social security number online and bank account number as well. The rest of us need to eat.
PSK (Pre-Shared Key) for WPA and WPA2
Although the idea behind Wi-Fi Protected Access (WPA) using a pre-shared key seems similar to WEP, the way the actual encryption keys are generated is vastly different and more complex. The following is a packet trace of a WPA connection being initialized:
Basic 802.11 association and WPA 4-way handshake
The WPA negotiation happens immediately after the basic 802.11 association process, and the basic association process itself has some very minor differences (although the overall sequence is exactly the same). The Beacon from the access point advertises the WPA capability:
Timestamp: 0x000000000CB52196
Beacon Interval: 0.102400 [Seconds]
Capability Information: 0x0431
SSID parameter set: "myhomessid"
Supported Rates: 1.0(B) 2.0(B) 5.5(B) 6.0(B) 9.0(B) 11.0(B) 12.0(B) 18.0(B)
DS Parameter set: Current Channel: 4
Traffic Indication Map (TIM): DTIM 0 of 2 bitmap empty
ERP Information: no Non-ERP STAs, do not use protection, short or long preambles
Extended Supported Rates: 24.0(B) 36.0(B) 48.0(B) 54.0(B)
Cisco Unknown 1 + Device Name
Vendor Specific: WPA
Vendor Specific: Aironet Unknown
Vendor Specific: Aironet CCX version = 4
Vendor Specific: Aironet Unknown
Vendor Specific: WME
Vendor Specific
The station's Association Request also mentions WPA:
Capability Information: 0x0431
Listen Interval: 0x000a
SSID parameter set: "myhomessid"
Supported Rates: 1.0(B) 2.0(B) 5.5(B) 6.0(B) 9.0(B) 11.0(B) 12.0(B) 18.0(B)
Vendor Specific: WPA
Vendor Specific: WME
Extended Supported Rates: 24.0(B) 36.0(B) 48.0(B) 54.0(B)
After the Association Response is confirmed from the access point, the station sends an "EAP over LAN" (EAPOL) Start message to the access point to initialize the WPA negotiation:
Version: 1
Type: Start (1)
Length: 0
The passphrase that is configured on both the station and access point is combined with the SSID value, the SSID length, then hashed 4096 times to produce a 256-bit Pairwise Master Key (PMK) value.
This PMK is the starting point for a 4-way handshake between the station and access point. Since both the station and access point have the same passphrase in their wireless configuration, they can independently compute the same PMK value and then start the handshake process to compute the PTK (Pairwise Transient Key) value.
1) The access point generates the first nonce value ("A Nonce") and sends it to the station:
Version: 1
Type: Key (3)
Length: 95
Descriptor Type: EAPOL WPA key (254)
Key Information: 0x0089
    .... .... .... .001 = Key Descriptor Version: HMAC-MD5 for MIC and RC4 for encryption (1)
    .... .... .... 1... = Key Type: Pairwise key
    .... .... ..00 .... = Key Index: 0
    .... .... .0.. .... = Install flag: Not set
    .... .... 1... .... = Key Ack flag: Set
    .... ...0 .... .... = Key MIC flag: Not set
    .... ..0. .... .... = Secure flag: Not set
    .... .0.. .... .... = Error flag: Not set
    .... 0... .... .... = Request flag: Not set
    ...0 .... .... .... = Encrypted Key Data flag: Not set
Key Length: 32
Replay Counter: 2
Nonce: 71DAA577B1C701F20BEFA0ED0634EA5B9893D4C7B07D8950...
Key IV: 00000000000000000000000000000000
WPA Key RSC: 0000000000000000
WPA Key ID: 0000000000000000
WPA Key MIC: 00000000000000000000000000000000
WPA Key Length: 0
2) When the station receives the A Nonce, it proceeds to generate its own nonce value ("S Nonce"). Using both nonces, combined with the MAC addresses of both itself and the access point, it computes a PTK. Then it sends the S Nonce value along with a Message Integrity Check (MIC) value to the access point:
Version: 1
Type: Key (3)
Length: 121
Descriptor Type: EAPOL WPA key (254)
Key Information: 0x0109
    .... .... .... .001 = Key Descriptor Version: HMAC-MD5 for MIC and RC4 for encryption (1)
    .... .... .... 1... = Key Type: Pairwise key
    .... .... ..00 .... = Key Index: 0
    .... .... .0.. .... = Install flag: Not set
    .... .... 0... .... = Key Ack flag: Not set
    .... ...1 .... .... = Key MIC flag: Set
    .... ..0. .... .... = Secure flag: Not set
    .... .0.. .... .... = Error flag: Not set
    .... 0... .... .... = Request flag: Not set
    ...0 .... .... .... = Encrypted Key Data flag: Not set
Key Length: 0
Replay Counter: 2
Nonce: 65A8A74F6A57B73E41C6F90B734174A702622A3E3E10AEA2...
Key IV: 00000000000000000000000000000000
WPA Key RSC: 0000000000000000
WPA Key ID: 0000000000000000
WPA Key MIC: 012E5B343D422A5A4833BE2B34B703BC
WPA Key Length: 26
WPA Key: DD180050F20101000050F20201000050F20201000050F202...
    Vendor Specific: WPA
        Tag Number: 221 (Vendor Specific)
        Tag length: 24
        Tag interpretation: WPA IE, type 1, version 1
        Tag interpretation: Multicast cipher suite: TKIP
        Tag interpretation: # of unicast cipher suites: 1
        Tag interpretation: Unicast cipher suite 1: TKIP
        Tag interpretation: # of auth key management suites: 1
        Tag interpretation: auth key management suite 1: PSK
        Tag interpretation: Not interpreted
3) The access point receives the S Nonce, and using the A Nonce it sent earlier (along with the MAC addresses of the station and itself) computes the PTK. This PTK should be the same value as computed by the station. It then sends an acknowledgement back to the station with its own MIC (note that the nonce value below is the same as the original one sent out earlier):
Version: 1
Type: Key (3)
Length: 121
Descriptor Type: EAPOL WPA key (254)
Key Information: 0x01c9
    .... .... .... .001 = Key Descriptor Version: HMAC-MD5 for MIC and RC4 for encryption (1)
    .... .... .... 1... = Key Type: Pairwise key
    .... .... ..00 .... = Key Index: 0
    .... .... .1.. .... = Install flag: Set
    .... .... 1... .... = Key Ack flag: Set
    .... ...1 .... .... = Key MIC flag: Set
    .... ..0. .... .... = Secure flag: Not set
    .... .0.. .... .... = Error flag: Not set
    .... 0... .... .... = Request flag: Not set
    ...0 .... .... .... = Encrypted Key Data flag: Not set
Key Length: 32
Replay Counter: 3
Nonce: 71DAA577B1C701F20BEFA0ED0634EA5B9893D4C7B07D8950...
Key IV: 00000000000000000000000000000000
WPA Key RSC: 0000000000000000
WPA Key ID: 0000000000000000
WPA Key MIC: 774CDA6E4F6416BFF5AE3657B0AE723F
WPA Key Length: 26
WPA Key: DD180050F20101000050F20201000050F20201000050F202...
    Vendor Specific: WPA
        Tag Number: 221 (Vendor Specific)
        Tag length: 24
        Tag interpretation: WPA IE, type 1, version 1
        Tag interpretation: Multicast cipher suite: TKIP
        Tag interpretation: # of unicast cipher suites: 1
        Tag interpretation: Unicast cipher suite 1: TKIP
        Tag interpretation: # of auth key management suites: 1
        Tag interpretation: auth key management suite 1: PSK
        Tag interpretation: Not interpreted
4) The station acknowledges receipt to the access point:
Version: 1
Type: Key (3)
Length: 95
Descriptor Type: EAPOL WPA key (254)
Key Information: 0x0109
    .... .... .... .001 = Key Descriptor Version: HMAC-MD5 for MIC and RC4 for encryption (1)
    .... .... .... 1... = Key Type: Pairwise key
    .... .... ..00 .... = Key Index: 0
    .... .... .0.. .... = Install flag: Not set
    .... .... 0... .... = Key Ack flag: Not set
    .... ...1 .... .... = Key MIC flag: Set
    .... ..0. .... .... = Secure flag: Not set
    .... .0.. .... .... = Error flag: Not set
    .... 0... .... .... = Request flag: Not set
    ...0 .... .... .... = Encrypted Key Data flag: Not set
Key Length: 0
Replay Counter: 3
Nonce: 000000000000000000000000000000000000000000000000...
Key IV: 00000000000000000000000000000000
WPA Key RSC: 0000000000000000
WPA Key ID: 0000000000000000
WPA Key MIC: 3F15A54E70FEFE82F63D91B9EBEA1C80
WPA Key Length: 0
The resulting PTK will be unique for each association session as the nonce values are different each time. The PTK itself is composed of several parts, one of which is the actual encryption key used to encrypt each unicast packet. As the 4-way handshake is now complete and both sides have installed the same set of keys, data can now be passed for DHCP negotiation, etc. Except, of course, it's now all encrypted.
However, if an attacker were to learn the PMK value, then as long as the two nonce values in the 4-way handshake are intercepted (as they traverse the air in clear text), she can decrypt the packets in real time. The common way of determining the PMK cryptographically is by dictionary or brute force based on a captured trace file. Therefore, choose your WPA passphrase carefully; make it 20 or more characters (preferably 63) using random sequences of upper / lower alphanumeric and special characters. Or use a random string generator. And don't use a common SSID value either, like "linksys"; just make it unique enough to identify the network as yours. Otherwise, you're just asking for it: since the SSID goes into the PMK computation, precomputed rainbow tables for the common SSIDs are big these days.
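The key derivation described in the handshake steps above, carried through in code as an added example (not code from the article or from any Wi-Fi vendor). The PMK step is PBKDF2 with HMAC-SHA1, the SSID as salt and 4096 iterations; the PTK step is the 802.11i PRF over the two MAC addresses and the two nonces, ordered min/max so that both sides build the same input; and the MIC on message 2 is HMAC-MD5 under the first 16 bytes of the PTK (the KCK), because the trace negotiates Key Descriptor Version 1. The EAPOL-Key layout matches the trace (descriptor type 254, 95 bytes of fields plus the key data). The MAC addresses are the ones from the article's trace; the nonces, passphrases and the `four_way_handshake` helper are constructed for the example.

```python
import hashlib
import hmac


def derive_pmk(passphrase, ssid):
    """WPA/WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key, label, data, nbytes):
    """802.11i PRF-n: concatenated HMAC-SHA1(key, label || 0x00 || data || counter)."""
    out, counter = b"", 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([counter]), hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]


def derive_ptk(pmk, aa, spa, anonce, snonce, nbytes=64):
    """PTK from the PMK, both MAC addresses and both nonces. The min/max ordering means
    the AP and the station compute the same value. 64 bytes for TKIP, 48 for CCMP."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, nbytes)


MIC_OFFSET = 81   # 4-byte EAPOL header + 77 bytes of EAPOL-Key fields before the MIC
NONCE_OFFSET = 17   # EAPOL header + descriptor type + key info + key length + replay counter


def build_eapol_key(key_info, key_length, replay_counter, nonce, key_data, mic=bytes(16)):
    """Constructed EAPOL-Key frame (descriptor type 254 = WPA) laid out as in the trace."""
    body = (bytes([254]) + key_info.to_bytes(2, "big") + key_length.to_bytes(2, "big")
            + replay_counter.to_bytes(8, "big") + nonce
            + bytes(16) + bytes(8) + bytes(8)          # Key IV, Key RSC, Key ID (all zero)
            + mic + len(key_data).to_bytes(2, "big") + key_data)
    return bytes([1, 3]) + len(body).to_bytes(2, "big") + body   # Version 1, Type Key (3)


def compute_mic(kck, frame):
    """Key Descriptor Version 1 (as in the trace): HMAC-MD5 over the frame with the MIC zeroed."""
    zeroed = frame[:MIC_OFFSET] + bytes(16) + frame[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.md5).digest()


def verify_mic(kck, frame):
    return hmac.compare_digest(frame[MIC_OFFSET:MIC_OFFSET + 16], compute_mic(kck, frame))


# Constructed inputs: MAC addresses from the article's trace, nonces made up for the example.
AP_MAC = bytes.fromhex("001e4a278010")
STA_MAC = bytes.fromhex("000e35cb4bf8")
ANONCE = hashlib.sha256(b"constructed ANonce").digest()
SNONCE = hashlib.sha256(b"constructed SNonce").digest()
# WPA IE as carried in message 2 of the trace (TKIP/TKIP, AKM = PSK), 26 bytes.
WPA_IE = bytes.fromhex("dd180050f20101000050f20201000050f20201000050f2020000")


def four_way_handshake(ap_passphrase, sta_passphrase, ssid="myhomessid"):
    """Message 2 of the handshake: the station signs with its KCK, the AP verifies
    with the KCK derived from its own passphrase. True only if both hold the same PMK."""
    # Station side: PMK from its configured passphrase, PTK from ANonce (received) + SNonce.
    sta_ptk = derive_ptk(derive_pmk(sta_passphrase, ssid), AP_MAC, STA_MAC, ANONCE, SNONCE)
    msg2 = build_eapol_key(0x0109, 0, 2, SNONCE, WPA_IE)          # MIC field still zero
    msg2 = msg2[:MIC_OFFSET] + compute_mic(sta_ptk[:16], msg2) + msg2[MIC_OFFSET + 16:]
    # AP side: reads SNonce out of the frame, derives its own PTK, checks the MIC.
    snonce_rx = msg2[NONCE_OFFSET:NONCE_OFFSET + 32]
    ap_ptk = derive_ptk(derive_pmk(ap_passphrase, ssid), AP_MAC, STA_MAC, ANONCE, snonce_rx)
    return verify_mic(ap_ptk[:16], msg2)


if __name__ == "__main__":
    print("PMK(password, IEEE) =", derive_pmk("password", "IEEE").hex())
    print("matching passphrases:", four_way_handshake("correct horse battery", "correct horse battery"))
    print("mismatched passphrases:", four_way_handshake("correct horse battery", "wrong passphrase 1"))
```

Two things worth noticing when you run it: the PMK for passphrase "password" and SSID "IEEE" is the published 802.11i test vector, so the derivation can be checked against the standard; and the MIC on message 2 is what lets the access point tell, before any key is installed, whether the station holds the same PMK. That same property is why a captured handshake is enough for an offline guess at the passphrase, which is the reason the article's advice on passphrase length and a non-default SSID matters.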
WPA and WPA2 share much of the same overall quality, although the actual encryption algorithm and integrity checking method used is slightly different. WPA2 relies on a stronger, but more computationally-intense algorithm called Advanced Encryption Standard (AES). Many older Wi-Fi cards cannot support this through firmware updates. WPA and WPA2 cannot be mixed in some environments. For example, a wireless card which supports only WPA using Temporal Key Integrity Protocol (TKIP) cannot associate with an access point that is configured to only do WPA2 with AES / CCMP. That said, WPA with TKIP is still a very strong security option. Just be sure to choose a strong passphrase.
WPA-Enterprise / WPA2-Enterprise (also known as 802.1X)
While WPA or WPA2 using a pre-shared key is fine and dandy, it runs into the same problem as WEP in terms of management scalability. If you have 100 employees using a common WPA passphrase, and one employee who knows the passphrase leaves (or is fired), you have to change all 100 workstations to a new value (as well as all the access points in the infrastructure); otherwise your former employee has the ability to log onto your network or decrypt all traffic in the air anonymously. A headache and a half. You have better things to do and eBay auctions to monitor.
The real power of Wi-Fi security magic comes into play when you use 802.1X, the way 802.11i was meant to be deployed. It's like WPA, but without a static pre-shared key. 802.1X (this is not "802.11X") is another IEEE standard originally created for wired networks, but adapted for wireless. This article won't go in-depth on this particular subject area due to the number of variances on how the authentication can be implemented, as well as to maintain brevity.
When using WPA-PSK or WPA2-PSK, the only thing the access point (and thus the network itself) authenticates is the device since every station uses the same passphrase value and thus has an identical starting point value (the PMK). With 802.1X, every user on the station has to present unique identity credentials to the network. This can be the typical username / password combo, or it could be a certificate or other form of credential. The user authentication sequence happens after the 802.11 association process, but before the PMK is derived and the 4-way handshake occurs. The additional benefit is that the PMK is dynamically-generated between the station and access point for each authenticated session. There's no passphrase seed entered into the station or access point beforehand. The two 4-way handshake nonces are still dynamically-generated to create the PTK. The beauty of the system is that the PMK is not sent over the air in cleartext. This makes cryptographically attacking 802.1X-enabled networks much more difficult from a cracker's perspective and with current technology relatively impractical to break.
However, 802.1X is much more complicated to set up and far more difficult to troubleshoot (which is why it's usually done by larger organizations that have the staff and knowledge to configure it). The amount of traffic generated is significantly more, although in practical real-time terms, connectivity is still measured in split-seconds. A RADIUS server as well as a public key infrastructure will need to be incorporated into the network. The access points will also need to support the use of 802.1X. This essentially eliminates most consumer-grade access points from consideration, although some may be used if configured with OpenWRT. In addition, the RADIUS server will also need to support the specific EAP type planned to be used. As an example, Microsoft IAS only supports EAP-TLS and PEAP. Cisco ACS can also do LEAP. Funk (now Juniper) SBR goes one step further and supports EAP-TTLS (it was Funk that developed this EAP method). FreeRADIUS will practically do anything except provide you with an official support contract.
The 802.1X framework allows the network administrators to select a specific authentication protocol (referred to as an "EAP method" in reference to the Extensible Authentication Protocol type) that suits the environment's needs. For example, this could be a mutual-authentication system where both the server and client authenticate each other via certificates, or where the client authenticates the server by certificate but the server authenticates the client by a password, etc. These are usually referred to by their given EAP type nomenclatures such as EAP-TLS, EAP-TTLS / MS-CHAPv2, EAP-TTLS / PAP, PEAP, EAP-FAST, etc. If you enjoy memorizing lengthy acronyms and their meanings, this subject is for you. Windows XP and Vista, by the way, only support EAP-TLS and PEAP out of the box. To use another EAP type, another supplicant will need to be installed.
You may also hear about two older ones: EAP-MD5 and Cisco LEAP. These have been proven to be susceptible to offline attacks. Avoid them unless you're a high-stakes gambler and feelin' lucky.
Going the 802.1X route is the best solution for 802.11 security, which is why many large organizations that require strong security implement such infrastructures ... but it's not for the faint of heart, and it certainly isn't practical for almost all home users (or small businesses, for that matter). There are a lot of moving parts to coordinate and it can be difficult to debug. Add on the complexities of a PKI deployment in a large environment and you have a recipe for an Ibuprofen overdose. But if you want to show off to your friends and bag on them about their girlie-man "pre-shared key" systems, setting up one of these will guarantee some frustration for attackers. Don't be surprised if they decide to use social engineering instead.
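The client side of 802.1X is where deployments most often go wrong: a supplicant that does not validate the RADIUS server's certificate will happily hand its credentials to any access point announcing the right SSID, and the EAP methods the article warns about (LEAP, EAP-MD5) are still selectable. The following checker, an added example and not part of the article or of wpa_supplicant, reads wpa_supplicant.conf-style network blocks and flags those settings, plus the WEP and short-PSK cases from the earlier sections. The option names (`key_mgmt`, `eap`, `ca_cert`, `domain_suffix_match`, `phase2`, `psk`, `wep_key0`) are real wpa_supplicant options; the two sample configurations, one weak and one corrected, are constructed for the example.

```python
import re

# EAP methods the article says to avoid, as wpa_supplicant names them.
WEAK_EAP = {"LEAP", "MD5"}
# Any one of these pins the RADIUS server's certificate identity, so a certificate
# from the same CA issued to some other name is rejected.
SERVER_NAME_KEYS = ("domain_suffix_match", "domain_match", "subject_match", "altsubject_match")


def parse_network_blocks(conf_text):
    """Parse every network={ ... } block of a wpa_supplicant.conf into a dict."""
    blocks = []
    for match in re.finditer(r"network\s*=\s*\{(.*?)\}", conf_text, re.S):
        net = {}
        for line in match.group(1).splitlines():
            line = line.split("#", 1)[0].strip()
            if "=" in line:
                key, value = line.split("=", 1)
                net[key.strip()] = value.strip().strip('"')
        blocks.append(net)
    return blocks


def audit_network(net):
    """Return a list of findings for one network block (empty list = nothing flagged)."""
    findings = []
    key_mgmt = net.get("key_mgmt")
    if key_mgmt is None:   # wpa_supplicant defaults to "WPA-PSK WPA-EAP"; pick by what is set
        key_mgmt = "WPA-EAP" if "eap" in net else "WPA-PSK"
    key_mgmt = key_mgmt.split()
    has_wep = any(k.startswith("wep_key") for k in net)
    if "NONE" in key_mgmt and has_wep:
        findings.append("WEP key configured: WEP is broken, use WPA/WPA2")
    elif "NONE" in key_mgmt:
        findings.append("open network: no encryption at all")
    if "WPA-EAP" in key_mgmt or "IEEE8021X" in key_mgmt:
        if net.get("eap", "") in WEAK_EAP:
            findings.append(f"EAP method {net['eap']} is susceptible to offline attack")
        if "ca_cert" not in net:
            findings.append("no ca_cert: the RADIUS server certificate is not validated")
        elif not any(k in net for k in SERVER_NAME_KEYS):
            findings.append("ca_cert set but no server name match: any certificate from that CA is accepted")
    if "WPA-PSK" in key_mgmt and "psk" in net:
        psk = net["psk"]
        # A 64-hex-digit psk is the raw 256-bit PMK; anything else is a passphrase.
        if not re.fullmatch(r"[0-9a-fA-F]{64}", psk) and len(psk) < 20:
            findings.append(f"PSK passphrase is only {len(psk)} characters; use 20 or more")
    return findings


def audit_config(conf_text):
    """Map each network's SSID to its findings."""
    return {net.get("ssid", "?"): audit_network(net) for net in parse_network_blocks(conf_text)}


# Constructed sample: the weak settings the article warns about.
WEAK_CONF = """
network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="hunter2hunter2"
    phase2="auth=MSCHAPV2"
    # no ca_cert: the client will accept any server certificate
}
network={
    ssid="myhomessid"
    psk="short123"
}
network={
    ssid="legacy"
    key_mgmt=NONE
    wep_key0=0123456789
}
"""

# Constructed sample: the same corporate network with server validation in place.
FIXED_CONF = """
network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="hunter2hunter2"
    phase2="auth=MSCHAPV2"
    ca_cert="/etc/ssl/certs/corp-ca.pem"
    domain_suffix_match="radius.corp.example"
}
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("fixed", FIXED_CONF)):
        for ssid, findings in audit_config(conf).items():
            print(f"[{label}] {ssid}: {findings or 'ok'}")
```

The `ca_cert` plus `domain_suffix_match` pair is the check behind the summary's "ensure all clients validate the server certificate": the CA file alone only proves the certificate was issued by your CA, and the name match is what ties it to your RADIUS server rather than to anything else that CA has signed.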
Still no physical DoS protection
While the cryptographic protection available for Wi-Fi is pretty good these days, there's still no way of guarding against the obvious denial-of-service attacks. If the access point that's transmitting and receiving on 2.4 GHz happens to be near a kitchen microwave, expect loss of network connectivity when lunchtime comes around. Unlike wired networks, the performance of wireless networks tends to be heavily influenced by many physical factors such as location, placement of antennas, choice of directional or omnidirectional antennas, other access points operating on or near the same channel, Kryptonite beams, Starfleet communicators, etc. Pay a professional to do a real site survey and don't let them get away with wireless diagrams showing you radio coverage in circles. Radio waves don't adhere to such artistic ideals.
Public hotspots
Most hotspots are either the connect-for-free-at-our-little-coffee-shop variety or a paid system such as T-Mobile enabled hotspots (which Starbucks is currently migrating away from). Free hotspots simply require a wireless card that knows how to do basic things like read, write, spell, use proper grammar, and associate via original 802.11 standards.
Pay hotspots, on the other hand, usually have a captive portal / walled-garden system where basic association is possible for everyone, but connecting to the Internet via IP results in trapped containment by the network gateway. Outbound web browser requests are given HTTP 302 redirects to a login page where credentials are entered for Internet access which, of course, requires that 16-digit credit card number of yours and accepting a EULA which states that you agree not to perform illegal acts, attack the hotspot network, or blast 80s porn music.
Security summary ... the quick version
- WEP = bad.
- MAC address filtering = bad.
- Hiding SSID = bad.
- WPA-PSK and WPA2-PSK with a strong passphrase = good.
- WPA / WPA2 Enterprise (802.1X) = good ... as long as you avoid LEAP, EAP-MD5, and you ensure all clients validate the server certificate. All client certificates should be hand-washed.
Lots of reading...
Want to know more about how Wi-Fi works? Download the IEEE specification and read through the 1000+ pages. Guaranteed to cure insomnia without a prescription.