What would be the best security design for a campus environment, EAP or LEAP?

Authentication usually occurs during the 802.1X exchange, carried by some type of Extensible Authentication Protocol (EAP). You can think of 802.1X as a postal carrier and EAP as an envelope containing a letter. The postman (802.1X) delivers the envelope (EAP), but the content of each envelope (authentication method) varies. In 802.1X, the authentication method depends on the "EAP type."

To date, there have been 45 EAP types registered -- for a complete list, see the IANA Web site. Lightweight EAP (LEAP) is registered as "EAP-Cisco Wireless." It is a proprietary EAP type defined by Cisco to enable password authentication between stations and APs, using a challenge-response protocol. When using LEAP, the user's station can be configured with a specific wireless username/password, or the user's Windows login/password can be re-used for wireless authentication. This is one way of providing user authentication for wireless, but not the more secure way of doing so.

As it turns out, LEAP has been proven vulnerable to "cracking" attacks. Someone who records the LEAP challenge/response can run a brute-force guessing or dictionary attack, trying to figure out the password used to generate the user's apparently correct response. Once the attacker figures out the password, he/she can gain access to the wireless LAN by logging in with that user's name and password. The attacker doesn't have to be a security expert to do this -- open source attack tools like Anwrap, Asleap, and LEAPcracker are readily available to process captured packets in this fashion.

An EAP type that is far more resistant to attack and considered very secure is EAP-TLS (EAP Transport Layer Security). EAP-TLS provides mutual authentication between the station (user) and an authentication server, based on digital certificates. This is great if you have digital certificates for all your users, or can readily issue then from your Certificate Authority. Organizations (like yours) that prefer to use a "legacy authentication" method like login/password need to select another EAP type. That's where EAP-TTLS and PEAP come in.

EAP Tunneled TLS (TTLS) and Protected EAP (PEAP) accomplish their goals in slightly different ways, but both authenticate the server with a certificate and the station (user) with a legacy method (like username/password). Although there are some risks associated with these EAP types, they are probably the most popular secure WLAN authentication methods today. To use EAP-TTLS, you'd need to install "802.1X supplicant" software on every station -- for example, Funk's Odyssey Client. Windows XP SP1 and SP2 have PEAP built-in, but you'd need to install software on stations running other operating systems. Some WLAN adapters come with 802.1X supplicants for EAP-TTLS and/or PEAP, so that can also be a factor in your decision. To learn more about EAP types, I recommend this Meetinghouse white paper (PDF).

Finally, you asked about security for a campus WLAN environment. Many campuses do not require 802.1X authentication because they do not have complete control over the kinds of operating systems, network adapters, and client software that stations use. Instead, many campuses use SSL-based web login, where users enter login/password to gain access to the network attached to the wireless LAN. SSL portals do nothing to encrypt the actual wireless traffic sent by users after the finish logging in, but they do keep the user's credentials safe from eavesdropping during the authentication process. SSL portal login isn't the most secure alternative overall, but many organizations find this to be a practical alternative for secure user authentication. Some combine WPA/802.1X wireless security for stations that have the necessary client software, and SSL portal login for stations that don't (e.g., visitors, new users, users with hard-to-support devices).